Numerous US law enforcement agencies have focused their attention on MedusaLocker, a ransomware group that ramped up during the pandemic by targeting healthcare organizations and other industries. First observed in 2019, MedusaLocker escalated its activity during the early months of the pandemic to boost revenues. It was one of the threats that prompted Microsoft to advise healthcare operators to patch VPN endpoints and configure Remote Desktop Protocol (RDP) securely, even though it is currently less widespread than the Conti and LockBit networks. MedusaLocker, Maze, PonyFinal, Valet loader, REvil, RagnarLocker, and LockBit were among the top ransomware payloads in the first quarter of 2020.
A new joint cybersecurity advisory (CSA) from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) states that MedusaLocker has primarily been exploiting vulnerable RDP configurations to access victims' networks. The group also uses phishing and spam email campaigns for initial access. MedusaLocker operates under a Ransomware-as-a-Service (RaaS) model with split ransom payments: the ransomware developers work with affiliates, including access brokers who obtain initial access and other threat actors who deploy the ransomware on victims' systems. Ransom payments are split between the affiliate, who receives 55 to 60% of the ransom, and the developers, who receive the rest.
Once the threat actors gain initial access, MedusaLocker deploys a PowerShell script, Invoke-ReflectivePEInjection, to spread the ransomware throughout the network. It modifies the machine's registry to locate attached hosts and networks, and uses the SMB file-sharing protocol to find attached storage. MedusaLocker operators and affiliated threat actors place a ransom note in every folder containing a file with the victim's encrypted data. The note provides email addresses for contacting the threat actors, along with instructions for paying the ransom to a specified Bitcoin wallet.
Key actions MedusaLocker takes after spreading throughout the network include:
- Restarts the LanmanWorkstation service so that its registry changes take effect.
- Kills the processes of well-known forensic, accounting, and security software.
- Restarts the machine in safe mode to avoid detection by security software.
- Encrypts victims' files with the AES-256 algorithm; the generated key is then encrypted with an RSA-2048 public key.
- Runs every 60 seconds, encrypting all files except those critical to the victim machine's functionality and those already carrying the designated encrypted-file extension.
- Schedules a task to run the ransomware every 15 minutes, establishing persistence.
- Deletes local backups, limits startup recovery options, and deletes shadow copies to prevent standard recovery techniques.
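As an added defender-side example (not code from the advisory or from SpearTip), the behaviours listed above can be mapped to simple process-creation detections that correlate hits per host; the log records, host names, rule names and the 15-minute threshold are constructed for illustration:

```python
import re
from collections import defaultdict

# Constructed, simplified process-creation records (Sysmon Event ID 1 / Windows 4688 style).
# These are illustrative samples, not real telemetry from any incident.
SAMPLE_EVENTS = [
    {"host": "FS01", "cmdline": 'schtasks /create /sc minute /mo 15 /tn "svhost" /tr C:\\Users\\Public\\svhost.exe'},
    {"host": "FS01", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "FS01", "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "FS01", "cmdline": "net stop LanmanWorkstation"},
    {"host": "WS07", "cmdline": "powershell -nop -w hidden -c Invoke-ReflectivePEInjection -PEBytes $b"},
    {"host": "WS07", "cmdline": 'schtasks /create /sc daily /tn "Backup" /tr C:\\Tools\\backup.exe'},
    {"host": "DC01", "cmdline": "wbadmin get versions"},
]

# One rule per behaviour described in the advisory summary, keyed on the command line.
RULES = {
    "reflective_pe_injection": re.compile(r"Invoke-ReflectivePEInjection", re.I),
    "lanmanworkstation_restart": re.compile(r"\bnet\d?\s+(stop|start)\s+LanmanWorkstation\b", re.I),
    "shadow_copy_deletion": re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I),
    "recovery_disabled": re.compile(r"bcdedit.*recoveryenabled\s+no", re.I),
    "short_interval_task": re.compile(r"schtasks.*/create.*/sc\s+minute.*/mo\s+(\d+)", re.I),
}
MAX_INTERVAL_MIN = 15  # the advisory's 15-minute task; shorter intervals are flagged as well

def match_rules(cmdline):
    """Return the names of every rule that fires on a single command line."""
    hits = []
    for name, pattern in RULES.items():
        m = pattern.search(cmdline)
        if not m:
            continue
        # A minute-based task is only suspicious when its interval is short.
        if name == "short_interval_task" and int(m.group(1)) > MAX_INTERVAL_MIN:
            continue
        hits.append(name)
    return hits

def detect(events):
    """Group rule hits per host so a chain of behaviours stands out over single noisy events."""
    per_host = defaultdict(set)
    for ev in events:
        for name in match_rules(ev["cmdline"]):
            per_host[ev["host"]].add(name)
    return {host: sorted(hits) for host, hits in per_host.items()}

def hosts_to_escalate(events, min_distinct=2):
    """Hosts showing at least min_distinct behaviours warrant isolation and IR, not just an alert."""
    return sorted(h for h, hits in detect(events).items() if len(hits) >= min_distinct)

if __name__ == "__main__":
    for host, hits in detect(SAMPLE_EVENTS).items():
        print(host, hits)
    print("escalate:", hosts_to_escalate(SAMPLE_EVENTS))
```

In a real deployment the same rules would run over EDR or SIEM process-creation telemetry, and the per-host correlation is what separates a ransomware staging sequence from an administrator's one-off command.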
With more ransomware groups targeting organizations through RDP vulnerabilities, it is critical for companies to maintain multiple copies of sensitive data in a separate physical location. Backup copies should also be kept offline and password protected, so that they cannot be modified or deleted from the systems they protect. At SpearTip, our advisory services allow our engineers to engage companies' people, processes, and technology to measure the maturity of the technical environment. By comparing technology with internal personnel, we discover the blind spots that can lead to compromises, going beyond a simple compliance framework. Our ShadowSpear Platform evaluates the effectiveness of companies' current technical controls and allows our Security Operations Center to hunt for advanced ransomware and advanced persistent threats.
If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.