Deep Analysis - Medusa Ransomware | Threat: CRITICAL

File Identity

SHA256: 2e62a782c84149953dd216d96fec8e0f4d4b568525bbaa0574b1aad2530d28e0
Size: 317,440 bytes (310 KB), PE32 console, x86
Entropy: 6.58 (normal - not packed)
Sections: 5 sections, TLS found
PDB: G:\Medusa\Release\gaze.pdb

MedusaCrypt C++ Class

CRITICAL: .?AVCMedusaCrypt@@ - the C++ class of the Medusa ransomware! Compiled from source code!
.?AVCMedusaCrypt@@    <- file encryption class built on BCrypt
PDB path: G:\Medusa\Release\gaze.pdb
Build: MSVC Release x86 (debug symbols stripped)

Double Extortion

DOUBLE EXTORTION: Medusa both encrypts files and steals data!
Ransom note strings found in the sample:

"2. We have ENCRYPTED some your files."

"After paying for the data breach and decryption, we guarantee
 that your data will never be leaked and this is also for
 our reputation."

"And we have extracted all of your networks including sub offices
 and your service clients networks valuable data and copied them
 to private cloud storage."

Encryption Architecture

BCryptEncrypt           <- symmetric file encryption
BCryptCreateHash        <- file hash verification
BCryptDestroyKey        <- key cleanup
BCryptCloseAlgorithmProvider
-----BEGIN PUBLIC KEY----- (embedded RSA public key)
-----END PUBLIC KEY-----   <- AES key encrypted with RSA

Encryption: AES (symmetric) + RSA (key wrapping) hybrid architecture
The ransom note requires the victim to use the TOR browser.

Backup Services Targeted

To prevent recovery without payment of the ransom, Medusa stops the following services:
  MSSQL$VEEAMSQL2008R2      <- Veeam SQL backup service
  SQLAgent$VEEAMSQL2008R2   <- Veeam SQL Agent
  wbengine                  <- Windows Backup Engine
  zoolz.exe / Zoolz 2 Service <- cloud backup service

IOC

SHA256: 2e62a782c84149953dd216d96fec8e0f4d4b568525bbaa0574b1aad2530d28e0
C++ Class: .?AVCMedusaCrypt@@ (MedusaCrypt)
PDB: G:\Medusa\Release\gaze.pdb
Encryption: BCryptEncrypt (AES) + RSA public key
Target Services: Veeam, WBEngine, Zoolz (backup blocking)
Extortion: Double extortion: file encryption + data exfiltration

MedusaRansomware — Malware Profile

Medusa ransomware is a double-extortion ransomware that uses BCrypt-based AES+RSA hybrid encryption. It encrypts files with BCryptEncrypt and protects the AES key with an RSA public key. It stops the Veeam (VEEAMSQL2008R2), Windows Backup Engine (wbengine) and Zoolz cloud backup services. It performs double extortion by threatening to leak the stolen data.

Malware Type: Ransomware
Programming Language: C++
C2 Protocol:
Target Systems: Windows
Also Known As (AKA): MedusaLocker

Capabilities & Behavior

File Encryption (AES/RSA)
Shadow Copy Deletion
Backup Removal
Ransom Note Creation
Persistence
Network Share Encryption
Anti-Analysis Techniques
Double Extortion (Data Leak)

IOC List (1 indicator)

IOC — MedusaRansomware
Type: sha256
Value: 2e62a782c84149953dd216d96fec8e0f4d4b568525bbaa0574b1aad2530d28e0
Note:
Tags: medusa-ransomware-double-extortion, cmedusacrypt-cpp-class, bcryptencrypt-aes-rsa-hybrid, veeam-backup-kill-veeamsql2008r2, wbengine-windows-backup-kill, zoolz-cloud-backup-kill, pdb-gaze-release-medusa-builder, rsa-public-key-embedded-encryption, tor-browser-ransom-payment, private-cloud-exfiltration, tls-found-anti-analysis, data-breach-threat-extortion