Researchers at Censys reported finding servers roped into the MedusaLocker crime network by scanning for tools used by pen testers.

Censys announced Thursday it mapped several servers that were roped into the MedusaLocker criminal network as either proxies or ransomware victims using an interesting technique: scanning the internet for common red-teaming tools.

In late June, the company produced a report looking at the prevalence of the top 1,000 software products exposed on the 7.4 million servers it regularly scans in Russia. Nine servers had the pen testing tool Metasploit, which is often used in attacks, and of those, one hosted several other pen testing tools used in attacks, including Acunetix, Posh, and Deimos. Given that only a single server had the collection, Censys believed there was a good chance that it was not a cocktail being administered by a pen testing company. Using the certificates and JARM fingerprints from the Russian server, as well as current and historical data from internet scans, Censys was able to map out consistent overlap with indicators of the MedusaLocker campaign around the world.

"A lot of scanning is looked at as being right of bang, so to speak — it takes place after events occurred. This is kind of the other way around, something we can leverage to be proactive," said Matt Lembright, a researcher with Censys.

Censys researchers believe the data they found includes the certificates and fingerprints as well as other indicators of attack, such as software used to turn breached computers into proxies to mask attacks and pathways used to funnel cryptocurrency.

While internet scans provide evidence that a computer exists, they provide no means to contact its owner. Censys is working with the FBI to deanonymize potential victims to allow them to remediate. The company spotted U.S. victims in Virginia, Ohio, New Jersey and California, as well as global victims as far away as Taiwan, China and the Netherlands.

"I think we'll be able to discover more campaigns this way," said Lembright. "For these hosts to do what they're doing, they have to be on the internet, they have to be available, they have to be ready for a callback or ready to communicate with their hosts."
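The pivot described above, selecting a seed host that exposes several pen testing tools at once and then walking shared certificate and JARM values outward to find related infrastructure, as an added example that is not Censys's code or data. Every host, certificate fingerprint and JARM value below is a constructed placeholder, and the tool names are matched only as plain strings.

```python
from collections import defaultdict

# Constructed scan records standing in for the per-host data the article describes:
# exposed software, leaf-certificate SHA-256 and JARM hash. Nothing here is a real indicator.
SCAN_RECORDS = [
    {"host": "198.51.100.10", "country": "RU",
     "software": ["metasploit", "acunetix", "posh", "deimos"],
     "cert_sha256": "cert-A", "jarm": "jarm-1"},                 # the one-in-nine seed
    {"host": "198.51.100.11", "country": "RU", "software": ["metasploit"],
     "cert_sha256": "cert-B", "jarm": "jarm-2"},                 # Metasploit alone: not a seed
    {"host": "203.0.113.5", "country": "US", "software": ["nginx"],
     "cert_sha256": "cert-A", "jarm": "jarm-3"},                 # shares the seed's certificate
    {"host": "203.0.113.6", "country": "NL", "software": ["openssh"],
     "cert_sha256": "cert-C", "jarm": "jarm-1"},                 # shares the seed's JARM
    {"host": "203.0.113.7", "country": "TW", "software": ["nginx"],
     "cert_sha256": "cert-C", "jarm": "jarm-4"},                 # second hop via cert-C
    {"host": "203.0.113.8", "country": "US", "software": ["apache"],
     "cert_sha256": "cert-D", "jarm": "jarm-5"},                 # unrelated
]

PENTEST_TOOLS = {"metasploit", "acunetix", "posh", "deimos"}


def seed_hosts(records, min_tools=3):
    """Hosts exposing several pen testing tools at once: the unusual cocktail worth pivoting on."""
    return [r["host"] for r in records
            if len(PENTEST_TOOLS & set(r["software"])) >= min_tools]


def pivot_cluster(records, seed, keys=("cert_sha256", "jarm")):
    """Breadth-first walk over shared certificate / JARM values starting at the seed.

    Returns {host: reason}. The reason records which value linked each host, because a
    JARM match alone is weak evidence (many benign servers share a TLS stack) while a
    shared leaf certificate is strong; an analyst should weigh the two differently.
    """
    index = {r["host"]: r for r in records}
    by_value = defaultdict(set)
    for r in records:
        for k in keys:
            by_value[(k, r[k])].add(r["host"])
    cluster, frontier = {seed: "seed"}, [seed]
    while frontier:
        h = frontier.pop()
        for k in keys:
            for other in sorted(by_value[(k, index[h][k])] - set(cluster)):
                cluster[other] = f"{k}={index[h][k]} shared with {h}"
                frontier.append(other)
    return cluster
```

Run over the sample records, the walk links three of the five non-Russian hosts to the seed and leaves the Metasploit-only host and the unrelated host out.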
Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.