Derin Analiz - Medusa Ransomware | Tehdit: KRITIK

Fichier Kimligi

SHA2562e62a782c84149953dd216d96fec8e0f4d4b568525bbaa0574b1aad2530d28e0
Taille317,440 byte (310 KB) PE32 console x86
Entropi6.58 (normal - packed degil)
Section5 section, TLS found
PDBG:\Medusa\Release\gaze.pdb

MedusaCrypt C++ Sinifi

KRITIK: .?AVCMedusaCrypt@@ - Medusa ransomware'in C++ sinifi! Kaynak koddan derlenmis!
.?AVCMedusaCrypt@@    <- BCrypt ile dosya sifreleme sinifi\nPDB yolu: G:\Medusa\Release\gaze.pdb\nDerleme: MSVC Release x86 (Debug sembolleri silindi)

Cift Gasp (Double Extortion)

CIFT GASP: Medusa hem dosyalari sifreler hem de verileri calar!
"2. We have ENCRYPTED some your files."\n\n"After paying for the data breach and decryption, we guarantee\n that your data will never be leaked and this is also for\n our reputation."\n\n"And we have extracted all of your networks including sub offices\n and your service clients networks valuable data and copied them\n to private cloud storage."

Sifreleme Architecturesi

BCryptEncrypt           <- simetrik dosya sifreleme\nBCryptCreateHash        <- dosya hash dogrulama\nBCryptDestroyKey        <- anahtar temizleme\nBCryptCloseAlgorithmProvider\n-----BEGIN PUBLIC KEY----- (gomulu RSA offentlicher Schlussel)\n-----END PUBLIC KEY-----   <- RSA ile AES anahtari sifreleme\n\nSifreleme: AES (simetrik) + RSA (anahtar sarma) hibrit mimari\nFidye notunda TOR browser kullanimi gerektirilir.

Yedekleme Servisleri Hedefi

Medusa, fidye odenmeden kurtarmayi engellemek icin:\n  MSSQL$VEEAMSQL2008R2      <- Veeam SQL yedekleme servisi\n  SQLAgent$VEEAMSQL2008R2   <- Veeam SQL Agent\n  wbengine                  <- Windows Backup Engine\n  zoolz.exe / Zoolz 2 Service <- Bulut yedekleme servisi

IOC

SHA2562e62a782c84149953dd216d96fec8e0f4d4b568525bbaa0574b1aad2530d28e0
C++ Sinif.?AVCMedusaCrypt@@ (MedusaCrypt)
PDBG:\Medusa\Release\gaze.pdb
SifrelemeBCryptEncrypt (AES) + RSA kamu anahtari
Hedef ServislerVeeam, WBEngine, Zoolz (yedek engellemesi)
GaspCift gasp: dosya sifreleme + veri sizma

MedusaRansomware — Profil du malware

Medusa ransomware BCrypt AES+RSA hibrit sifreleme kullanan cift gaspc. Dosyalari BCryptEncrypt ile sifreler, RSA kamu anahtari ile AES anahtarini korur. Veeam (VEEAMSQL2008R2), Windows Backup Engine (wbengine) ve Zoolz bulut yedekleme servislerini durdurur. Veri sizintisi tehdidi ile cift gasp (double extortion) yapar.

Type de malware
Ransomware
Langage de programmation
C++
Protocole C2
Systèmes ciblés
Windows
Aussi connu sous (AKA)
MedusaLocker

Capacités et comportement

Dosya Şifreleme (AES/RSA)
Gölge Kopya Silme
Yedek Kaldırma
Fidye Notu Oluşturma
Kalıcılık Sağlama
Ağ Paylaşımı Şifreleme
Anti-Analiz Teknikleri
Çift Gasp (Data Leak)

Liste IOC (1 indicateurs)

IOC — MedusaRansomware
# SHA256 2e62a782c84149953dd216d96fec8e0f4d4b568525bbaa0574b1aad2530d28e0
TypeValeurNote
sha256 2e62a782c84149953dd216d96fec8e0f4d4b568525bbaa0574b1aad2530d28e0
Tags
medusa-ransomware-double-extortioncmedusacrypt-cpp-classbcryptencrypt-aes-rsa-hybridveeam-backup-kill-veeamsql2008r2wbengine-windows-backup-killzoolz-cloud-backup-killpdb-gaze-release-medusa-builderrsa-public-key-embedded-encryptiontor-browser-ransom-paymentprivate-cloud-exfiltrationtls-found-anti-analysisdata-breach-threat-extortion