Enterprotect


The Return of Medusa Botnet as a Mirai-Based Variant with Ransomware Sting

The Medusa botnet is a malware strain that first appeared in darknet markets in 2015 and added HTTP-based DDoS capabilities in 2017. Its latest version has returned, rebuilt on the leaked source code of the Mirai botnet, and now includes a ransomware module and a Telnet brute-forcer. This new variant of the Medusa DDoS botnet is being offered as malware-as-a-service (MaaS) for DDoS and mining, promising stability, anonymity, and adjustable costs.

What is the Threat?

The new Medusa variant is a dangerous threat, combining the capabilities of the Mirai botnet with a ransomware module and Telnet brute-forcer. The malware targets Linux systems and has extensive options for DDoS attacks, as well as the ability to encrypt files using AES 256-bit encryption.

Why is it Noteworthy?

The addition of a ransomware function to the Medusa botnet makes it a significant threat to organizations. The encryption of files, combined with the ability to launch DDoS attacks, creates a double-whammy that can lead to significant downtime and the loss of valuable data.

What is the Exposure or Risk?

The exposure or risk from the Medusa botnet comes from the ransomware function, which walks all directories looking for files of the targeted types and encrypts them. If a device becomes infected with the Medusa variant, important files could be encrypted and then deleted after 24 hours. The ransomware function also appears to be broken, which effectively turns it into a data wiper and could result in the permanent loss of important data.

What are the Recommendations?

To protect against the Medusa botnet, organizations should implement robust cybersecurity measures, including firewalls, anti-virus software, and intrusion detection systems. Additionally, regularly backing up important data is recommended in case of a ransomware attack. To prevent Telnet attacks, organizations should restrict access to port 23 and use strong authentication protocols.
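One concrete detection for the Telnet brute-forcing this advisory warns about, as an added example that is not part of the original advisory: a small Python routine that counts failed Telnet logins per source address in a sliding time window over constructed, syslog-style lines. The log line format, the threshold of five failures and the 60-second window are assumptions; adapt the regex to your own telnetd logging.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in a syslog-like shape (assumed format, not from a real device).
SAMPLE_LOG = """\
2023-02-07T10:00:01 telnetd[412]: login failed for 'root' from 203.0.113.7
2023-02-07T10:00:02 telnetd[412]: login failed for 'admin' from 203.0.113.7
2023-02-07T10:00:02 telnetd[412]: login failed for 'support' from 203.0.113.7
2023-02-07T10:00:03 telnetd[412]: login failed for 'user' from 203.0.113.7
2023-02-07T10:00:04 telnetd[412]: login failed for 'root' from 203.0.113.7
2023-02-07T10:00:05 telnetd[412]: login failed for 'guest' from 203.0.113.7
2023-02-07T10:05:00 telnetd[412]: login failed for 'root' from 198.51.100.9
2023-02-07T10:07:00 telnetd[412]: login succeeded for 'operator' from 192.0.2.20
"""

# Only failed logins are of interest; successes and unrelated lines do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login failed for '(?P<user>[^']*)' from (?P<src>\S+)$"
)


def detect_telnet_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {source_ip: max_failures_in_window} for every source whose failed
    Telnet logins reach `threshold` within any `window_seconds` span."""
    windows = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        src = m.group("src")
        q = windows[src]
        q.append(ts)
        # Slide the window: drop failures older than window_seconds.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


if __name__ == "__main__":
    for src, n in detect_telnet_bruteforce(SAMPLE_LOG).items():
        print(f"possible Telnet brute-force from {src}: {n} failures within window")
```

A hit here is a signal to block the source and confirm port 23 is not reachable from untrusted networks, which is the advisory's recommendation in the first place.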

References

Cyble. (2023, February 7). Medusa botnet returns as a Mirai-based variant with ransomware sting. BleepingComputer. https://www.bleepingcomputer.com/news/security/medusa-botnet-returns-as-a-mirai-based-variant-with-ransomware-sting/