
MEDUSA RANSOMWARE EXPOSED BY RANSOMEDVC

NOTE: This is a short initial report based on an analysis of the data leaked by the RansomedVC group about the Medusa ransomware operation.

RansomedVC is back in 2025 for the nth time. Its return was spotted on 8 July 2025 (reported via my tweet here) when the group listed 2 victims, one from the US and one from Brazil.

INTRODUCTION

To attract more eyeballs, the group dropped a new post on its official clearweb DLS (Data Leak Site) exposing the internal chats of the Medusa ransomware group.

The leak consists of chat transcripts between group members from 11 December 2022 to March 2023.

After analyzing the chat transcripts, I have jotted down the most useful information so that you don't need to revisit the raw data:-

  • Maintains an account, MediaTeam, for social media promotion including YouTube and Telegram
  • Requests dumped password hashes after gaining access
  • The cloud storage services put.io (10 TB plan) and Mega (Pro 2) are of prime interest to the group
  • Victims' software versions are identified from the companies' own public records, such as KB articles
  • Uses GMER (gmer.net), a rootkit detector, for rootkits
  • Targeted Green Cloud and StoreOnce (HPE StoreOnce backup appliances)
  • Uses Volatility for LSA secrets dumping (lsadump)
  • Mentions ProxyNotShell RCE and OWA (Outlook Web App)
  • Used a CVE-2022-26134 exploit (Confluence OGNL injection)

Here is the list of affiliates associated with the Medusa ransomware group, as seen in the chats:-

  • boss
  • mat
  • ray
  • sda
  • cz75
  • atari
  • tranc
  • lumma
  • Jester
  • amilan
  • nopiro
  • OSINT1
  • OSINT2
  • drumrlu
  • gabriel
  • van_nms
  • valencia
  • datastore
  • Media Team (OSINT Corp)

🔍THREAT INTEL

1. Two channels are visible in the leak: RedTeamWorkers_Technical_Discussion and DE_access.

2. drumrlu: The group member/affiliate “drumrlu” is a well-known Initial Access Broker (IAB) on underground forums. His presence in the Medusa leak underlines that he is responsible for supplying potentially vulnerable victims to the Medusa group. He also supplied initial access to the Thanos ransomware group back in 2020.

3. In one case, I spotted drumrlu complaining about Fortinet firewall access. As the Forti firewall was blocking all of the traffic, drumrlu managed to install AnyDesk using a bridge via Tor and set up SOCKS over AnyDesk. This session lasted for an hour.

Here is the transcript for the same (the original post embeds a screenshot captioned “Internal Chat of Medusa Group”):-

4. The group member “Ray” asked for the script to be shared with drumrlu; this was declined as it would burn the methods, although he was otherwise supported. He also misspells Symantec as “Symantic”.

5. Another affiliate, “Jester”, is probably Russian (or Russian-speaking), as he consistently communicates in Russian in the group.

6. Group member “Atari” enquired about Windows Defender evasion, among other topics.

7. Group member “nopiro” used a CVE-2022-26134 exploit (Confluence OGNL injection) in Medusa ransomware operations.

8. Group member “datastore” is suspected to be an ex-member of the Makop ransomware group.

9. Modus operandi of “boss”: mass email to all company employees and journalists so that news of the ransomware attack reaches a wider audience. He is believed to be the head of the group.

10. The members also watch YouTube tutorial videos on bypassing or disabling Windows security.

11. The USA 🇺🇸 is the group's prime target, as is evident from the leaked chat.

12. The security and backup products mentioned were Symantec, Sophos, Trend Micro and Veeam.

The prepared files are seen to have been created on 8 July 2025, the same day the group launched its DLS (Data Leak Site).

(The original post embeds a screenshot captioned “Timeline matches with DLS Site Launch Date”.)

Hence the group was checking its progress and wanted to leak the files after listing 2 victims, initially to test its media coverage.

SCRIPT ANALYSIS

During the chat analysis, I came across a script shared by the group member “Ray” to weaponize Windows Safe Boot. It is reproduced here as it appeared in the chat:

sc create CheckSafeMode binpath="C:\Users\Public\CheckSafeMode.exe" type=own start=auto DisplayName="CheckSafeMode"
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CheckSafeMode"
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CheckSafeMode" /f /v "Service"
bcdedit /set {current} safeboot Minimal
shutdown /r /f /t 00

Let's break it down and analyze it step by step:-

🛠 Step-by-Step Breakdown

1. sc create CheckSafeMode

  • Creates a new Windows service named CheckSafeMode
  • binpath= → the service binary, here C:\Users\Public\CheckSafeMode.exe, a directory any local user can write to
  • start=auto → the service starts automatically at boot
  • type=own → runs in its own process
  • DisplayName="CheckSafeMode" → visible name for the service

2. reg add to the SafeBoot registry

  • Registers the service under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CheckSafeMode
  • Safe Mode starts only the services and drivers listed under SafeBoot\Minimal (or SafeBoot\Network for Safe Mode with Networking), so a key named after the service is what allows it to start in Safe Mode, where most security products are not loaded
  • The documented layout puts the string "Service" in the key's default value; the script's second reg add instead creates a named value called "Service" with empty data (see below)

3. bcdedit /set {current} safeboot Minimal

  • Configures the active boot entry to boot into Safe Mode (Minimal, i.e. without networking) on the next restart
  • {current} refers to the currently active boot entry
  • The setting persists: the machine keeps booting into Safe Mode until it is cleared with bcdedit /deletevalue {current} safeboot

4. shutdown /r /f /t 00

  • Restarts the system (/r)
  • Forces running applications to close (/f)
  • With no delay (/t 00)

Why might this fail to work, or “lose victim access”?

🔒 Safe Mode (Minimal) has no networking: unless safeboot Network is chosen and the tooling is listed under SafeBoot\Network, remote-access tools (Cobalt Strike, RDP, RATs) have no network to talk over
🚫 Wrong registry value: /v "Service" creates a named value called Service with no /t (type) and no /d (data), whereas the documented layout sets the key's default value (/ve /t REG_SZ /d Service)
⚠️ sc.exe syntax: sc create expects a space after each option's equals sign (binpath= "..." type= own start= auto); without it, sc prints its usage text and no service is created, while the bcdedit and shutdown lines still run and the box reboots into Safe Mode with nothing to keep the foothold alive
❌ If the service binary is deleted or flagged by AV, the service registration becomes a stub

What was it trying to do?

The attacker likely wanted to reboot into Safe Mode, where defenses such as AV and EDR might not load, while keeping a foothold via a custom service allowed to run there (MITRE ATT&CK tracks this technique as T1562.009, Impair Defenses: Safe Mode Boot). However, due to the poor syntax and unsafe assumptions, they essentially locked themselves out: the host comes up in a Safe Mode without networking and, because the safeboot BCD value persists, keeps doing so until someone with console access clears it.

The group was trying to disable protections but forgot the golden rule: Safe Mode is not a free pass unless the networking stack (safeboot Network) and the payload are carried into it properly.
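As an added example, not taken from the leaked chat or from any Medusa tooling, the following PowerShell hunt checks a Windows host for the two artefacts this kind of Safe Mode persistence leaves behind: service entries under the SafeBoot keys whose binary lives outside %SystemRoot% (or which name a service that no longer exists, the stub case above), and a safeboot value pinned on the active BCD entry. It makes no assumption about the service name; CheckSafeMode would simply show up as one more flagged row. Run it from an elevated prompt, since bcdedit needs administrator rights.

```powershell
# Added example: hunt for Safe Mode (SafeBoot) persistence on a Windows host.
# Written for defenders; not part of the leaked script. Run elevated (bcdedit).

$safeBootRoots = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network'
)
$systemRoot = $env:SystemRoot

function Get-ServiceImagePath {
    # Extract the executable from a service's PathName, which may be quoted
    # and may carry arguments (e.g. svchost.exe -k netsvcs -p).
    param([string]$PathName)
    if ([string]::IsNullOrEmpty($PathName)) { return $null }
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

$findings = foreach ($root in $safeBootRoots) {
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        # The subkey name is the service name; its default value is "Service"
        # for services and "Driver"/"Driver Group" for drivers. Services only.
        $kind = (Get-ItemProperty -Path $key.PSPath).'(default)'
        if ($kind -ne 'Service') { continue }

        $svcName = $key.PSChildName
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$svcName'" -ErrorAction SilentlyContinue
        $image = Get-ServiceImagePath -PathName $svc.PathName

        # Flag entries whose binary lives outside the Windows directory, and
        # entries naming a service that no longer exists (a leftover stub,
        # e.g. the binary was deleted or quarantined by AV).
        $suspicious = ($null -eq $svc) -or -not ($image -like "$systemRoot\*")

        [PSCustomObject]@{
            SafeBootList = Split-Path -Leaf $root      # Minimal or Network
            Service      = $svcName
            ImagePath    = $image
            StartMode    = $svc.StartMode
            Suspicious   = $suspicious
        }
    }
}

# Flagged entries first; the rest is printed so the baseline can be reviewed.
$findings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize

# Is the active boot entry pinned to Safe Mode for the next restart?
$pinned = bcdedit /enum '{current}' | Select-String -Pattern '^safeboot\s+'
if ($pinned) {
    Write-Warning "Boot entry {current} is pinned to Safe Mode: $($pinned.Line.Trim())"
    Write-Warning 'Clear it with: bcdedit /deletevalue {current} safeboot'
} else {
    Write-Output 'No safeboot value set on {current}.'
}
```

Compare the output against a known-good image rather than treating every flagged row as malicious: legitimate security products that register themselves for Safe Mode (Windows Defender's platform binary under %ProgramData%, third-party AV under %ProgramFiles%) will also appear as Suspicious. Once an entry is confirmed as rogue, sc delete <name> removes the service, reg delete on the SafeBoot subkey removes the Safe Mode allow entry, and bcdedit /deletevalue {current} safeboot stops the host from rebooting into Safe Mode again.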

KEY TAKEAWAYS

RansomedVC clearly thanks the “Insiders” of the Medusa ransomware group in its blog post. However, as the chat transcript covers 11 December 2022 to March 2023, this could also indicate that a (former) member of RansomedVC was working with Medusa and stayed for about four months.

As the Medusa group is still active, the older chat leak is a PR exercise by RansomedVC to gain more popularity for its newly relaunched and revamped project in the ransomware ecosystem.

From the transcript and from previous events, the group is mainly focused on targeting Fortinet access: an SQLi vulnerability was exploited by the group in 2024, and the mention of “Forti” in the current leaked chat, which dates back to 2023, underlines the same focus.

The suspected head of the group, “boss”, is eager to break the news of an intrusion to a wider audience.

Any traffic that lasts for an hour or less should be observed closely.

Competition among ransomware groups is growing across several verticals: affiliate partnerships, maximum victimization, customized support in negotiations, relaunch/rebrand, reputation tampering, etc.

If you want to read my initial report on the Medusa ransomware group, you can find it here 😉

If you want to download the leaked Medusa chat, I have hosted it here.

Follow me on Twitter for interesting DarkWeb/InfoSec short findings! 😉

NOTE:- This article is purely individual research, is associated only with THE RAVEN FILE, and may not be used or published anywhere without the author's consent.

Responses to “MEDUSA RANSOMWARE EXPOSED BY RANSOMEDVC”

  1. […] RansomedVC returns and leaks Medusa's internal chats — The RansomedVC ransomware group has resurfaced after two years and leaked the Medusa ransomware group's internal chat logs covering 11 December 2022 to March 2023. RansomedVC claims that Medusa's administrators are “completely absent and not responding to members' requests”, hinting at a possible exit scam or a law-enforcement takedown. “From the chat content and past incidents, the group mainly targets Fortinet access, an SQLi vulnerability exploited in 2024, and ‘Forti’ was already a priority in 2023,” says researcher Rakesh Krishnan. New players such as BERT have also emerged. SafePay appeared last year and has evolved into one of the “most active and dangerous actors”, mainly targeting MSPs and SMBs. “The group moves quietly through the network, exfiltrates data and encrypts files using classic techniques such as RDP and VPN intrusion, credential theft, privilege escalation and living-off-the-land binaries,” says Acronis. Ransomware victims in Q1 2025 were up 213% year on year (2,314 across 74 sites, versus 1,086 in 2024). […]

  2. […] Returns After Hiatus; Leaks Medusa Information — The RansomedVC ransomware group has returned after a two-year absence and leaked the inner chat transcripts of the Medusa ransomware group from […]

  3. […] Returns After Hiatus; Leaks Medusa Data — The RansomedVC ransomware group has returned after a two-year absence and leaked the internal chat transcripts of the Medusa ransomware group […]
