Role of Leak Sites in Ransomware Operations

In this episode of the Microsoft Threat Intelligence Podcast, host⁠ ⁠⁠Sherrod DeGrippo is joined by Tori Murphy, Anna Seitz, and Chuong Dong to break down two threats: the modular backdoor PipeMagic and Medusa ransomware. They discuss how PipeMagic disguises itself as a ChatGPT desktop app to deliver malware, its sophisticated modular design, and what defenders can do to detect it.  

The team also explores Medusa’s evolution into a ransomware-as-a-service model, its use of double extortion tactics, and the broader threat landscape shaped by ransomware groups, social engineering, and the abuse of legitimate tools.  

In this episode you’ll learn:      

• Why modular malware is harder to detect and defend against 

• How attackers abuse vulnerable drivers to disable security tools 

• Why leak sites play a central role in ransomware operations 

Some questions we ask:     

• How did Microsoft researchers uncover PipeMagic in the wild? 

• Why do ransomware groups often borrow names and themes from mythology? 

• What initial access techniques are commonly associated with Medusa attacks? 

Resources:  

View Anna Seitz on LinkedIn 

View Chuong Dong on LinkedIn   

View Sherrod DeGrippo on LinkedIn  

Related Microsoft Podcasts:                   

• Afternoon Cyber Tea with Ann Johnson 

• The BlueHat Podcast 

• Uncovering Hidden Risks     

Discover and follow other Microsoft podcasts at microsoft.com/podcasts  

Get the latest threat intelligence insights and guidance at Microsoft Security Insider 

The Microsoft Threat Intelligence Podcast is produced by Microsoft and distributed as part of N2K media network.