Medusa ransomware claims it attacked Lojas Marisa

At least since 1pm on November 4th, the Lojas Marisa website has been experiencing problems, according to reports complaint from a consumer on X/Twitter. When responding to the complaint, the store profile informed: “Hey how’s it going? We are experiencing temporary instability in our systems, which may affect some services. Our team is already working to resolve it. We appreciate your understanding and apologize for what happened!” At the time this note was published, the website remained inoperative. The CISO Advisor has not yet located the company’s communications department to request information on the matter.

At the same time, information emerged in groups of security professionals that a company network had been attacked by the group that operates the Medusa ransomware. In one of the groups, an image of the Medusa group ransom notification message is circulating, containing the name of the company. The Medusa group uses two notification models, and it is circulating in the groups the model “!!!READ_ME_MEDUSA!!!_2.txt”.

The Medusa group became known in 2023 after opening a leaks website on the dark web, but it also publishes information via Telegram and X/Twitter. Ransomware attacks orchestrated by the group begin with the exploitation of Internet-facing assets or applications with known unpatched vulnerabilities and the hijacking of legitimate accounts, often employing early access brokers to gain a foothold on target networks.

A notable aspect of the infections is the reliance on living-off-the-land techniques (LotL or using applications already installed on the attacked system) to blend in with legitimate activities and evade detection. Also noted is the use of a pair of kernel drivers to wrap up a hard-coded list of security products.

The initial access phase is followed by discovery and reconnaissance of the compromised network, with the agents finally launching the ransomware to enumerate and encrypt all files except those with the .dll, .exe, .lnk and .medusa extensions (the extension given to encrypted files).

Marisa defines itself as the largest women’s fashion and lingerie chain and one of the largest men’s and children’s clothing chains in Brazil, having been in the market for 70 years.