Several US federal agencies have spotlighted MedusaLocker, a ransomware operation that drew attention by hitting healthcare organizations during the pandemic.
MedusaLocker came into existence in 2019 and has been an issue ever since, ramping up activity during the early stages of the pandemic to maximize profits.
While MedusaLocker is not as prolific today as the Conti and LockBit RaaS operations, it caused plenty of damage and was one of the threats behind Microsoft's warning to healthcare providers to patch VPN endpoints and securely configure Remote Desktop Protocol (RDP).
In Q1 2020, MedusaLocker was one of the top ransomware payloads, alongside RobbinHood, Maze, PonyFinal, Valet loader, REvil, RagnarLocker, and LockBit, according to Microsoft.
As of May 2022, MedusaLocker actors have been observed primarily exploiting vulnerable RDP configurations to access victims' networks, according to a new joint Cybersecurity Advisory (CSA) from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury and the Financial Crimes Enforcement Network (FinCEN).
The advisory is part of CISA's #StopRansomware collection of ransomware resources.
“MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the perceived distribution of ransom payments,” notes the CSA.
RaaS models combine the efforts of the ransomware developer with several affiliates, such as initial access brokers and the actors who actually deploy the ransomware on victims' systems.
MedusaLocker ransom payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom, and the developer, who receives the rest.
On a technical level, once MedusaLocker actors have initial access, they use a PowerShell script to propagate the ransomware through the network: it edits the infected machine's registry so that the machine can detect attached hosts and networks, then uses the SMB file-sharing protocol to find shared storage.
According to the CSA, MedusaLocker actors place a ransom note in every folder that contains a file they have encrypted.
The main actions of MedusaLocker after distribution across a network are:
- Restarts the LanmanWorkstation service so that the registry edits take effect
- Kills the processes of well-known security, accounting and forensics software
- Reboots the machine in safe mode to avoid detection by security software
- Encrypts victim files with AES-256; the AES key is then encrypted with an RSA-2048 public key
- Runs every 60 seconds, encrypting all files except those essential to the functionality of the victim's machine and those already carrying the designated encrypted-file extension
- Ensures persistence by scheduling a task that runs the ransomware every 15 minutes
- Attempts to defeat standard recovery techniques by deleting local backups, disabling boot recovery options, and deleting shadow copies
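The last three behaviours in that list (a recurring scheduled task, deleted backups and shadow copies, disabled boot recovery), together with the LanmanWorkstation restart and the safe-mode reboot, leave a recognisable trail in process-creation telemetry. The script below is an added example, not code from the advisory or the article: it correlates those behaviours per host over process-creation log lines in a constructed format (timestamp, host, user, command line; the sample lines, host names, task name and file paths are made up for the example). The command lines it matches (vssadmin, wmic, wbadmin, bcdedit, schtasks, net/sc stop LanmanWorkstation) are the standard Windows built-ins that produce the listed effects and are an assumption about how such an intrusion looks in logs, not commands quoted from the advisory.

```python
"""Added example: correlate ransomware recovery-inhibition and persistence
behaviours per host from process-creation log lines.

Not code from the CISA advisory or the article. The log format and the
sample lines are constructed for this example; the command lines matched are
the standard Windows built-ins that produce the listed effects, assumed here
rather than quoted from the advisory."""
import re
from typing import Dict, Iterable, List, Optional, Set

# Constructed log format: "<timestamp> host=<name> user=<name> cmd=<command line>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.+)$"
)

# Behaviour name -> regex over the command line (case-insensitive).
RULES = {
    # deletes volume shadow copies (two common ways to do it)
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows|\bwmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    # removes the local backup catalog / system state backups
    "backup_catalog_deletion": re.compile(
        r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)", re.I),
    # turns off Windows boot recovery
    "boot_recovery_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    # configures the next boot into safe mode
    "safe_mode_boot_set": re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I),
    # creates a minute-interval scheduled task; the interval is captured for reporting
    "recurring_scheduled_task": re.compile(
        r"\bschtasks(?:\.exe)?\s+/create\b.*?/sc\s+minute\b.*?/mo\s+(?P<interval>\d+)", re.I),
    # stops or starts the workstation service
    "lanmanworkstation_restart": re.compile(
        r"\b(?:net|sc)(?:\.exe)?\s+(?:stop|start)\s+lanmanworkstation\b", re.I),
}

# Constructed sample telemetry: WS01 shows the full chain, FS02 only a single
# shadow-copy deletion (which on its own may be routine administration).
SAMPLE_LOG = """\
2022-06-30T01:02:03Z host=WS01 user=CORP\\svc_backup cmd=vssadmin.exe delete shadows /all /quiet
2022-06-30T01:02:04Z host=WS01 user=CORP\\svc_backup cmd=bcdedit.exe /set {default} recoveryenabled no
2022-06-30T01:02:05Z host=WS01 user=CORP\\svc_backup cmd=schtasks.exe /create /sc minute /mo 15 /tn "Update" /tr C:\\Users\\Public\\update.exe
2022-06-30T01:02:06Z host=WS01 user=CORP\\svc_backup cmd=net stop LanmanWorkstation
2022-06-30T01:05:00Z host=FS02 user=CORP\\admin cmd=vssadmin.exe delete shadows /for=C: /oldest
2022-06-30T01:06:00Z host=FS02 user=CORP\\admin cmd=notepad.exe C:\\temp\\notes.txt
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into its fields, or None if it is malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def match_rules(cmd: str) -> List[str]:
    """Names of every behaviour rule that fires on this command line."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def scheduled_task_interval(cmd: str) -> Optional[int]:
    """Minute interval of a recurring schtasks creation, or None if not one."""
    m = RULES["recurring_scheduled_task"].search(cmd)
    return int(m.group("interval")) if m else None


def analyze(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each host to the set of distinct behaviours seen on it."""
    findings: Dict[str, Set[str]] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the detector
        for name in match_rules(rec["cmd"]):
            findings.setdefault(rec["host"], set()).add(name)
    return findings


def suspicious_hosts(findings: Dict[str, Set[str]], threshold: int = 2) -> List[str]:
    """Hosts showing at least `threshold` distinct behaviours, sorted by name."""
    return sorted(host for host, names in findings.items() if len(names) >= threshold)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG.splitlines())
    for host in suspicious_hosts(found):
        print(f"{host}: {', '.join(sorted(found[host]))}")
```

The correlation threshold is the important design choice: a lone shadow-copy deletion is routine on a backup server, but two or more of these behaviours on one host within minutes rarely are, which is why FS02 in the sample is not flagged while WS01 is. In a real deployment the lines would come from Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled, and the 15-minute interval reported by `scheduled_task_interval` is worth surfacing on its own, since legitimate tasks seldom re-run that often from a user-writable path.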
You can protect against these attacks. Mitigations recommended by the agencies include:
- Implement a recovery plan that maintains and stores multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location
- Implement network segmentation and maintain offline data backups
- Back up data regularly and password-protect backups stored offline. Ensure copies of critical data cannot be modified or deleted from the system where the data resides