Medusa ransomware was first identified in June 2021 and has quickly become a major cybersecurity threat. In February 2023, it escalated its impact by introducing a dedicated data leak site.
When your systems are infected with Medusa (or any form of ransomware), you will typically see a notification similar to the one displayed here, signalling that a cybercrime group is demanding a ransom to release your compromised systems and stolen data.
Imagine discovering a break-in at your office; your immediate reaction would likely be to call the police, refrain from touching anything, and allow authorities to gather evidence.
A cyberattack demands the same level of caution. Your compromised digital environment is a crime scene, and it’s critical that you leave it undisturbed for forensic investigation.
This isn't a task for your IT team or Managed Service Provider (MSP). Digital forensic experts are available around the clock, much like law enforcement at the scene of a physical crime.


If you come across a ransom message on your system, such as the one shown, you are likely dealing with a Medusa attack.
Medusa ransomware was first identified in June 2021 and has since become a major cyber threat, growing significantly in prominence with the establishment of a dark web data leak site in February 2023. This development marked an escalation in its operations. Medusa is particularly notorious for its high-profile attacks on large corporations in the United States. It follows the Ransomware-as-a-Service (RaaS) model, partnering with affiliates across the globe to enhance the scope of its attacks.
Medusa is recognised for its sophisticated techniques: each encrypted file is marked with a distinctive extension, such as ".MEDUSA". The ransomware employs a double extortion strategy, both encrypting and exfiltrating data. While phishing emails are the primary method of infection, the group has also used initial access brokers to assist in breaching networks. Once inside, Medusa targets vulnerable public-facing systems, such as unpatched Microsoft Exchange servers, to extend its attacks.
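As an added example (not Solace Cyber's tooling or code from this page), the following Python script scopes a suspected Medusa infection read-only: it counts files carrying the ".MEDUSA" extension mentioned above, groups them by directory and records the earliest and latest modification times to seed a timeline, without opening, renaming or altering anything, in keeping with the advice to leave the environment undisturbed. The extension list, the constructed sample tree and the demo() helper are assumptions.

```python
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone
ENCRYPTED_EXTENSIONS = (".medusa",)  # extension named on the page; extend only with confirmed IoCs

@dataclass
class TriageSummary:
    total: int = 0                                     # encrypted files seen
    per_directory: dict = field(default_factory=dict)  # relative dir -> count
    earliest: float = 0.0                              # mtime bounds, epoch seconds
    latest: float = 0.0

    def window(self):
        """Encryption window as ISO-8601 UTC strings, or None if nothing was found."""
        if self.total == 0:
            return None
        iso = lambda t: datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
        return iso(self.earliest), iso(self.latest)

def scan_encrypted(root: str) -> TriageSummary:
    """Walk root read-only: lstat metadata only, never open, rename or delete."""
    s = TriageSummary()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ENCRYPTED_EXTENSIONS):
                continue
            try:
                m = os.lstat(os.path.join(dirpath, name)).st_mtime
            except OSError:
                continue  # unreadable entry: skip it, leave it for the forensic image
            if s.total == 0 or m < s.earliest:
                s.earliest = m
            if s.total == 0 or m > s.latest:
                s.latest = m
            s.total += 1
            rel = os.path.relpath(dirpath, root)
            s.per_directory[rel] = s.per_directory.get(rel, 0) + 1
    return s

def demo() -> TriageSummary:
    """Constructed sample tree (an assumption): three encrypted files plus one untouched file."""
    base = tempfile.mkdtemp()
    layout = {"finance/q1.xlsx.MEDUSA": 1_700_000_000, "finance/q2.xlsx.MEDUSA": 1_700_000_300,
              "hr/staff.docx.MEDUSA": 1_700_000_120, "hr/readme.txt": 1_690_000_000}
    for rel, mtime in layout.items():
        p = os.path.join(base, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        open(p, "w").close()
        os.utime(p, (mtime, mtime))
    return scan_encrypted(base)
```

Run it against a mounted forensic copy rather than the live host where possible; the per-directory counts show which shares were reached and the window gives the first and last encryption timestamps to correlate with logs.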
Medusa employs a malicious technique known as double extortion to escalate the pressure and urgency of their ransom demands. In this approach, the attackers not only encrypt the targeted data but also threaten to expose or sell it if the ransom is not paid.
Medusa ransomware was first detected in June 2021. Since then, it has successfully targeted 467 victims worldwide.
Solace Cyber delivers Digital Forensic Incident Response services 24x7x365, with a track record of hundreds of successful recovery operations in Australia.
“The average annual cost of cybercrime for UK businesses is estimated at approximately £15,300 per victim.”
When a cyber incident occurs, take these immediate actions:
Solace Cyber acts as your specialist digital forensics partner in Australia, helping restore normal operations swiftly. Our response includes:
Recovery timelines typically range from 2 weeks to 2 months, depending on the incident's scope.

Solace Cyber delivers global risk and security services across Australia, specialising in travel, crisis support, and offshore risk management. The organisation runs a fully staffed security operations centre around the clock and maintains an internal intelligence unit that produces routine daily and weekly updates. The business is certified to ISO 27001, ISO 14001, ISO 45001, and ISO 9001 standards.
Founded in the UK in 2021, Solace Cyber has grown its presence throughout Australia, concentrating on cyber incident handling, including digital forensics, incident response, ransomware events, information security, and wider risk management, supported by managed security services. The senior leadership team has more than two decades of combined experience across security and IT.
Specialist forensic investigation and secure restoration demand focused expertise that standard IT departments rarely possess. Your internal teams excel at day-to-day technology support, but ransomware response requires dedicated capabilities they typically lack.
Consider these key challenges facing in-house teams:


We created Solace Cyber specifically to address ransomware incidents through our structured 6-phase methodology:
Our comprehensive forensic investigation begins at phase 2, forming the foundation of your business continuity plan. This detailed analysis proves essential for:
We execute our evidence examination according to a carefully structured protocol designed to identify root causes quickly. This discovery directly informs our eradication strategy and recovery plan, while building the evidence base for potential legal action. Through legal proceedings, we can help secure court orders preventing criminals from publishing your data, effectively nullifying their ransom demands.
Throughout your incident response, our Digital Forensic and Incident Response specialists maintain continuous coordination. Your dedicated Incident Manager and technical leads deliver regular progress updates, manage risk documentation, and operate within your change control frameworks from initial triage through final recovery.
At Solace Cyber, our services extend beyond recovery. Once your operations are restored, we collaborate with you to reinforce your cybersecurity. With a threat-informed strategy, we implement a robust framework to fortify your security and better protect against future attacks.
Medusa ransomware is a type of ransomware that operates through the Ransomware-as-a-Service (RaaS) model, working alongside global affiliates to maximise its reach and impact.
There are several potential entry points for Medusa ransomware into your system, including:
To prevent such attacks, we recommend implementing the following measures:
Following recovery from Medusa, Solace Cyber advises updating your business continuity plan to reflect any insights gained during the attack and recovery process.
The average cost of a ransomware attack is approximately £500K, while smaller email data breaches typically result in losses around £50K. The longer it takes to identify and resolve a breach, the higher the costs, making it critical to balance forensic analysis with quick recovery efforts to minimise disruption.
Cybersecurity insurance claims are complex, covering investigation, remediation, legal fees, business interruption, criminal and employment liability, as well as ransom payments. While insurers play a role in facilitating recovery, the cyber insurance market is unpredictable, and many policies are inadequately validated.
Navigating through these complexities requires expertise, and Solace Cyber is here to provide support.
Criminal groups like Medusa profit by hiring affiliates to carry out cyberattacks using their proprietary malware, which is known for its fast and effective encryption. Even after paying the ransom, the likelihood of successfully decrypting files and restoring data is slim, highlighting the need for a dedicated ransomware incident response team.
Important Reminder: Paying ransoms to individuals subject to financial sanctions is a criminal offence. The list of those under sanctions is constantly updated.
Yes, as it is possible that some of the lost data may include "Personal Data" belonging to your customers. As the data controller, you are legally obligated to protect this information, even if it has been compromised.
Your insurer or legal advisor will guide you on the necessary steps to take. Solace Cyber works closely with insurers and legal professionals and can assist in managing this process during this challenging time.
Ransomware attacks pose the greatest risk to your business by:
In cases of business disruption, determining your position in the supply chain and maintaining operations can become difficult. If the disruption continues, ensuring business continuity becomes crucial. Once systems and data are restored, addressing the backlog of work and setting operational procedures for the future is necessary.
Ransomware is second only to receivership in its potential to incapacitate a business.
Under Australian law, organisations experiencing ransomware attacks must report incidents to both the Australian Signals Directorate (ASD) and the Office of the Australian Information Commissioner (OAIC), particularly when personal information is compromised, ensuring regulatory compliance and coordinated national response.
Keep calm and step away from your systems.
Avoid restoring files or altering data in any way, as doing so may complicate recovery efforts.
Reach out to Solace Cyber now on +61 (0) 282 786100 or submit our contact form to have an expert return your call.
We’ll take swift action to minimise downtime and restore stability to your operations.

Solace Cyber helps companies across Australia recover from ransomware attacks and data breaches.
SOLACE CYBER LTD is registered in England & Wales no. 08830710