Gulf American Lines

In September 2023, Gulf American Lines, a New Jersey-based freight forwarding, warehousing, and logistics provider, suffered a Medusa Locker ransomware attack. The threat actors exploited an external web server, deployed web shells for persistent access, and leveraged PowerShell to disable antivirus protections. Using tools like Mimikatz and Nishang, they performed credential dumping and discovery, establishing a reverse tunnel for command and control (C2). The attack resulted in data exfiltration, with stolen files later published on Medusa’s leak site. Critical company data was encrypted and marked with the .MEDUSA extension. The attackers demanded a $100,000 ransom, severely disrupting operations. The incident was reported by RedPacket Security, which clarified its independence from ransomware groups. The breach exposed sensitive corporate and possibly customer data, posing significant financial, operational, and reputational risks. The use of ransomware, combined with data theft and encryption, indicates a high-impact cyber intrusion with potential long-term consequences for the company’s trust and business continuity.

Source: https://research.nccgroup.com/2023/11/13/dont-throw-a-hissy-fit-defend-against-medusa/

TPRM report: https://www.rankiteo.com/company/gulf-american-line

"id": "gul223092125",
"linkid": "gulf-american-line",
"type": "Ransomware",
"date": "9/2023",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'industry': 'freight forwarding, warehousing, and '
                                    'logistics',
                        'location': 'Berkeley Heights, New Jersey, USA',
                        'name': 'Gulf American Lines',
                        'type': 'private company'}],
 'attack_vector': ['exploitation of external web server',
                   'web shells',
                   'PowerShell-based malicious activities',
                   'disabling antivirus services',
                   'discovery techniques',
                   'credential dumping (Mimikatz, Nishang)',
                   'reverse tunnel for C2'],
 'data_breach': {'data_encryption': True, 'data_exfiltration': True},
 'date_detected': '2023-09',
 'description': 'In September 2023, Gulf American Lines, a leading freight '
                'forwarding, warehousing, and logistics provider headquartered '
                'in Berkeley Heights, New Jersey, fell victim to a Medusa '
                'Locker ransomware attack. The attackers exploited an external '
                'web server, used web shells for access, and employed '
                'PowerShell for malicious activities, including disabling '
                'antivirus services. They utilized discovery and credential '
                'dumping techniques such as Mimikatz and Nishang, and '
                'established a reverse tunnel for command and control. Data '
                'was exfiltrated and later published on the Medusa leak site, '
                'with files encrypted and appended with .MEDUSA. The ransom '
                'demand was $100,000.',
 'impact': {'brand_reputation_impact': True,
            'data_compromised': True,
            'operational_impact': True,
            'systems_affected': True},
 'initial_access_broker': {'backdoors_established': ['web shells',
                                                     'reverse tunnel'],
                           'data_sold_on_dark_web': True,
                           'entry_point': 'external web server'},
 'motivation': 'financial gain',
 'ransomware': {'data_encryption': True,
                'data_exfiltration': True,
                'ransom_demanded': '$100,000',
                'ransomware_strain': 'Medusa Locker'},
 'references': [{'source': 'RedPacket Security'}],
 'response': {'third_party_assistance': ['RedPacket Security (reporting '
                                         'only)']},
 'threat_actor': 'Medusa Locker ransomware group',
 'title': 'Gulf American Lines Ransomware Attack by Medusa Locker',
 'type': 'ransomware'}