FBI and CISA warn about MedusaLocker ransomware

B2B Cyber Security ShortNews


The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury and the Financial Crimes Enforcement Network (FinCEN) have issued a joint advisory on MedusaLocker ransomware. MedusaLocker actors, observed as recently as May 2022, predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to gain access to victims' networks.

The MedusaLocker actors encrypt the victim's data and leave a ransom note with communication instructions in every folder that contains encrypted files. The note directs victims to pay to a specific Bitcoin wallet address. Based on the observed split of ransom payments, MedusaLocker appears to operate under a ransomware-as-a-service (RaaS) model.

Ransomware-as-a-Service

Typical RaaS models involve the ransomware developer and various affiliates that deploy the ransomware on victim systems. MedusaLocker ransom payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom, and the developer, who receives the remainder.

Technical details

MedusaLocker ransomware actors most often gain access to victim devices through vulnerable Remote Desktop Protocol (RDP) configurations. Actors also frequently use email phishing and spam campaigns, attaching the ransomware directly to the email, as initial intrusion vectors.

MedusaLocker ransomware uses a batch file to execute the PowerShell script invoke-ReflectivePEInjection [T1059.001]. This script propagates MedusaLocker throughout the network by editing the EnableLinkedConnections value in the infected machine's registry, which then allows the infected machine to detect attached hosts and networks via the Internet Control Message Protocol (ICMP) and to detect shared storage via the Server Message Block (SMB) protocol. (EnableLinkedConnections lives under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; setting it to 1 makes drives mapped under a user's standard token visible to that user's elevated token, so an elevated process can reach the mapped network shares.)

MedusaLocker then:

  • Restarts the LanmanWorkstation service, which allows the registry edits to take effect.
  • Kills the processes of well-known security, accounting and forensic software.
  • Restarts the machine in safe mode to avoid detection by security software [T1562.009].
  • Encrypts victim files with the AES-256 encryption algorithm; the resulting key is then encrypted with an RSA-2048 public key [T1486].
  • Runs every 60 seconds, encrypting all files except those critical to the functionality of the victim's machine and those that already carry the designated encrypted file extension.
  • Establishes persistence by copying an executable (svhost.exe or svhostt.exe) to the %APPDATA%\Roaming directory and scheduling a task to run the ransomware every 15 minutes.
  • Attempts to prevent standard recovery techniques by deleting local backups, disabling startup recovery options, and deleting shadow copies [T1490].
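The registry edit, service restart and post-access chain above map onto a small set of host telemetry checks. What follows is an added example, not code from the advisory or from this article: a Python hunt over Sysmon-style process-creation (event ID 1) and registry-value-set (event ID 13) records. The sample events are constructed. The advisory names outcomes (safe-mode reboot, shadow copies and local backups deleted, startup recovery disabled, a 15-minute task) rather than commands, so the specific command lines the rules look for (bcdedit safeboot, vssadmin delete shadows, bcdedit recoveryenabled no, wbadmin delete catalog, schtasks /create with /mo 15) are assumptions about the usual way each outcome is produced.

```python
"""Added example: hunt for the MedusaLocker post-access behaviours in
Sysmon-style telemetry (event ID 1 = process create, event ID 13 =
registry value set). Sample events below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int            # 1 = process create, 13 = registry value set
    image: str = ""          # full path of the process
    command_line: str = ""   # process command line (event ID 1)
    target_object: str = ""  # registry path (event ID 13)
    details: str = ""        # new registry value, Sysmon style, e.g. "DWORD (0x00000001)"


# Registry value the advisory says the PowerShell stage edits; the key path is
# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
ENABLE_LINKED = re.compile(r"\\Policies\\System\\EnableLinkedConnections$", re.I)

# Lookalike persistence binaries named in the advisory, dropped under
# %APPDATA%\Roaming. The legitimate svchost.exe loads from System32.
PERSIST_BIN = re.compile(r"\\AppData\\Roaming\\svhostt?\.exe", re.I)

# Assumed command lines for the outcomes the advisory lists (it names the
# outcomes, not the commands). LanmanWorkstation restarts alone are weak
# evidence; correlate them with the registry hit.
CMD_RULES = {
    "lanman_restart":    re.compile(r"\b(net|sc)(\.exe)?\s+(stop|start)\s+LanmanWorkstation\b", re.I),
    "safe_mode":         re.compile(r"bcdedit.*\bsafeboot\b", re.I),                                # T1562.009
    "shadow_delete":     re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I),  # T1490
    "recovery_disabled": re.compile(r"bcdedit.*recoveryenabled\s+no", re.I),                        # T1490
    "backup_catalog":    re.compile(r"wbadmin.*delete\s+catalog", re.I),                            # T1490
}


def is_persistence_task(cmd: str) -> bool:
    """schtasks /create with a 15-minute interval pointing at the dropped binary."""
    c = cmd.lower()
    return all((
        "schtasks" in c,
        "/create" in c,
        re.search(r"/sc\s+minute\b", c) is not None,
        re.search(r"/mo\s+15\b", c) is not None,
        PERSIST_BIN.search(c) is not None,
    ))


def check_event(ev: Event) -> list[str]:
    """Return the rule keys an event triggers (empty list = nothing suspicious)."""
    hits: list[str] = []
    if ev.event_id == 13 and ENABLE_LINKED.search(ev.target_object):
        if ev.details.upper().endswith("(0X00000001)"):   # value set to 1
            hits.append("linked_connections")
    elif ev.event_id == 1:
        if PERSIST_BIN.search(ev.image):
            hits.append("persist_binary")
        if is_persistence_task(ev.command_line):
            hits.append("persist_task")
        hits += [key for key, pat in CMD_RULES.items() if pat.search(ev.command_line)]
    return hits


def hunt(events: list[Event]) -> list[tuple[int, str]]:
    """(event index, rule key) for every hit, in event order."""
    return [(i, key) for i, ev in enumerate(events) for key in check_event(ev)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYS32 = r"C:\Windows\System32"
# Constructed sample telemetry in the order the advisory describes the chain;
# the last two records are benign controls and must produce no hits.
SAMPLE_EVENTS = [
    Event(13, PS, target_object=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections",
          details="DWORD (0x00000001)"),
    Event(1, SYS32 + r"\net.exe", "net stop LanmanWorkstation"),
    Event(1, SYS32 + r"\net.exe", "net start LanmanWorkstation"),
    Event(1, SYS32 + r"\bcdedit.exe", "bcdedit /set {default} safeboot network"),
    Event(1, SYS32 + r"\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    Event(1, SYS32 + r"\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    Event(1, SYS32 + r"\schtasks.exe",
          r'schtasks /create /sc minute /mo 15 /tn svhost /tr "C:\Users\alice\AppData\Roaming\svhostt.exe"'),
    Event(1, r"C:\Users\alice\AppData\Roaming\svhostt.exe", r"C:\Users\alice\AppData\Roaming\svhostt.exe"),
    Event(1, SYS32 + r"\svchost.exe", "svchost.exe -k netsvcs"),                               # benign
    Event(13, PS, target_object=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
          details="DWORD (0x00000001)"),                                                        # benign
]

if __name__ == "__main__":
    for idx, key in hunt(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"event {idx}: {key:18} {ev.command_line or ev.target_object}")
```

Run it directly to list the hits against the constructed records; in practice feed it exported Sysmon or EDR records with the same fields. The svhost/svhostt rule keys on the AppData\Roaming path rather than on the file name alone, because the genuine svchost.exe runs from System32, and the EnableLinkedConnections rule only fires when the value is actually set to 1, so a GPO that resets it to 0 does not raise noise.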
More at CISA.gov

