Image of obscured secret computer hacker programmer youth wearing hoodie with dark programming computer code background, concept for cyber war hacking technology, encryption coding, Internet crime, software programming, digital data analysis

Blog

It's not just the bad guys that can hack - our team recently uncovered the real IP address of the server hosting Medusa Locker's blog and negotiation site, by exploiting a vulnerability in their blog.Medusa Locker primarily targets healthcare, education, and manufacturing sectors, with hundreds of reported attacks since its emergence in 2019. The group operates a Tor-based leak site to pressure victims, where they publish stolen data from organizations that refuse to pay.🧨 After uncovering a high severity vulnerability in Medusa Locker's ransomware blog - we successfully escalated and obtained the true IP address of their hidden host.<figure id="figure-zqtyjya97nm9he3na9"><img id="zqtyjya97nm9he3na9" src="https://cdn.durable.co/blocks/13Ynvsk7ytP0IEZxB7LWDLnK7gGuviseWhZ8S5TLHUl4NHfF0YtXODvjtQKEjs1h.png" alt="" title="" class="object-cover bg-gray-100 " style="aspect-ratio: 16/9; object-position: 0% 50%;" data-corners="default" data-aspect="16:9" data-caption="Figure 1 - Censys results and real site exposed." data-positionX="0%" data-positionY="50%" data-fullWidth="false"/><figcaption class="body-normal text-gray-500 mt-2">Figure 1 - Censys results and real site exposed.</figcaption></figure>📍 Our analysis reveals that the server is located in Saint Petersburg, Russia, hosted by Selectel, one of the largest Russian providers, known for accepting payments in Bitcoin and Litecoin.⏳ 𝘍𝘰𝘭𝘭𝘰𝘸 𝘰𝘶𝘳 𝘱𝘢𝘨𝘦 𝘵𝘰 𝘴𝘵𝘢𝘺 𝘶𝘱𝘥𝘢𝘵𝘦𝘥 𝘧𝘰𝘳 𝘮𝘰𝘳𝘦 𝘦𝘹𝘱𝘰𝘴𝘦𝘴, 𝘢𝘯𝘥 𝘵𝘰 𝘣𝘦 𝘵𝘩𝘦 𝘧𝘪𝘳𝘴𝘵 𝘵𝘰 𝘬𝘯𝘰𝘸 𝘢𝘣𝘰𝘶𝘵 𝘰𝘶𝘳 𝘶𝘱𝘤𝘰𝘮𝘪𝘯𝘨 𝘢𝘥𝘷𝘢𝘯𝘤𝘦𝘥 𝘥𝘢𝘳𝘬 𝘸𝘦𝘣 𝘪𝘯𝘵𝘦𝘭𝘭𝘪𝘨𝘦𝘯𝘤𝘦 𝘤𝘰𝘶𝘳𝘴𝘦!

Deanonymizing Medusa Ransomware's Onion Site