Derin Analiz - Medusa Ransomware | Tehdit: KRITIK
Файл Kimligi
| SHA256 | 2e62a782c84149953dd216d96fec8e0f4d4b568525bbaa0574b1aad2530d28e0 |
|---|---|
| Размер | 317,440 byte (310 KB) PE32 console x86 |
| Entropi | 6.58 (normal - packed degil) |
| Section | 5 section, TLS found |
| PDB | G:\Medusa\Release\gaze.pdb |
MedusaCrypt C++ Sinifi
KRITIK: .?AVCMedusaCrypt@@ - Medusa ransomware'in C++ sinifi! Kaynak koddan derlenmis!
.?AVCMedusaCrypt@@ <- BCrypt ile dosya sifreleme sinifi\nPDB yolu: G:\Medusa\Release\gaze.pdb\nDerleme: MSVC Release x86 (Debug sembolleri silindi)
Cift Gasp (Double Extortion)
CIFT GASP: Medusa hem dosyalari sifreler hem de verileri calar!
"2. We have ENCRYPTED some your files."\n\n"After paying for the data breach and decryption, we guarantee\n that your data will never be leaked and this is also for\n our reputation."\n\n"And we have extracted all of your networks including sub offices\n and your service clients networks valuable data and copied them\n to private cloud storage."
Sifreleme Архитектураsi
BCryptEncrypt <- simetrik dosya sifreleme\nBCryptCreateHash <- dosya hash dogrulama\nBCryptDestroyKey <- anahtar temizleme\nBCryptCloseAlgorithmProvider\n-----BEGIN PUBLIC KEY----- (gomulu RSA offentlicher Schlussel)\n-----END PUBLIC KEY----- <- RSA ile AES anahtari sifreleme\n\nSifreleme: AES (simetrik) + RSA (anahtar sarma) hibrit mimari\nFidye notunda TOR browser kullanimi gerektirilir.
Yedekleme Servisleri Hedefi
Medusa, fidye odenmeden kurtarmayi engellemek icin:\n MSSQL$VEEAMSQL2008R2 <- Veeam SQL yedekleme servisi\n SQLAgent$VEEAMSQL2008R2 <- Veeam SQL Agent\n wbengine <- Windows Backup Engine\n zoolz.exe / Zoolz 2 Service <- Bulut yedekleme servisi
IOC
| SHA256 | 2e62a782c84149953dd216d96fec8e0f4d4b568525bbaa0574b1aad2530d28e0 |
|---|---|
| C++ Sinif | .?AVCMedusaCrypt@@ (MedusaCrypt) |
| PDB | G:\Medusa\Release\gaze.pdb |
| Sifreleme | BCryptEncrypt (AES) + RSA kamu anahtari |
| Hedef Servisler | Veeam, WBEngine, Zoolz (yedek engellemesi) |
| Gasp | Cift gasp: dosya sifreleme + veri sizma |
MedusaRansomware — Профиль вредоносного ПО
Medusa ransomware BCrypt AES+RSA hibrit sifreleme kullanan cift gaspc. Dosyalari BCryptEncrypt ile sifreler, RSA kamu anahtari ile AES anahtarini korur. Veeam (VEEAMSQL2008R2), Windows Backup Engine (wbengine) ve Zoolz bulut yedekleme servislerini durdurur. Veri sizintisi tehdidi ile cift gasp (double extortion) yapar.
Тип вредоносного ПО
Ransomware
Язык программирования
C++
C2 Протокол
—
Целевые системы
Windows
Другие названия (AKA)
MedusaLocker
Возможности и поведение
Dosya Şifreleme (AES/RSA)
Gölge Kopya Silme
Yedek Kaldırma
Fidye Notu Oluşturma
Kalıcılık Sağlama
Ağ Paylaşımı Şifreleme
Anti-Analiz Teknikleri
Çift Gasp (Data Leak)
Список IOC (1 индикаторов)
IOC — MedusaRansomware
# SHA256
2e62a782c84149953dd216d96fec8e0f4d4b568525bbaa0574b1aad2530d28e0
| Тип | Значение | Примечание |
|---|---|---|
| sha256 | 2e62a782c84149953dd216d96fec8e0f4d4b568525bbaa0574b1aad2530d28e0 |