Medusa Ransomware Group's OPSEC Failure: Infiltrating Their Cloud Storage

Dark Atlas Blog (Buguard)
In the evolving threat landscape, threat actors and ransomware groups continually adapt and refine their methodologies to execute data exfiltration operations for either espionage or extortion purposes.

At Buguard's HUMINT unit, the Dark Atlas Squad, we recently responded to a ransomware incident carried out by the Medusa ransomware group. Their OPSEC failure allowed us to infiltrate their cloud account for a certain amount of time and access the data they had been exfiltrating over time.

In this case, Medusa used the infamous exfiltration tool Rclone, which many ransomware groups use to exfiltrate data from the victim to their cloud account.

Rclone supports over 70 cloud providers for data transfer, with services like mega.nz and mega.io being the most frequently used by ransomware groups. Notably, we observed Medusa using put.io to store their exfiltrated data. This was discovered when accessing the configuration file they inadvertently left behind.

During our investigation, we observed that the threat actor dropped rclone.exe in the following location: C:\Windows\AppCompat.

Rclone offers two ways for users to set their configuration: by passing a configuration file, or through the interactive shell mode. In this case the former was used.

Interestingly, upon inspecting the conf.txt file located in the same directory as Rclone, we observed that the actor used the put.io service to exfiltrate data from the DC.

Upon identifying the put.io token, we reviewed the put.io API documentation. We discovered that full authentication required a client_id and client_secret, which we did not have.

Instead of using the official API, we explored the application as regular users and found that a single token could fully authenticate us. Using Burp Suite, we replaced our token with Medusa's token, gaining full access to their cloud repositories.

The email associated with their account was pussinputs@onionmail.org.

This access allowed us to see all the exfiltrated data from victims, including the Kansas City Area Transportation Authority (KCATA).

Then we started recapturing our customer's stolen data by creating zips and downloading them.

We wanted to do the same for all the victims affected by the Medusa gang. We automated this process using a Python script to complete the task swiftly before the attackers noticed.

Once we did this, we started to delete some sensitive files belonging to the victims.

We contacted as many victims as possible and helped them complete the recovery process.

Finally, the Dark Atlas Squad crafted a Sigma rule to help detect such incidents inside your network.

That's it for today. Thank you for reading. Shout out to our beacon.exe, GeneralEG, for this research.

Stay safe, and if you ever face ransomware or a data breach, email us at Hello@Darkatlas.io.

Copyright 2024 Buguard LLC. All Rights Reserved.
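As an added illustration of the detection angle in the post (this is not the Sigma rule Dark Atlas published, nor any code from the incident), the following Python triage script flags rclone process-creation events that show the traits described above (binary staged under C:\Windows\AppCompat, configuration passed as a file named conf.txt, a renamed binary recognised through its PE OriginalFileName) and parses an rclone config to report which cloud back-end each remote uses. The event records and config are constructed samples using standard Sysmon Event ID 1 field names; the token value is a placeholder.

```python
import configparser
import re

# Directories where an exfiltration tool has no business living; the post names C:\Windows\AppCompat.
SUSPICIOUS_DIRS = ("c:\\windows\\appcompat", "c:\\windows\\temp", "c:\\users\\public")
# rclone back-end types worth calling out in a config (put.io and MEGA are the ones named in the post).
CLOUD_BACKENDS = {"putio", "mega", "b2", "s3", "drive", "dropbox", "pcloud"}

# Constructed Sysmon Event ID 1 (process creation) records; illustrative, not logs from the incident.
EVENTS = [
    {"Image": "C:\\Windows\\AppCompat\\rclone.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": "rclone.exe copy --config conf.txt C:\\Shares remote:loot -P"},
    {"Image": "C:\\Windows\\AppCompat\\svchost.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": "svchost.exe sync D:\\Data remote:data --config=conf.txt"},
    {"Image": "C:\\Program Files\\rclone\\rclone.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": "rclone.exe lsd backup:"},
    {"Image": "C:\\Windows\\System32\\svchost.exe", "OriginalFileName": "svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

# Constructed rclone config in the shape the post describes (a put.io remote); the token is a placeholder.
SAMPLE_CONF = """[remote]
type = putio
token = {"access_token":"PLACEHOLDER_TOKEN","token_type":"Bearer"}
"""

def score_event(ev):
    """Return the indicators matched by one process-creation record; [] means it is not rclone."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    orig = ev.get("OriginalFileName", "").lower()
    if not (image.endswith("\\rclone.exe") or orig == "rclone.exe"):
        return []
    hits = ["rclone"]
    if not image.endswith("\\rclone.exe"):
        hits.append("renamed")            # file renamed, but PE version info still says rclone.exe
    if any(image.startswith(d) for d in SUSPICIOUS_DIRS):
        hits.append("staging_dir")        # e.g. dropped in C:\Windows\AppCompat, as in the post
    if re.search(r"--config[=\s]\S*conf\.txt", cmd):
        hits.append("config_file")        # config supplied as a file instead of interactively
    if re.search(r"\b(copy|sync|move)\b", cmd):
        hits.append("transfer_verb")      # an actual transfer, not just listing remotes
    return hits

def cloud_remotes(conf_text):
    """Parse an rclone config (INI format) and return {remote_name: backend_type} for cloud back-ends."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return {s: cp[s]["type"] for s in cp.sections() if cp[s].get("type") in CLOUD_BACKENDS}
```

Run against real Sysmon exports, the two functions give a responder both the process-level signal (rclone staged in an odd directory with a file-based config) and, once conf.txt is recovered from that directory, the back-end the remote points at.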