Typically, when it comes to ransomware, researcher and cybersecurity companies scramble after attacks to understand the origin of the malware that infected systems and locked crucial data.
But researchers with Censys, a firm that indexes devices connected to the internet, said Thursday they’ve flipped the typical script and found what appears to be a ransomware command and control network capable of launching attacks, including one host located in the U.S.
Matt Lembright, Censys’ director of federal applications and author of the report, told CyberScoop that they came across the network after running a search through the company’s data for the top 1,000 software products currently observable on Russian hosts. After seeing Metasploit — penetration testing software frequently used for legitimate purposes — on just nine hosts out of more than 7.4 million, the team did some additional digging.
The team eventually found two Russian-based hosts containing a combination of Acunetix, a web vulnerability tester, and DeimosC2, a command and control tool to use on compromised machines after exploitation.
Further analysis that included historical data tied to those hosts led the researchers to additional hosts and connections to the MedusaLocker ransomware variant, which was the subject of a July 1 alert from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
The company shared the findings in hopes that the wider research and security community would research this network further, said Matt Lembright, Censys’ director of federal applications.
“For folks that live and breathe this every single day, there might be something for them to latch on to here,” Lembright said.
The information has been shared with the FBI, he added, to determine whether it’s connected to any known attacks.
One of the hosts in the network is located in Ohio, according to the data, and was running the DeimosC2 tool as recently as July 6. Other software present on the host indicated it might be serving as a proxy in the network, and a historical review of the host revealed that it hosted malware for a short period in October 2021 later tied to the Karma ransomware strain.
Allan Liska, a threat intelligence analyst with Recorded Future, said Thursday that the data “Censys uncovered appears to indicate an ongoing ransomware campaign, likely tied to MedusaLocker or one of its derivatives.”
MedusaLocker “has been an active, but smaller, ransomware group over the last few years,” he added. “They do not operate an extortion site so it is difficult to pinpoint the true number of victims they have hit.”
Lembright told CyberScoop that the findings don’t definitively spell out exactly what this network is, or what it’s done, but hopefully it can help.
“I can’t say definitively that these hosts haven’t attacked anyone yet, but they’re definitely capable of it,” he said. The idea is to share both the historical and current data associated with the hosts to unpack a potential network and prevent future damage. “This is kind of a chance to go out into the world and do some active hunting.”