Ransomware, Vulnerability Management, Network Security, Threat Management

Scanning for red-team tools reveals likely campaign tied to MedusaLocker ransomware

Fountain of Medusa in Nemi
Researchers at Censys reported finding servers roped into the MedusaLocker crime network by scanning for tools used by pen testers. (Sislavio/iStock via Getty Images)

Censys announced Thursday it mapped several servers that were roped into the MedusaLocker criminal network as either proxies or ransomware victims using an interesting technique: scanning the internet for common red-teaming tools.

In late June, the company produced a report looking at the prevalence of the top 1,000 software products exposed on the 7.4 million servers it regularly scans in Russia. Nine servers had the pen testing tool Metasploit, which is often used in attacks, and of those, one hosted several other pen testing tools used in attacks, including Acunetix, Posh, and Deimos. Given that only a single server had the collection, Censys believed there was a good chance that it was not a cocktail being administered by a pen testing company. Using the certificates and JARM fingerprints from the Russian server, as well as current and historical data from internet scans, Censys was able to map out consistent overlap with indicators of the MedusaLocker campaign around the world.
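The pivot described above, as an added example that is not Censys's tooling or code from the article: starting from one host that exposes an unusual stack of pen testing tools, invert a scan data set by certificate fingerprint and JARM hash to find other hosts sharing them. All host addresses, fingerprints and scan records below are constructed placeholders.

```python
# Added example (not from Censys or the article): pivot from one suspicious
# host's TLS certificate fingerprints and JARM hashes to other hosts in a scan
# data set. Every record and hash below is a constructed placeholder.
from collections import defaultdict

PENTEST_TOOLS = {"metasploit", "acunetix", "posh", "deimos"}  # names from the article

# Constructed scan records: host -> exposed software, cert fingerprints, JARM hashes.
SCAN = {
    "198.51.100.10": {"software": {"metasploit", "acunetix", "posh", "deimos"},
                      "certs": {"cert-A"}, "jarm": {"jarm-1"}},
    "203.0.113.7":   {"software": {"nginx"}, "certs": {"cert-A"}, "jarm": {"jarm-2"}},
    "203.0.113.8":   {"software": {"metasploit"}, "certs": {"cert-B"}, "jarm": {"jarm-1"}},
    "192.0.2.44":    {"software": {"apache"}, "certs": {"cert-C"}, "jarm": {"jarm-3"}},
}

WEIGHT = {"certs": 2, "jarm": 1}  # cert reuse is stronger evidence than a shared JARM hash


def tool_outliers(scan, min_tools=3):
    """Hosts exposing several pen testing tools at once (the article's seed host)."""
    return {h for h, r in scan.items() if len(r["software"] & PENTEST_TOOLS) >= min_tools}


def build_index(scan):
    """Invert the scan: (kind, value) -> set of hosts that expose that cert or JARM."""
    index = defaultdict(set)
    for host, rec in scan.items():
        for kind in ("certs", "jarm"):
            for value in rec[kind]:
                index[(kind, value)].add(host)
    return index


def pivot(scan, seed):
    """Map each host sharing a cert or JARM with `seed` to the (kind, value) pairs shared."""
    index = build_index(scan)
    related = defaultdict(set)
    for kind in ("certs", "jarm"):
        for value in scan[seed][kind]:
            for host in index[(kind, value)] - {seed}:
                related[host].add((kind, value))
    return dict(related)


def rank_related(scan, seed):
    """Related hosts ordered by evidence weight; a lone JARM match is weak because
    many unrelated servers share default TLS configurations."""
    scored = {h: sum(WEIGHT[k] for k, _ in shared) for h, shared in pivot(scan, seed).items()}
    return sorted(scored.items(), key=lambda kv: (-kv[1], kv[0]))
```

Hosts that surface only through a JARM match should be treated as leads to confirm against historical scan data, not as indicators in their own right.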

"A lot of scanning is looked at as being right of bang, so to speak — it takes place after events occurred. This is kind of the other way around, something we can leverage to be proactive," said Matt Lembright, a researcher with Censys.

Censys researchers believe the data they found ties these hosts together: the certificates and fingerprints, as well as other indicators of attack, including software used to turn breached computers into proxies to mask attacks and pathways to funnel cryptocurrency.

While internet scans provide evidence that a computer exists, they provide no means to contact its owner. Censys is working with the FBI to deanonymize potential victims to allow them to remediate. The company spotted U.S. victims in Virginia, Ohio, New Jersey and California, as well as global victims as far as Taiwan, China and the Netherlands.

"I think we'll be able to discover more campaigns this way," said Lembright. "For these hosts to do what they're doing, they have to be on the internet, they have to be available, they have to be ready for a callback or ready to communicate with their hosts."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
