Attack surface risk firm Censys says it came across a Russian server with a collection of red teaming tools used to compromise hosts and maintain control. Further analysis connected the initial server with another Russian server that, as recently as mid-June, contained a malware kit pointing to an online domain used by the MedusaLocker group. The U.S. federal government issued a warning only earlier this month about MedusaLocker ransomware, noting it exploits unsecured remote desktop software and uses phishing campaigns. Cybereason in 2020 found the malware to be prevalent in the healthcare industry. Medical centers are especially likely to pay ransomware given practitioners reluctance to disrupt patient care (see: Hackers Claim Drug Data Theft as Reports Warn Health Sector). Censys says it identified the server with the MeduaLocker malware kit through an iterative process that began with an examination of 7.4 million Russian hosts visible to its internet scans. Two hosts stood out since they contained the Metasploit pen tester and Deimos C2, an open source command and control tool. Further analysis revealed that one of the hosts also had web vulnerability tester Acunetix and had used PoshC2, a red team tool used post-exploitation.
Case Western Reserve University and several partners including AMI are launching a new