The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) have recently released a Cyber Security Advisory AA22-1812A to provide updated information on MedusaLocker ransomware.
This advisory is part of the Government’s efforts to document ransomware threat actors and the ransomware variants in use. The #StopRansomware alerts and advisories include the tactics, techniques, and procedures as observed and documented by defenders. Further, the indicators of compromise (IOCs) associated with MedusaLocker ransomware have also been documented.
The MedusaLocker threat actors have relied on the exploitation of vulnerabilities in the Remote Desktop Protocol (RDP) in order to access targeted networks. RDP is a network communications protocol which enables network administrators to remotely diagnose user problems. It allows remote administrators to access the physical desktop computers of any user, wherever they may be located. RDP clients are available for Windows, macOS, Apple iOS, Linux, Unix, and Android. The use of RDP as a popular attack vector is further documented within MITRE ATT&CK technique T1133.
Spam email that delivers MedusaLocker malware are also part of the mix. In some cases, the ransomware uses email as the initial attack vector. This is further documented in MITRE ATT&CK technique T1566.
The MedusaLocker threat actors encrypt the target victim’s data. Once completely encrypted, the threat actors leave a ransom note with explicit communication instructions. These instructions can be found within every folder which contains one or more encrypted files. The extortion note directs victims to provide ransomware payments, which must be made to a specific Bitcoin wallet address. The note outlines exactly how to communicate with the MedusaLocker threat actors, typically providing victims one or more email addresses to reach the threat actor.
MedusaLocker is distributed and operated as part of a Ransomware-as-a-Service (RaaS) model. The threat actors that author the MedusaLocker ransomware make the software available to business partners (affiliates), who, in turn, utilize the MedusaLocker malware to hold the targeted victim’s software hostage. The goal is extortion and the theft of funds. In a RaaS Model, all the criminal parties involved share a portion of the ransom payment. Per the Cybersecurity advisory, MedusaLocker ransomware payments appear to be shared between the affiliates, who receives approximately 55 to 60 percent of the ransom, and the developer, who receives the rest. The size of MedusaLocker ransom demands appear to vary based upon the victim’s financial status as determined by the threat actors.
Threat actors, like MedusaLocker, often utilize PowerShell commands and scripts for execution. PowerShell features include an interactive command-line interface and scripting environment—all of this is included in the standard releases of the Windows operating system. Threat actors can then utilize PowerShell to initiate and complete many different actions. This might include the discovery of information, the execution of code, or the exfiltration of data.
MedusaLocker ransomware uses a batch file to execute PowerShell script invoke-ReflectivePEInjection, which is documented in MITRE ATT&CK technique T1059.001. This script propagates MedusaLocker throughout the network by editing the EnableLinkedConnections value within the infected machine’s registry. This then allows the infected machine to detect attached hosts and networks via Internet Control Message Protocol (ICMP) and to detect shared storage via Server Message Block (SMB) Protocol.
MedusaLocker ransomware will then restart the LanmanWorkstation service, which allows registry edits to take effect. Then MedusaLocker kills the processes of any well-known forensic, security, or accounting software. Once this is completed, MedusaLocker can restart the machine in safe mode to avoid detection by any security software (see MITRE ATT&CK techniqueT1562.009).
MedusaLocker will then encrypt the victim’s files with the AES-256 encryption algorithm. The resulting key is then encrypted with an RSA-2048 public key (see MITRE ATT&CK technique T1486).
It is important to note that MedusaLocker runs about once a minute and encrypts all files except those absolutely critical to the operation of the victim’s machine or those that have the designated encrypted file extension. Persistence is essential for malware. This is accomplished by MedusaLocker by copying a svhost.exe or svhostt.exe to the %APPDATA%Roaming directory. Then a task is scheduled to run the ransomware every 15 minutes. MedusaLocker then thwarts typical recovery techniques by deleting all local backups, disabling available startup recovery options, and finally deleting shadow copies (see MITRE ATT&CK technique T1490).
Here are the Top 3 best practices to stay vigilant and protect your organization from MedusaLocker:
- Use and enforce multi-factor authentication (MFA).
- Use the National Institute of Standards standards for password policies.
- Consider installing and using a virtual private network to establish secure remote connections.
Bonus tip: Implement a broad cybersecurity awareness and training program for your employees to build awareness on how to minimize risks associated with ransomware, phishing scams, and other cybersecurity risks and vulnerabilities.
To learn more about MedusaLocker, and see the detailed data on the IOCs, typical ransom note filenames, payment wallets, and the multitude of email and TOR addresses used, and suggested mitigations, please refer to the original Cybersecurity Advisory here.