By the time anyone noticed the attacks or discovered the private information of dozens of people was at risk, it was too late to stop them.
Hidden from notice, hackers had infiltrated several local digital networks, locked them down and grabbed reams of sensitive data.
Then, on March 3, the full scope of the damage was laid bare in a hidden layer of the internet frequented by the cybercriminal community. The first ransom demand — aimed at Prompt Financial Solutions, an investment firm in Burlington — was published at 3:03 p.m.
Two Hamilton law firms were next — the Centennial Law Group at 3:15 p.m. and the Chris Argiropoulos Professional Corporation at 3:20 p.m.
In a corner of the dark web, far away from any Google search, information normally kept under lock and key was in the hands of tech-savvy thieves.
Invoices. Payrolls. Business letters. Client names and phone numbers. Photos of driver’s licences, credit cards, social insurance numbers, passports and Nexus passes.
All held for ransom and available to anyone who knows how to navigate the dark web and has a big enough bank account.
They were not the only victims that day. A small municipal recreation centre in Colorado had its network invaded at the same time, as did a university in Sweden. Other businesses and institutions from Southeast Asia to Alberta were hit before March 3, and several others have been attacked since.
Behind each cyberattack and attempted extortion is a single organization that named itself after a mythical monster whose gaze can turn anyone to stone.
Medusa.
It is one of the most prolific ransomware gangs on the planet. With nearly 200 reported victims since 2022, the group has caught the attention of cybersecurity experts and law enforcement alike. No one knows who is behind the gang with the snake-headed logo, nor exactly where they are based. They boast that they operate “without borders” and, so far, they have made good on that claim.
A Hamilton Spectator investigation has found that in the last month, eight southern Ontario businesses, half of them in the Hamilton area, have been caught in the glare of Medusa.
The Spectator examined the stolen data published to the dark web to confirm it is linked to the businesses Medusa says it hacked. In several cases, these businesses confirmed they were the victims of a Medusa attack, and Hamilton police say they have received two reports of local Medusa cyberattacks.
The gang puts the stolen data up for ransom for hundreds of thousands of dollars. It’s also for sale to anyone who can pay the asking price. If victims do not pay up by a deadline, the data is published online for free, feeding a criminal ecosystem that uses stolen identities as a pathway to profit, putting the personal and financial well-being of the average Canadian at risk.
In each of the known Hamilton cases, Medusa made good on its threat to publish, suggesting the businesses did not pay the ransoms. The information stolen from them, including information about employees and clients, is now up for grabs for free.
Cybercrimes — from phishing emails to ransomware hacks — are becoming an increasingly common global threat fueled by a billion-dollar international shadow industry of criminals. No institution is immune, including governments like the City of Hamilton, which was hit by a ransomware strike on Feb. 25 that crippled its network. It is not clear if Medusa is responsible for that attack. City officials, who say they will not pay a ransom to have their network restored, would not say if Medusa was behind the hack, which the municipality is still recovering from.
As it is with rival gangs like Hive and LockBit, Medusa is well resourced and bold. While they operate on the dark web (a realm of the internet that allows users to act anonymously), they advertise their exploits on the regular internet and on common social-media platforms.
Their attacks are increasing and cybersecurity experts say if a company or public agency hasn’t been a target, they will be sooner or later.
“If I had to give one basic piece of advice for small and medium-sized businesses it is: Prepare to be successfully attacked,” said Charles Finlay, executive director of Rogers Cybersecure Catalyst.
A 2023 report by the federal government’s Canadian Centre for Cybersecurity said that “ransomware is almost certainly the most disruptive form of cybercrime facing Canada,” and that “organized cybercrime will very likely pose a threat to Canada’s national security and economic prosperity over the next two years.”
And Medusa is among the most serious of those threats, said Chris Lynam, the director general of the RCMP’s National Cybercrime Co-ordination Centre.
“I couldn’t rank them, but they are a significant threat to Canada and to others,” he said.
Hackers hiding in the shadows (sort of)
When the RCMP called Jeff Metzger to tell him an international hacker group had wormed its way into his veterinarian clinic’s network, he was shocked.
In many cases, Medusa’s hacks result in a target’s computer system being locked, after which the gang sends a ransom demand. But not this time.
“There was no sign anything was wrong,” said Metzger, whose family runs Metzger Veterinary Services in Linwood, about an hour northwest of Hamilton. “There was no disruption in our services at all. We had no idea anything had happened. Medusa did not contact us.”
Clinic staff went about their usual business of treating livestock on March 15, unaware Medusa had posted a $120,000 ransom demand for their data to its blog on the dark web.
“From what we have been told, most of the information they took is old. Several years old, so I don’t understand entirely what they have captured here,” Metzger said.
However, the hack resulted in the capture of images of his family’s personal information, including driver’s licences, alongside old invoices and human resources reports. The clinic did not pay the ransom and Medusa has published all that information.
“Of course, that is really concerning to us,” said Metzger, who is awaiting a full report from the RCMP and Waterloo Regional Police about the hack.
Finlay said Medusa is a technically sophisticated operation that will grab any vulnerable and valuable data, old or new. That it has the ability to hit several businesses in short order bespeaks the technical savvy of its operators and the powerful software it employs.
While not well known to the general public, Medusa came to the attention of the cybersecurity community in 2021. A 2023 report by the Palo Alto Networks cybersecurity firm described Medusa as “a significant threat to organizations, demanding a more proactive and strong defensive strategy.”
“Medusa’s indiscriminate targeting emphasizes the universal threat posed by such ransomware actors,” said the report.
While the identities of the people who run Medusa are not known, the Palo Alto report that examined the code used by the gang provided a clue to the group’s origins: it was written in Russian.
When a network is attacked, Medusa can lock it down and sometimes sends the victim a ransom note that provides instruction on how to access its dark web blog, where payments can be made.
“Your files have encrypted with new military-grade encryption algorithm and you can not decrypt your files,” reads one such note, replete with grammatical errors, published by Palo Alto in its report. “There is only one possible way to get back your computers and services, keep your privacy safe — CONTACT us via LIVE CHAT and pay for the special MEDUSA DECRYPTOR and DECRYPTION KEYs.”
Once on the dark web blog, branded with the gang’s gorgon silhouette logo, a victim will find an entry about them complete with the ransom demand and a countdown clock. Victims can pay a fee of $10,000 to extend the deadline for a day or pay the ransom. There is also an option for anyone willing to pay the ransom to download the stolen data.
Beyond the dark web, Medusa advertises available data sets on Twitter, now called X, and on Telegram pages, which anyone can access. It also has its own public-facing website, which masquerades as a cybersecurity and cryptocurrency site.
Medusa’s theatricality — the Bond-villain-like logo, the website and social-media posts — is all part of the intimidating mystique they want to create.
“The dark web is not familiar to many people, but at the same time, it is not that hard to find,” said Finlay. “It’s an expression of how they believe they are essentially immune and that you, the victim, don’t really have any other choice. Nobody’s going to come save you from us.”
Lynam, of the Canadian Centre for Cybersecurity, said the motives of criminals like the ones behind Medusa are often unclear beyond the urge for profit. Unlike other criminal archetypes, the profile of the ransomware hacker is still cloudy.
“There’s not actually a huge amount sort of known about the psychology of cybercriminals,” he said. “We are trying to better understand what makes them tick so that we can find them and we can help our police partners make the big cases and investigations to bring them to justice. A lot are financially motivated but we’ve seen where that’s not just the case. They may enjoy being able to reach out and victimize someone and prove that they’re smarter than you.”
Medusa is not alone in brazenly trafficking stolen data on the regular internet, and it isn’t hard to find illicit digital marketplaces, said Brett Callow, a threat analyst with Emsisoft, which produces software to prevent cyberattacks.
“Anyone who can Google, can find them, with a bit of work.”
Each time a business doesn’t pay a ransom and its data is published, a Medusa-affiliated website posts the data, often with an overview of what has been stolen and snide comments about the victim.
“The data leak contains a lot of personal data of employees, including contact numbers, financial documents, a complete customer base with data from corporations and individuals, payment invoices and documentation, all company contracts since 2011,” reads a post announcing Medusa had published the data from the Chris Argiropoulos Professional Corporation law firm on George Street. “Personally, I would not use the services of lawyers who are not able to ensure the confidentiality of not only my personal data, but also the data of my company. I am sure that this data leak will find its consumer.”
On Telegram, these posts are often signed “Robert.”
The Chris Argiropoulos Professional Corporation did not respond to multiple interview requests from The Spectator for this story.
Stolen privacy for sale (or offered for free)
Medusa has attacked a spectrum of businesses, from law enforcement agencies to local bakeries. Nothing appears to be out of bounds for the gang, something Hamilton grocer Denninger’s learned first-hand.
A ransom demand for the company’s data was posted to the Medusa dark web blog on March 8, including stolen invoices, manifests and order forms.
“Denninger’s is continuing to investigate this incident and we are advancing our recovery plan in collaboration with a team of cybersecurity experts,” CEO Patrick Denninger said in an email to The Spectator. “We’ve worked diligently to minimize the impact of this incident on our customers and staff and we greatly appreciate the patience and understanding of both during this time.”
The attack targeted the business’ systems, but also a “portion” of its data, Denninger wrote.
“We are currently working with our experts to determine the nature and extent of the impact to our data.”
“The company does not collect personal or payment information from customers,” said the email, but “we cannot comment on the specifics of the data involved in the incident until we have completed our review.”
Other institutions suffered an even more problematic theft of data, compromising personal or sensitive information that would not normally be publicly accessible.
“In some cases, the data these groups can get would not necessarily be of significant value,” said Finlay, speaking of invoices or order forms. “But in others, like law firms, because of the work they do, there will be far more valuable information.”
For instance, in the case of a March 21 hack of the municipality of Henry County, Illinois, Medusa accessed details of county sheriff investigations, along with photos and data on victims of crime and suspects. County officials did not respond to an interview request from The Spectator.
Hamilton law firms — Centennial Law Group LLP and the Chris Argiropoulos firm — suffered a similar theft of data on March 3, with Medusa accessing legal letters, along with photos of driver’s licences, passports, Nexus cards, SIN cards and other data.
Philip Kuca, partner at Centennial Law Group LLP, told The Spectator the downtown Hamilton firm’s IT consultant recently flagged an attack, but he said operations weren’t interrupted.
Kuca said the breach focused on an “old computer” that wasn’t connected to the firm’s “larger network of sensitive data.”
There was “no sensitive data” on that computer, he said. “So I just unplugged the machine and carried on.”
However, a Spectator investigation found the data Medusa published about Centennial includes personal information about several people, including photos of their driver’s licences and passports. The data also includes the photo of a cheque for hundreds of thousands of dollars with the firm’s banking information printed on it, and a letter detailing the January 2024 sale of a property by the firm.
Kuca said he didn’t inquire about what sort of ransom the attackers demanded but has relied on the expertise of his IT consultant, NetAccess, which reported the incident to police.
In a follow-up email, he wrote that such “cyber threats are not to be taken lightly, regardless of how small the impact,” likening efforts to keep up with them to “almost like a game of cat and mouse.”
Kuca said the firm is beefing up its cybersecurity and that “there is really no way to know what information” was taken.
However, Medusa has published the stolen information on its dark web blog and on Telegram.
Feeding the criminal ecosystem
Medusa and groups like it are part of an international, billion-dollar industry that farms out ransomware attacks as a service, said Finlay.
They have research and development teams that create hacking and ransomware tools that can be used by clients who have a minimal skillset. They have help desks to assist clients and victims alike. Some even post help-wanted ads on the dark web to find new partners and affiliates.
These enterprises make big money, and cost Canadians billions.
According to a 2021 Statistics Canada report, Canadian businesses collectively spend more than $10 billion annually on cybersecurity. Those who were attacked tend to spend more on security, in addition to the cost of fixing impacted systems and the lost revenue that comes with shutdowns.
It is not clear how many businesses pay ransoms to have their data returned or systems unlocked. Medusa, for instance, will publish the data of those who don’t pay up and remove the data of those that do. During The Spectator’s investigation, the data sets of at least two victims — both attached to American municipalities — were removed from Medusa’s dark web blog, suggesting they paid a ransom.
Det. Sgt. Kenneth Kirkpatrick, a cybercrime investigator with the Hamilton Police Service, says victims should not pay these ransoms because it feeds the hacker’s wallet and could encourage more attacks in the future.
However, Finlay says the situation is more complex than that. Groups like Medusa will publish stolen data if they don’t get their ransoms. It is an act of spite that provides fodder for other criminal enterprises, particularly identity theft rings.
Kirkpatrick said the risk to victims whose identity is exposed increases the more data hackers get their hands on.
“It’s often not that one piece of information that is going to be that tipping point. It’s a layering of multiple forms of information about the person.”
The risk is not benign. With that kind of data, a criminal can impersonate someone or even access their financial records, including bank accounts and tax refunds.
There were more than 41,000 Canadians defrauded by identity theft in 2023, according to the federal government’s Canadian Anti-Fraud Centre, costing citizens $554 million. That figure is up from $531 million the year before.
While the stakes can be high, ransomware attacks and other cybercrimes are under-reported to police, partly due to an associated stigma that can prevent victims from coming forward, Kirkpatrick says.
That shouldn’t be the sentiment, he suggests, noting the smallest oversight could open victims up to breaches.
“I really do try to drive home the fact that this is not their fault to a degree. It’s a result of just being connected online, and that’s why these ransomware gangs thrive; because there’s just so many nexuses for them to gain access to a network, that it’s always evolving.”
Beyond the long arm of the law (until they aren’t)
That Medusa operators’ preferred language is Russian is significant because it points to a possible place of origin for the gang that effectively puts it beyond the reach of Canadian law enforcement. Police will hunt for domestic connections, but largely rely on partnerships with international law enforcement agencies to find hackers.
Hacker groups operating out of nations like Russia or Iran cannot be arrested by Western police or intelligence agencies. So sometimes, the only alternative is to fight fire with fire.
“There have been effective, multi-agency, operations that have negatively impacted important ransomware gangs. It is possible to hack back,” said Finlay, noting there have been successful digital assaults on hacker dens, disabling their networks.
When the hackers are operating in Canada, arrests can be made. In February, for instance, Russian hacker and Bradford, Ont., resident Mikhail Vasiliev pleaded guilty to cyber extortion and is now awaiting extradition to the United States.
Vasiliev is accused of being a member of the LockBit hacker group, an organization similar to Medusa, and described by the FBI as being “one of the most active and destructive ransomware variants in the world.”
Lynam said the LockBit investigation, a joint forces effort called Operation Cronos, also attacked the organization’s digital infrastructure. Other investigations saw the FBI and RCMP alert potential victims of imminent or ongoing cyberattacks, allowing those attacks to be disrupted or prevented.
Investigations are difficult and involve co-ordination with international partners — with some going after digital assets while others follow and seize money — but they show police are not helpless.
“It sends a message that collectively we’re going after these cybercriminals,” Lynam said. “We think that’s a pretty good message being sent to maybe that individual in Russia who might think twice now that you have got 10 countries coming after you, not just one.”
Still, arrests remain rare enough that they don’t deter cybercriminals, said Callow.
“But it’s still a fairly safe form of cybercrime. The success-of-prosecution rate is still quite low,” he said.
Moreover, even if the authorities are able to identify the culprit, “there is a chance they could be in a country from which they can’t be extradited.”
And while many targets don’t play ball by caving to ransom demands, Callow said, enough do to make the potential risk of arrest worthwhile.
“The (return-on-investment) is so high on attacks when they do, that the attackers don’t need many to pay for it to be very worthwhile; (It’s a) very profitable business to be in.”
Grant LaFleche is an award-winning investigative journalist with the Hamilton Spectator. Reach him at glafleche@torstar.ca.