In a bizarre development, the dastardly ransomware-as-a-service outfit known as Medusa has decided to contact Joe Tidy directly. As an independent cyber correspondent for the BBC, he now faces an offer that raises profound ethical questions.

The impact of Medusa

Medusa has been operating for the past four years, successfully hacking more than 300 victims to date. It is widely assumed that people from Russia or its satellite states are behind this hostile cabal.
In fact, a few days ago, Medusa’s emissaries reached out to Tidy through the encrypted messaging service Signal. They presented him with a cut-rate offer that would pay him handsomely if he aided and abetted their illegal endeavors. The group’s messaging serves as a startling reminder of the real-world tactics cybercriminals will use to recruit insiders to their hacking operations.
That initial push followed Medusa’s issuance of a public notice in early March, drawing attention to their efforts and capacity. Among their victims are some pretty impressive names, including one of the UK’s largest healthcare companies and a midwestern US emergency services provider. Through their own public relations efforts, Medusa has disclosed dozens of victims on their darknet front page. They have redacted the names of these companies.
During these discussions with Tidy, Syn, a Medusa delegate, threw down the gauntlet. In return for access to his PC, Tidy would be paid 15% of any ransom payment received. The conversation took an alarming turn when Syn stated, “If you are interested, we can offer you 15% of any ransom payment if you give us access to your PC.”
Syn’s proposal included a financial incentive in the form of a “trust payment”. To convince Tidy that they were for real, and not just trying to scam him, they promised a 0.5 bitcoin deposit. There is a lot of sophistication behind Medusa. If they’re able to fully penetrate a large company, they might be able to extort ransoms of tens of millions of dollars.
The exchange between Tidy and Syn demonstrated the group’s violent intimidation tactics. Syn expressed impatience, stating, “When can you do this? I’m not a patient person.” He attempted to entice Tidy with promises of wealth, saying, “I guess you don’t want to live on the beach in the Bahamas?”
Despite the tempting offer, Tidy remained skeptical. He responded with caution, asserting, “You could be kids messing about or someone trying to entrap me.” His reluctance to go on the record illustrates how effective Medusa and other cybercriminals’ tactics have been, even for those in cybersecurity.
Syn attempted to downplay Tidy’s concerns by suggesting that many employees would be willing to provide access to systems, stating, “You’d be surprised at the number of employees who would provide us access.” He further pressed Tidy by questioning the BBC’s compensation policies: “Lets be honest does the BBC actually pay you much at all?”
As the chat continued, Syn stressed that Medusa was not looking for media attention or notoriety; they only cared about shaking every last penny out of the business. “We aren’t bluffing or joking – we don’t have a purpose media wise we are only for money and money only,” he stated. The group’s rapacious, no-holds-barred pursuit of profits comes through loud and clear in their tactics and demands.
After months of receiving no meaningful response from Tidy, Syn deleted his Signal account and disappeared from comms entirely. This disappearance is a reminder of just how ephemeral relationships with cybercriminals can be. It highlights new risks and dangers for anyone looking to join or support these alternative movements.
