BleepingComputer reports that the Medusa ransomware operation has ramped up activity this year after a slow start following its emergence in June 2021, with its claimed attack on Minneapolis Public Schools drawing media attention.
Despite the similar names, Medusa and MedusaLocker are separate ransomware operations. Both use a Tor site for ransom negotiations, but they have distinct ransom notes, encryption methods, and extensions for encrypted files.
Medusa's Windows encryptor accepts command-line options that let the operators configure how files are encrypted. When run without arguments, it terminates more than 280 Windows services and processes, and it can delete Windows Shadow Volume Copies to hinder file recovery.
To further curb restoration, the ransomware also runs a command that deletes locally stored files associated with backup programs, as well as virtual machines' virtual hard disk files.
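The behaviours described above (shadow copy deletion, mass service termination, deletion of backup files and virtual disks) are recovery-inhibition steps that show up in process-creation telemetry regardless of the ransomware family. The following is an added example, not code from the Medusa operation, BleepingComputer or SC Media: it runs three simple detection rules over constructed Sysmon-style process-creation lines. The command patterns (vssadmin, wmic shadowcopy, wbadmin, WMI Win32_Shadowcopy), the backup file extensions, the log layout, hostnames and thresholds are all assumptions chosen for the demonstration; the page does not state which commands or file types Medusa itself uses.

```python
"""Hunt process-creation logs for ransomware recovery-inhibition behaviour.

Added example; not code from Medusa, BleepingComputer or SC Media. Log
layout, hostnames, thresholds and command patterns are constructed
assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Commands commonly used to destroy Volume Shadow Copies or backup catalogs.
# Assumption: the page does not say which command Medusa issues; these are the
# usual candidates a defender alerts on for any family.
SHADOW_COPY_DELETION = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
    re.compile(r"win32_shadowcopy.*\bdelete\b", re.I),  # PowerShell/WMI variant
]

# Service/process termination: one is routine, dozens in a minute is not.
TERMINATION = re.compile(
    r"\b(net(1)?(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?)\b", re.I)

# Deletion of backup / virtual-disk artefacts (extensions are assumptions).
BACKUP_DELETE = re.compile(
    r"\b(del|erase|remove-item|rm)\b.*\.(vhd|vhdx|vmdk|bak|bkf|wbcat)\b", re.I)

# Constructed log layout: "<iso-ts> host=<h> pid=<n> ppid=<n> cmdline=<rest>"
LINE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+pid=(?P<pid>\d+)"
    r"\s+ppid=(?P<ppid>\d+)\s+cmdline=(?P<cmd>.*)$")


def parse(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines, burst_threshold=20, window=timedelta(seconds=60)):
    """Return a list of (rule, host, detail) findings over the given lines."""
    findings = []
    kills = defaultdict(list)  # (host, ppid) -> timestamps of stop/kill commands
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue
        cmd = ev["cmd"]
        if any(p.search(cmd) for p in SHADOW_COPY_DELETION):
            findings.append(("shadow_copy_deletion", ev["host"], cmd))
        if BACKUP_DELETE.search(cmd):
            findings.append(("backup_artifact_deletion", ev["host"], cmd))
        if TERMINATION.search(cmd):
            kills[(ev["host"], ev["ppid"])].append(ev["ts"])
    # Sliding window per parent process: flag once when the burst threshold is met.
    for (host, ppid), stamps in kills.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                findings.append(("service_kill_burst", host,
                                 f"ppid={ppid} {end - start + 1} stops within {window.seconds}s"))
                break
    return findings


def _line(ts, host, pid, ppid, cmd):
    return f"{ts} host={host} pid={pid} ppid={ppid} cmdline={cmd}"


# Constructed sample: one benign command, one shadow-copy wipe, one backup wipe,
# then 25 service stops from the same parent inside 25 seconds.
SAMPLE_LOG = [
    _line("2023-03-11T02:14:01Z", "FS01", 5012, 4400, r"C:\Windows\System32\cmd.exe /c dir"),
    _line("2023-03-11T02:14:03Z", "FS01", 5020, 4400, "vssadmin.exe delete shadows /all /quiet"),
    _line("2023-03-11T02:14:04Z", "FS01", 5021, 4400, r"cmd.exe /c del /s /q C:\VMs\*.vhd"),
] + [
    _line(f"2023-03-11T02:14:{5 + i:02d}Z", "FS01", 5100 + i, 4400, f"net.exe stop svc{i} /y")
    for i in range(25)
]


def run_sample():
    """Run the rules over the constructed sample and return the findings."""
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for rule, host, detail in run_sample():
        print(f"{rule:26} {host}  {detail}")
```

The burst rule keys on the parent PID rather than the image name because the stops are typically spawned as child commands of the encryptor; tune `burst_threshold` and `window` to the baseline of the environment (patch windows and cluster failovers legitimately stop many services in a short time).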
Medusa ransomware gaining traction