Medusa attacks Principle Cleaning Services
The Medusa Ransomware Group Strikes Principle Cleaning Services
Background
The Medusa ransomware group has reportedly compromised Principle Cleaning Services, a provider of corporate and commercial cleaning in London. Founded in 1989, Principle Cleaning Services has been an employee-owned company since 2023. The group has demanded a ransom of $1,000,000 and claims to have exfiltrated 220.58 GB of sensitive data, including invoices, personal documents, and employees’ data. A ransom deadline of 1 May has been set.
Medusa Ransomware Group
Medusa is a Ransomware-as-a-Service (RaaS) that emerged in the summer of 2021 and has become one of the more active RaaS platforms. The group's attack volumes were inconsistent in the first half of 2023 but saw a resurgence in the last half of the year. Medusa employs various tactics to avoid detection, such as restarting infected machines in safe mode, deleting local backups, disabling startup recovery options, and deleting VSS Shadow Copies to prevent encryption rollback.
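The recovery-inhibiting behaviours listed above (safe-mode reboot, backup deletion, disabled startup recovery, shadow copy deletion) can be hunted for in process-creation logs. The following is an added example, not code from the original article or from Halcyon. The article names no commands, so the patterns are commonly documented Windows commands assumed to correspond to each behaviour, and the hosts, timestamps and log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed patterns: widely documented Windows commands for each behaviour
# the article lists. The article itself does not name any commands.
RULES = {
    "shadow_copy_delete": re.compile(
        r'(vssadmin(\.exe)?"?\s+delete\s+shadows|wmic(\.exe)?"?\s+shadowcopy\s+delete)', re.I),
    "backup_delete": re.compile(
        r'wbadmin(\.exe)?"?\s+delete\s+(catalog|systemstatebackup|backup)', re.I),
    "recovery_disabled": re.compile(
        r'bcdedit(\.exe)?"?\s+.*(recoveryenabled\s+no\b|bootstatuspolicy\s+ignoreallfailures)', re.I),
    "safe_mode_boot": re.compile(
        r'bcdedit(\.exe)?"?\s+.*safeboot\s+(minimal|network)', re.I),
}

def classify(cmdline):
    """Return the set of recovery-inhibiting behaviours a command line matches."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def correlate(events, window=600, threshold=2):
    """events: iterable of (host, epoch_seconds, cmdline).
    Returns {host: sorted behaviours} for hosts showing at least `threshold`
    distinct behaviours inside any `window`-second span."""
    hits = defaultdict(list)
    for host, ts, cmd in events:
        for behaviour in classify(cmd):
            hits[host].append((ts, behaviour))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            inside = {b for ts, b in seen[i:] if ts - start <= window}
            if len(inside) >= threshold:
                alerts[host] = sorted(set(alerts.get(host, [])) | inside)
    return alerts

# Constructed sample of process-creation events (host, epoch seconds, command line).
SAMPLE = [
    ("ws-014", 1000, r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("ws-014", 1030, "bcdedit /set {default} recoveryenabled No"),
    ("ws-014", 1055, "bcdedit /set {default} safeboot minimal"),
    ("srv-bkp", 2000, "vssadmin list shadows"),           # read-only, no match
    ("srv-bkp", 9000, "wbadmin delete catalog -quiet"),   # single behaviour only
    ("ws-022", 3000, "bcdedit /deletevalue {default} safeboot"),  # removes safe boot
]

if __name__ == "__main__":
    print(correlate(SAMPLE))
```

Requiring two or more distinct behaviours on one host within a short window keeps a lone administrative `wbadmin` or `vssadmin` call from alerting while still flagging the combined sequence.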
Recent Activity
In the latter part of 2022, Medusa intensified its attacks and remained active in the first quarter of 2023. However, the group's activity seems to have decreased in the second quarter. Medusa typically demands ransoms in the millions of dollars, with the amount varying based on the target organization's financial capacity.
Modus Operandi
Medusa typically infiltrates victim networks through malicious email attachments (macros), torrent websites, or malicious ad libraries. The group can terminate over 280 Windows services and processes without command line arguments. It is currently unclear whether a Linux version exists. Medusa targets various industries, with a focus on healthcare, pharmaceutical companies, and public sector organizations. The group also employs a double extortion scheme, exfiltrating data before encrypting it. Medusa is not as generous with its affiliate attackers, however, offering only up to 60% of the ransom if paid.