Medusa is a ransomware-as-a-service operation active since June 2021 that has targeted over 300 victims across critical infrastructure sectors including healthcare, education, legal, and manufacturing using double-extortion, with attacks surging 42% between 2023 and 2024 and a formal CISA advisory issued in early 2025.
Defensive detection signature for this group (use it in your EDR/SIEM). Source: ransomware.live.
```yara
rule win_medusa_auto {
    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.medusa."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusa"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { ae 085ffb cf 51 46 a8cf f8 }
            // n = 7, score = 100
            //   ae                   | scasb al, byte ptr es:[edi]
            //   085ffb               | or byte ptr [edi - 5], bl
            //   cf                   | iretd
            //   51                   | push ecx
            //   46                   | inc esi
            //   a8cf                 | test al, 0xcf
            //   f8                   | clc

        $sequence_1 = { 184e0f 6c 6f aa }
            // n = 4, score = 100
            //   184e0f               | sbb byte ptr [esi + 0xf], cl
            //   6c                   | insb byte ptr es:[edi], dx
            //   6f                   | outsd dx, dword ptr [esi]
            //   aa                   | stosb byte ptr es:[edi], al

        $sequence_2 = { d8b8291ba3f9 a939ef568f 46 005f6e 69c7d0234b91 1c14 2a18 }
            // n = 7, score = 100
            //   d8b8291ba3f9         | fdivr dword ptr [eax - 0x65ce4d7]
            //   a939ef568f           | test eax, 0x8f56ef39
            //   46                   | inc esi
            //   005f6e               | add byte ptr [edi + 0x6e], bl
            //   69c7d0234b91         | imul eax, edi, 0x914b23d0
            //   1c14                 | sbb al, 0x14
            //   2a18                 | sub bl, byte ptr [eax]

        $sequence_3 = { 51 ff7100 52 ff7200 53 }
            // n = 5, score = 100
            //   51                   | push ecx
            //   ff7100               | push dword ptr [ecx]
            //   52                   | push edx
            //   ff7200               | push dword ptr [edx]
            //   53                   | push ebx

        $sequence_4 = { 2048b3 a5 45 b051 9f }
            // n = 5, score = 100
            //   2048b3               | and byte ptr [eax - 0x4d], cl
            //   a5                   | movsd dword ptr es:[edi], dword ptr [esi]
            //   45                   | inc ebp
            //   b051                 | mov al, 0x51
            //   9f                   | lahf

        $sequence_5 = { 57 10872213d4b4 5b 00bb4b0c8cb2 }
            // n = 4, score = 100
            //   57                   | push edi
            //   10872213d4b4         | adc byte ptr [edi - 0x4b2becde], al
            //   5b                   | pop ebx
            //   00bb4b0c8cb2         | add byte ptr [ebx - 0x4d73f3b5], bh

        $sequence_6 = { ab 92 6f 0c48 b5f9 43 }
            // n = 6, score = 100
            //   ab                   | stosd dword ptr es:[edi], eax
            //   92                   | xchg eax, edx
            //   6f                   | outsd dx, dword ptr [esi]
            //   0c48                 | or al, 0x48
            //   b5f9                 | mov ch, 0xf9
            //   43                   | inc ebx

        $sequence_7 = { 5f e1fb 1cc9 3ca5 2c8e }
            // n = 5, score = 100
            //   5f                   | pop edi
            //   e1fb                 | loope 0xfffffffd
            //   1cc9                 | sbb al, 0xc9
            //   3ca5                 | cmp al, 0xa5
            //   2c8e                 | sub al, 0x8e

        $sequence_8 = { 670048ff 680049ff69 004aff 6a00 4b ff6b00 4c }
            // n = 7, score = 100
            //   670048ff             | add byte ptr [bx + si - 1], cl
            //   680049ff69           | push 0x69ff4900
            //   004aff               | add byte ptr [edx - 1], cl
            //   6a00                 | push 0
            //   4b                   | dec ebx
            //   ff6b00               | ljmp [ebx]
            //   4c                   | dec esp

        $sequence_9 = { e60e 6c 7bbc 45 }
            // n = 4, score = 100
            //   e60e                 | out 0xe, al
            //   6c                   | insb byte ptr es:[edi], dx
            //   7bbc                 | jnp 0xffffffbe
            //   45                   | inc ebp

        $sequence_10 = { ff7300 54 ff740055 ff7500 56 }
            // n = 5, score = 100
            //   ff7300               | push dword ptr [ebx]
            //   54                   | push esp
            //   ff740055             | push dword ptr [eax + eax + 0x55]
            //   ff7500               | push dword ptr [ebp]
            //   56                   | push esi

        $sequence_11 = { 334a54 98 56 39ec 51 7fa1 6d }
            // n = 7, score = 100
            //   334a54               | xor ecx, dword ptr [edx + 0x54]
            //   98                   | cwde
            //   56                   | push esi
            //   39ec                 | cmp esp, ebp
            //   51                   | push ecx
            //   7fa1                 | jg 0xffffffa3
            //   6d                   | insd dword ptr es:[edi], dx

        $sequence_12 = { b051 9f 4a d7 b9533e507c }
            // n = 5, score = 100
            //   b051                 | mov al, 0x51
            //   9f                   | lahf
            //   4a                   | dec edx
            //   d7                   | xlatb
            //   b9533e507c           | mov ecx, 0x7c503e53

        $sequence_13 = { b5f5 42 317f52 56 }
            // n = 4, score = 100
            //   b5f5                 | mov ch, 0xf5
            //   42                   | inc edx
            //   317f52               | xor dword ptr [edi + 0x52], edi
            //   56                   | push esi

        $sequence_14 = { bfdb4a7adc de6326 9e 45 334a54 98 }
            // n = 6, score = 100
            //   bfdb4a7adc           | mov edi, 0xdc7a4adb
            //   de6326               | fisub word ptr [ebx + 0x26]
            //   9e                   | sahf
            //   45                   | inc ebp
            //   334a54               | xor ecx, dword ptr [edx + 0x54]
            //   98                   | cwde

        $sequence_15 = { 3ca5 2c8e a1???????? d528 32f4 }
            // n = 5, score = 100
            //   3ca5                 | cmp al, 0xa5
            //   2c8e                 | sub al, 0x8e
            //   a1????????           |
            //   d528                 | aad 0x28
            //   32f4                 | xor dh, ah

    condition:
        7 of them and filesize < 1720320
}
```
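Before loading the signature into an EDR or SIEM it is worth confirming that a known sample actually trips it. The following is an added example (not code from ransomware.live or yara-signator) that evaluates only the subset of YARA syntax this rule uses: hex strings with `??` wildcards and an `N of them and filesize < X` condition. `DEMO_RULE` is a constructed three-string subset of the rule above with a lowered threshold and `SAMPLE` is constructed bytes; passing the full rule text above to `scan()` evaluates the real signature.

```python
import re

# Minimal evaluator for the YARA subset used by win_medusa_auto: hex strings with
# ?? wildcards plus a "N of them and filesize < X" condition. Added example; it is
# not yara-signator or the yara library, and DEMO_RULE / SAMPLE are constructed.

def parse_hex_strings(rule_text):
    """Compile each `$name = { .. }` hex string into a bytes regex (?? -> any byte)."""
    patterns = {}
    for name, body in re.findall(r"(\$\w+)\s*=\s*\{([^}]*)\}", rule_text):
        parts = []
        for token in body.split():          # e.g. "ff7100" or "a1????????"
            for i in range(0, len(token), 2):
                pair = token[i:i + 2]
                parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
        patterns[name] = re.compile(b"".join(parts), re.DOTALL)
    return patterns

def parse_condition(rule_text):
    """Return (min_hits, max_filesize) from `N of them and filesize < X`."""
    m = re.search(r"condition:\s*(\d+)\s+of\s+them\s+and\s+filesize\s*<\s*(\d+)", rule_text)
    if not m:
        raise ValueError("condition is not in the supported 'N of them and filesize < X' form")
    return int(m.group(1)), int(m.group(2))

def scan(rule_text, data):
    """Return (matched, sorted names of the rule's strings found in data)."""
    patterns = parse_hex_strings(rule_text)
    min_hits, max_size = parse_condition(rule_text)
    hits = sorted(name for name, pat in patterns.items() if pat.search(data))
    return len(hits) >= min_hits and len(data) < max_size, hits

# Constructed subset of the rule above: three of its sequences, lower threshold.
DEMO_RULE = """
rule demo_medusa_subset {
    strings:
        $sequence_3 = { 51 ff7100 52 ff7200 53 }
        $sequence_10 = { ff7300 54 ff740055 ff7500 56 }
        $sequence_15 = { 3ca5 2c8e a1???????? d528 32f4 }
    condition:
        2 of them and filesize < 1720320
}
"""

# Constructed sample: filler, $sequence_3, filler, $sequence_15 with four
# arbitrary bytes where the rule has ?? wildcards, filler.
SAMPLE = (b"\x90" * 16 + bytes.fromhex("51 ff7100 52 ff7200 53") + b"\x90" * 8
          + bytes.fromhex("3ca5 2c8e a1") + b"\x11\x22\x33\x44" + bytes.fromhex("d528 32f4")
          + b"\x90" * 16)

RESULT = scan(DEMO_RULE, SAMPLE)   # (True, ['$sequence_15', '$sequence_3'])
```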
```text
[MEDUSA ASCII-art banner]

-----------------------------[ Hello, [snip] !!! ]--------------------------

WHAT HAPPEND?
------------------------------------------------------------
1. We have PENETRATE your network and COPIED data.
   * We have penetrated entire network including backup system and researched all about your data.
   * And we have extracted all of your networks including sub offices and your service clients networks valuable data and copied them to private cloud storage.
2. We have ENCRYPTED some your files.
   While you are reading this message, it means you found your files and data has been ENCRYPTED by world's strongest ransomware.
   We have access to all of your sub offices and client service networks but didn't lock them all for your brand and privacy.
   We can solve this issue sliently and smoothly without 3rd parties and we decided lock only some of your main network only.
   But don't worry, we can restore everything to the original without harming your business.
   There is only one possible way to get back your systems and business - CONTACT us via LIVE CHAT and pay for the special MEDUSA DECRYPTOR and DECRYPTION KEYs, Data deletion, Keep silent in media.
   This MEDUSA DECRYPTOR will restore your entire network, This will take less than 1 business day.

WHAT GUARANTEES?
---------------------------------------------------------------
We can post your data to the public and send emails to your customers.
We have professional OSINTs and media team for leak data to [redacted] facebook, twitter channels and top news websites.
Have a look about us on twitter.
You can suffer significant problems due disastrous consequences, leading to loss of valuable intellectual property and other sensitive information, costly incident response efforts, information misuse/abuse, loss of customer trust, brand and reputational damage, legal and regulatory issues.
After paying for the data breach and decryption, we guarantee that your data will never be leaked and this is also for our reputation.

YOU should be AWARE!
---------------------------------------------------------------
If you're not in main chile office, inform your supervisors and stay calm!
We will speak only with an authorized person. It can be the CEO, top management, etc.
In case you are not such a person - DON'T CONTACT US! Your decisions and action can result in serious harm to your company!
If you do not contact us within 3 days, We will start publish your case to our official blog and everybody will start notice your incident!
If you do not contact us within 5 days, We will start publish your case and leak video on all social channels and send emails to your customers!

--------------------[ Official blog tor address ]--------------------
Using TOR Browser([redacted]
[redacted]

CONTACT US!
----------------------[ Your company live chat address ]---------------------------
Using TOR Browser([redacted]
[redacted]
Or Use [redacted] Chat Program([redacted]
Add user with our [redacted] ID and wait 24h : [redacted]
Our support email: ( [redacted] )

Company identification hash: [snip]
```
USCS offers a diverse range of educational programs including in-person and distance learning undergraduate degrees, technical courses, and postgraduate studies such as MBAs and doctorates. The university also provides non-degree courses aimed at skill enhancement and is equipped with facilities for secondary education. Services include free legal assistance, fiscal education, and health services, catering to both students and the community. With a focus on quality and flexibility, USCS serves a wide array of clients including students at various academic levels and professionals seeking further education. The company is headquartered at Rua Santo Antônio, 50 – Centro, São Caetano do Sul, SP, CEP 09521-160. 501-1,000 employees.
| Organization | Country | Sector | Group | Discovered |
|---|---|---|---|---|
| Universidade Municipal de São Caetano | BR | Education | — | 30 Nov 2025 |
| WR Comercial | BR | Business Services | — | 30 Nov 2025 |
| EcoPetróleo | BR | Energy | — | 14 Oct 2025 |
| Florarte | BR | Consumer Services | — | 20 Aug 2025 |
| Hospital El Cruce | AR | Healthcare | — | 24 Jan 2025 |
| Inmobiliaria Armas | CL | Business Services | — | 11 Dec 2024 |
| Marisa S.A | BR | Business Services | — | 8 Nov 2024 |
| World Vision Perú | PE | Public Sector | — | 13 Oct 2024 |
| Micron Internet | BR | Technology | — | 14 Sep 2024 |
| Vivara | BR | Business Services | — | 25 Jul 2024 |
| Cedar Technologies | BR | Technology | — | 23 Jul 2024 |
| ValeCard | BR | Financial Services | — | 23 Jul 2024 |
| AJE | PE | Business Services | — | 23 Jun 2024 |
| Bimbo Bakeries | MX | Agriculture and Food Production | — | 18 Feb 2024 |
| Digitel Venezuela | VE | Business Services | — | 2 Feb 2024 |
| Unimed Blumenau | BR | Healthcare | — | 5 Nov 2023 |
| Jockey Club | AR | Hospitality and Tourism | — | 30 Oct 2023 |
| Comisión Nacional de Valores | AR | Financial Services | — | 11 Jun 2023 |
| Farmacias Los Hidalgos | DO | Healthcare | — | 5 Jun 2023 |
| Concremat constructions | BR | Construction | — | 5 Jun 2023 |
| Fiduagraria | CO | Agriculture and Food Production | — | 27 May 2023 |
| Amaszonas S.A. | BO | Transportation/Logistics | — | 23 May 2023 |
| Cooperativa de Ahorro y Crédito Ahorrocoop Ltda | CL | Financial Services | — | 10 May 2023 |
| Sonda (Duplicate with update) | CL | Technology | — | 5 May 2023 |
| Sonda | CL | Technology | — | 3 Apr 2023 |
| Law Firm Vazquez Nava Consultores y Abogados, S.C | MX | Business Services | — | 18 Mar 2023 |
| Garbarino SAICeI | AR | Consumer Services | — | 9 Mar 2023 |
The leak-site (.onion) addresses are known but are neither published nor linked here. Only public metadata is shown.
WR Comercial helps businesses find great staff for important jobs like cleaning, security, and front desk work. They connect companies with skilled workers who can handle all kinds of tasks, making it easy for businesses to get the help they need quickly and reliably. Whether you run a small office or a big building, WR Comercial has people ready to support your team. The company is headquartered at Rua Giancarlo Palanti 22B, Vila Ré, São Paulo, CEP 03661-050, Brazil. 11-50 employees.
EcoPetróleo is dedicated to providing petroleum products while actively engaging in environmental conservation initiatives in the Dominican Republic. The company emphasizes its commitment to corporate social responsibility through projects such as turtle nesting, beach clean-ups, and recycling programs. Their intended clients include individuals and organizations that value sustainable practices and eco-friendly services. With a focus on community and environmental welfare, EcoPetróleo strives to enhance the quality of life for all. The company is headquartered at Avenida Rómulo Betancourt No. 527, El Renacimiento, Santo Domingo, Distrito Nacional, República Dominicana. 379 employees.
Florarte is a Brazilian company specializing in the import and distribution of artificial plants and decorative products. Since 1992, it has been setting trends with exclusive collections for home décor, household items, linens, and seasonal celebrations. With over 30 years in the market, a nationwide presence, a catalog of 14,000+ products, and a robust logistics operation, Florarte's purpose is to delight customers with innovative, stylish, and personality-driven designs, supported by a strong commitment to trust, teamwork, and continuous improvement. The company is headquartered at R. Riachão, 807 – 3A, 4A, 5A, 12A, 14A, Muribeca Recife, PE – Brasil, CEP 54.355-057. The total amount of data leakage is 184.8 GB.
Hospital El Cruce has 130 beds and offers a wide range of medical services, such as advanced diagnostic tests and highly specialized surgical procedures. Hospital El Cruce's corporate office is located at 5401 Av. Calchaqui, Florencio Varela, Buenos Aires, 1888, Argentina, and it has 116 employees. The total amount of data leakage is 761.60 GB.
Inmobiliaria Armas is a company that operates in the real estate industry. Inmobiliaria Armas's corporate office is located at 1200 Avenida Manquehue Sur, Las Condes, Santiago Metropolitan, Chile, and it has 398 employees.