Researchers uncovered a critical operational security (OPSEC) failure by the Medusa Ransomware Group, allowing them to access the group’s cloud storage, revealing a trove of exfiltrated data from various victims.
The incident came to light during a ransomware response operation. Investigators found that Medusa had used Rclone, a popular data transfer tool, to move stolen information to their cloud account. Unlike many ransomware groups that prefer mega.nz or mega.io, Medusa opted for put.io as their storage platform.
Medusa Ransomware OPSEC Failure
The MEDUSA ransomware group had first come to the attention of security researchers in June 2021 after targeting several countries across different industries, including healthcare, education, manufacturing, and retail.
The threat actors’ mistake was leaving behind a configuration file after dropping rclone.exe in the C:\Windows\AppCompat\ directory. This file contained the put.io token, which typically requires additional credentials for full access. Rclone which provides support for the integration with over 70 cloud providers, seeing increased usage among ransomware groups.
However, the Dark Atlas Squad discovered they could authenticate using only this token. By employing Burp Suite to replace their own token with Medusa’s, they gained complete access to the group’s cloud repositories.
This breach revealed the email address associated with Medusa’s account: [email protected]. More importantly, it exposed data stolen from numerous victims, including the Kansas City Area Transportation Authority.
Recovery and Prevention
Acting swiftly, the team developed a Python script to automate the recovery of stolen data. They created zip files and downloaded them, racing against time to complete the task before Medusa could detect the intrusion.
The researchers then began deleting sensitive files belonging to victims and reached out to as many affected parties as possible to assist with recovery.
To help prevent future incidents, the security research team created a Sigma rule designed to detect DNS queries related to put.io within networks. This rule, while potentially generating false positives from legitimate put.io usage, serves as a valuable tool for identifying suspicious activity.
As ransomware groups continue to evolve their tactics, this incident potential for turning attackers’ mistakes into opportunities for defense and recovery.
Earlier in June 2024, the ransomware group demanded bounties of US $120,000 from Fitzgerald, DePietro & Wojnas CPAs, P.C and $100,000 from Tri-City College Prep High School to prevent publicizing stolen data from these institutions.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
