"Scanning for Red-Team Tools Reveals Likely Campaign Tied to Medusalocker Ransomware"

Censys has announced that, by scanning the Internet for common red-teaming tools, it mapped several servers involved in the MedusaLocker criminal network as proxies or ransomware victims. In late June, the company published a report on the prevalence of the top 1,000 software products found on the 7.4 million servers in Russia that it scans on a regular basis. Nine servers hosted the penetration testing tool Metasploit, which is frequently used in attacks. One of those servers hosted several other penetration testing tools, including Acunetix, Posh, and Deimos. Because the whole collection sat on a single server, Censys suspected that it was not administered by a penetration testing company. Using the certificates and JARM fingerprints from the Russian server, together with current and historical Internet scan data, Censys was able to map out consistent overlaps with indicators of the MedusaLocker campaign worldwide. This article continues to discuss the Censys researchers' discovery of servers roped into the MedusaLocker crime network by scanning for tools used by penetration testers.

SC Media reports "Scanning for Red-Team Tools Reveals Likely Campaign Tied to Medusalocker Ransomware"
