Deep Analysis - Medusa Ransomware | Threat: CRITICAL
File Identity
| SHA256 | 2e62a782c84149953dd216d96fec8e0f4d4b568525bbaa0574b1aad2530d28e0 |
|---|---|
| Size | 317,440 bytes (310 KB), PE32 console x86 |
| Entropy | 6.58 (normal, not packed) |
| Sections | 5 sections, TLS present |
| PDB | G:\Medusa\Release\gaze.pdb |
MedusaCrypt C++ Class
CRITICAL: .?AVCMedusaCrypt@@ is the C++ class name of Medusa ransomware, showing the sample was compiled from source.
.?AVCMedusaCrypt@@ <- file-encryption class built on BCrypt
PDB path: G:\Medusa\Release\gaze.pdb
Build: MSVC Release x86 (debug symbols stripped)
Double Extortion
DOUBLE EXTORTION: Medusa both encrypts files and steals data.
"2. We have ENCRYPTED some your files."

"After paying for the data breach and decryption, we guarantee
 that your data will never be leaked and this is also for
 our reputation."

"And we have extracted all of your networks including sub offices
 and your service clients networks valuable data and copied them
 to private cloud storage."
Encryption Architecture
BCryptEncrypt <- symmetric file encryption
BCryptCreateHash <- file hash verification
BCryptDestroyKey <- key cleanup
BCryptCloseAlgorithmProvider
-----BEGIN PUBLIC KEY----- (embedded RSA public key)
-----END PUBLIC KEY----- <- the AES key is encrypted with RSA

Encryption: hybrid architecture, AES (symmetric) for files + RSA (key wrapping) for the AES key.
The ransom note requires the victim to use the TOR browser.
Backup Services Targeted
To prevent recovery without paying the ransom, Medusa stops the following services:
 MSSQL$VEEAMSQL2008R2 <- Veeam SQL backup service
 SQLAgent$VEEAMSQL2008R2 <- Veeam SQL Agent
 wbengine <- Windows Backup Engine
 zoolz.exe / Zoolz 2 Service <- cloud backup service
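As an added example (not part of the original analysis or any vendor tool), the following Python triage scanner checks a file for the indicators listed in the sections above: the RTTI class name, the PDB path, the BCrypt CNG imports, the embedded PEM public key, the targeted backup service names and ransom note phrases. The weights, the verdict thresholds and the two sample buffers are my own constructions; strings are matched in both ASCII and UTF-16LE because Windows service names are usually wide strings inside a PE.

```python
import sys

# Indicators quoted from the analysis above; the weights are an assumed triage scoring.
INDICATORS = {
    "rtti_class":      (40, [b".?AVCMedusaCrypt@@"]),
    "pdb_path":        (30, [rb"G:\Medusa\Release\gaze.pdb"]),
    "backup_services": (20, [b"MSSQL$VEEAMSQL2008R2", b"SQLAgent$VEEAMSQL2008R2",
                             b"wbengine", b"zoolz.exe", b"Zoolz 2 Service"]),
    "ransom_note":     (20, [b"We have ENCRYPTED some your files",
                             b"paying for the data breach and decryption"]),
    "bcrypt_api":      (10, [b"BCryptEncrypt", b"BCryptCreateHash",
                             b"BCryptDestroyKey", b"BCryptCloseAlgorithmProvider"]),
    "embedded_pem":    (10, [b"-----BEGIN PUBLIC KEY-----", b"-----END PUBLIC KEY-----"]),
}

def contains(data: bytes, needle: bytes) -> bool:
    """Match ASCII and UTF-16LE; service names and note text are often wide strings in PEs."""
    return needle in data or needle.decode("ascii").encode("utf-16-le") in data

def scan(data: bytes) -> dict:
    """Return score, verdict and per-category hits for one sample's raw bytes."""
    hits, score = {}, 0
    for category, (weight, needles) in INDICATORS.items():
        found = [n.decode("ascii") for n in needles if contains(data, n)]
        if found:
            hits[category] = found
            score += weight  # one weight per category, not per string, to limit noise
    # Generic CNG usage plus a PEM key (10 + 10) alone must not flag a benign program.
    verdict = "match" if score >= 60 else "suspicious" if score >= 30 else "no_match"
    return {"score": score, "verdict": verdict, "hits": hits}

def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return scan(fh.read())

# Constructed test buffers (not real samples): one carrying the page's indicators, one benign.
SAMPLE_MEDUSA = (b"MZ" + b"\x00" * 8 + b".?AVCMedusaCrypt@@\x00"
                 + rb"G:\Medusa\Release\gaze.pdb" + b"\x00BCryptEncrypt\x00"
                 + "wbengine".encode("utf-16-le") + b"\x00-----BEGIN PUBLIC KEY-----")
SAMPLE_BENIGN = b"MZ" + b"\x00" * 8 + b"BCryptEncrypt\x00-----BEGIN PUBLIC KEY-----"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, scan_file(path))
```

Run it as `python scan.py <file>`; the verdict is a triage hint, and a "match" should still be confirmed by the SHA256 in the IOC table.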
IOC
| SHA256 | 2e62a782c84149953dd216d96fec8e0f4d4b568525bbaa0574b1aad2530d28e0 |
|---|---|
| C++ Class | .?AVCMedusaCrypt@@ (MedusaCrypt) |
| PDB | G:\Medusa\Release\gaze.pdb |
| Encryption | BCryptEncrypt (AES) + RSA public key |
| Targeted Services | Veeam, WBEngine, Zoolz (backup prevention) |
| Extortion | Double extortion: file encryption + data exfiltration |
MedusaRansomware — Malware Profile
Medusa ransomware is a double-extortion ransomware that uses BCrypt-based AES+RSA hybrid encryption. It encrypts files with BCryptEncrypt and protects the AES key with an RSA public key. It stops the Veeam (VEEAMSQL2008R2), Windows Backup Engine (wbengine) and Zoolz cloud backup services. It carries out double extortion by threatening to leak the stolen data.
Malware Type
Ransomware
Programming Language
C++
C2 Protocol
—
Target Systems
Windows
Also Known As (AKA)
MedusaLocker
Capabilities & Behavior
File Encryption (AES/RSA)
Shadow Copy Deletion
Backup Removal
Ransom Note Creation
Persistence
Network Share Encryption
Anti-Analysis Techniques
Double Extortion (Data Leak)
IOC List (1 indicator)
IOC — MedusaRansomware
# SHA256
2e62a782c84149953dd216d96fec8e0f4d4b568525bbaa0574b1aad2530d28e0
| Type | Value | Note |
|---|---|---|
| sha256 | 2e62a782c84149953dd216d96fec8e0f4d4b568525bbaa0574b1aad2530d28e0 | |