Medusa ransomware crew brags about spreading Bing, Cortana source code

The Medusa ransomware gang has put online what it claims is a massive leak of internal Microsoft materials, including Bing and Cortana source code.

“This leak is of more interest to programmers, since it contains the source codes of the following Bing products, Bing Maps and Cortana,” the crew wrote on its website, which was screenshotted and shared by Emsisoft threat analyst Brett Callow.

“There are many digital signatures of Microsoft products in the leak. Many of them have not been recalled,” the gang continued. “Go ahead and your software will be the same level of trust as the original Microsoft product.”

Obviously, this could be a dangerous level of trust to give miscreants developing malware. Below is Callow’s summary of the purported dump of source code presumable obtained or stolen somehow from Microsoft.

To be clear: we don’t know if the files are legit. Microsoft didn’t respond to The Register‘s request for comment, and ransomware gangs aren’t always the most trustworthy sources of information.

“At this point, it’s unclear whether the data is what it’s claimed to be,” Emsisoft’s Callow told The Register. “Also unclear is whether there’s any connection between Medusa and Lapsus$ but, with hindsight, certain aspects of their modus operandi does have a somewhat Lapsus$ish feel.”

He’s referring to a March 2022 security breach in which Lapsus$ claimed it broke into Microsoft’s internal DevOps environment and stole, then leaked, about 37GB of information including what the extortionists claimed to be Bing and Cortana’s internal source code, and WebXT compliance engineering projects.

Microsoft later confirmed Lapsus$ had compromised its systems, and tried to downplay the intrusion by insisting “no customer code or data was involved in the observed activities.”

“Microsoft does not rely on the secrecy of code as a security measure and viewing source code does not lead to elevation of risk,” it added, which is a fair point. Software should be and can be made secure whether its source is private or open.

And Lapsus$, of course, is the possibly extinct extortion gang led by teenagers who went on a cybercrime spree last year before the arrest of its alleged ringleaders. Before that, however, it stole data from Nvidia, Samsung, Okta, and others.

It could be that Medusa is spreading around stuff that was already stolen and leaked.

Medusa — not to be confused with MedusaLocker, that’s a separate ransomware operation — made a name for itself earlier this year when it listed Minneapolis Public Schools among its victims. The criminals stole about 100GB of data, and demanded the school district pay a $1 million ransom before ultimately publishing the education system’s sensitive information.

But before dumping the data, the criminals posted a video showing them accessing staff and student files, which seemed to be a first for a ransomware gang pushing an extortion business. 

Medusa was the third most prolific ransomware gang in February following attacks on Minneapolis Public Schools and 17 other organizations that same month, according to the threat hunters at DarkFeed. ®

READ MORE HERE