Unmasking the Medusa Ransomware Group: A Technical Vulnerability Exposes Its Real Identity
Researchers have used technical means to expose the true identity of the notorious Medusa ransomware group: the server it hid behind the Tor network was found to have a serious vulnerability that leaked its real IP address. The group mainly carries out double-extortion attacks against healthcare, education and manufacturing organizations. The researchers obtained its real IP through an SSRF vulnerability and disclosed details of its server configuration. 2025-4-16 18:58:20 Author: cybersecuritynews.com

Researchers Deanonymized Medusa Ransomware Group’s Onion Site

Researchers have uncovered the true identity of servers hosting one of the most notorious ransomware operations active today.

The Medusa Ransomware Group, which has operated with relative anonymity through Tor hidden services, has had its cover blown through a sophisticated exploitation of vulnerabilities in their own infrastructure.

This exposure represents a rare instance where cybercriminal operations protected by the anonymity of the Tor network have been compromised through technical vulnerabilities rather than operational security mistakes.


Medusa Locker has established itself as a formidable threat in the cybersecurity landscape since its emergence in 2019.

The group has primarily targeted organizations in healthcare, education, and manufacturing sectors, with hundreds of documented attacks over the past six years.

Their typical modus operandi includes operating a Tor-based leak site where they publish sensitive data stolen from victims who refuse to pay ransom demands, creating a double-extortion pressure tactic that has proven effective against many organizations.

Covsec researchers identified a critical vulnerability in Medusa’s ransomware blog platform that allowed them to bypass the protections afforded by the Tor network.

By exploiting this high-severity vulnerability, the security team was able to execute a privilege escalation attack that revealed the actual IP address of the hidden service: 95.143.191.148.

The exposure provides unprecedented insight into the infrastructure supporting Medusa’s operations.

The server is hosted on a network routed via SELECTEL in Russia (AS49505) and runs Ubuntu Linux with OpenSSH 8.9p1. The server exposes three services: SSH on port 22, HTTP on port 80, and an additional HTTP service on port 3000.

Technical Exploitation Details

The exploitation process leveraged a vulnerability in the blog platform used by the Medusa group to showcase their victims.

Censys results and real site exposed (Source – Covsec)

While specific exploit code cannot be shared for ethical reasons, the process involved a server-side request forgery (SSRF) vulnerability that eventually led to the execution of the following command to verify the actual IP address:

curl -s https://ifconfig.me

This simple command, when executed on the compromised server, returned the actual external IP address rather than the onion routing address.
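The failure above is an outbound request the server was never meant to make. As an added defensive example (not code from the article or from Covsec), the following Python validator shows the control that would have blocked it: a server-side fetch is allowed only to an allowlisted host, and even then every address that host resolves to is checked so a rebinding name cannot steer the request somewhere else. `ALLOWED_HOSTS` and the stub resolver in the demo are hypothetical values constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allowlist: the only hosts the blog platform legitimately fetches from.
ALLOWED_HOSTS = {"assets.blog.internal"}
ALLOWED_SCHEMES = {"http", "https"}

# Ranges a server-side fetch must never reach, even when an allowlisted
# name resolves there (DNS rebinding).
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def resolve(host):
    """Resolve a hostname to the set of address strings it currently points to."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def validate_fetch_url(url, resolver=resolve):
    """Return (ok, reason) for a URL the application is asked to fetch server-side.

    Anything rejected here is what an SSRF would use to make the server reach an
    arbitrary destination; on a Tor hidden service such a direct fetch leaves the
    Tor circuit and reveals the server's real egress IP.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parsed.scheme!r} not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    if parsed.username or parsed.password:
        return False, "credentials embedded in URL"
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    addrs = {ipaddress.ip_address(a) for a in resolver(host)}
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if any(addr in net for net in BLOCKED_NETS):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    fake_dns = {"assets.blog.internal": {"203.0.113.10"}}  # constructed, offline
    for u in ("https://ifconfig.me", "https://assets.blog.internal/logo.png"):
        print(u, validate_fetch_url(u, resolver=lambda h: fake_dns.get(h, set())))
```

Run the validator on every user-influenced URL before any outbound request; on a hidden service, the remaining allowed fetches should additionally be routed through the Tor SOCKS proxy rather than the host's direct uplink.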

The researchers verified this finding using Censys, a search engine that indexes devices connected to the internet.

The exposed server demonstrates poor security configurations that contributed to the successful deanonymization.

Most notably, the standard SSH port remained open with password authentication enabled rather than key-based authentication, and the HTTP service on port 3000 directly exposed the Medusa Locker Group’s victim negotiation portal.



Source: https://cybersecuritynews.com/researchers-deanonymized-medusa-ransomware/