Under Attack? Contact Us Start a Free Demo

MedusaLocker Ransomware-As-A-Service (RAAS) Explained

What is MedusaLocker Ransomware?

MedusaLocker is a RaaS (Ransomware as a Service) variant that was first discovered in 2019 and has taken over the world. To increase the effectiveness of the encryption, MedusaLocker ransomware removes volume shadow copies and disables system services to encrypt data using AES-256 encryption.

The MedusaLocker ransomware is typical ransomware that encrypts its victim’s data and demands ransom for the decryption key. The MedusaLocker malware threat doesn’t seem to have resulted in any data exfiltration, though it does threaten victims with releasing sensitive data.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) has released a joint advisorystating that “MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. The MedusaLocker actors encrypt the victim’s data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to transfer ransomware payments to a specific Bitcoin wallet address.”.

MedusaLocker Ransomware – Mitre Attack TTPs

MedusaLocker actors use the ATT&CK techniques listed in Table 1.

Initial
Access

Technique Title

ID

Use

External Remote Services

T1133

MedusaLocker actors gained access to
victim devices through vulnerable RDP configurations.

Phishing

T1566

MedusaLocker actors used phishing and
spearphishing to obtain access to victims’ networks.

Valid Accounts

T1078

Threat actors use brute-force password
guessing for RDP services. The revealed password allows the attacker to gain
initial access to the victim’s network.

Execution

Technique Title

ID

Use

Command and Scripting Interpreter:
PowerShell

T1059.001

MedusaLocker actors may abuse
PowerShell commands and scripts for execution.

Windows Management Instrumentation

T1047

MedusaLocker uses Windows Management
Instrumentation command-line utility (wmic) to delete volume shadow copies to
prevent victims from recovering their encrypted data.

Persistence

Technique Title

ID

Use

Boot or Logon Autostart Execution:
Registry Run Keys / Startup Folder

T1547

MedusaLocker establishes persistence
and executes the ransomware at system startup by adding the following
registry entry.

Privilege Escalation

Technique Title

ID

Use

Abuse Elevation Control Mechanism
Bypass UAC

T1548.002

MedusaLocker ransomware uses the
built-in Windows tool called Microsoft Connection Manager Profile Installer
(cmstp.exe) to bypass User Account Control (UAC) and runs arbitrary commands
with elevated privileges.

Valid Accounts

T1078

Threat actors use brute-force password
guessing for RDP services. If the guessed password belongs to the domain
administrator, they can execute commands with elevated privileges.

Defense Evasion

Technique Title

ID

Use

Impair Defenses: Disable or Modify
Tools

T1562.001

MedusaLocker disables security products
such as antivirus to avoid being detected.

Impair Defenses: Safe Mode Boot

T1562.009

MedusaLocker actors may abuse Windows
safe mode to disable endpoint defenses. Safe mode starts up the Windows
operating system with a limited set of drivers and services.

Credential Access

Technique Title

ID

Use

Brute Force

T1110

Threat actors use brute-force password
guessing for RDP services.

Discovery

Technique Title

ID

Use

File and Directory Discovery

T1083

MedusaLocker searches for files and
directories in the victim’s computer. After discovery, the ransomware starts
to encrypt all files and directories

 

Network Share Discovery

T1135

MedusaLocker searches for shared files
in the network. The shared files also indicate that there might be other
hosts in the network that can be moved to laterally.

Query Registry

T1012

MedusaLocker searches the registry hive
to learn about security products deployed in the victim’s network.

Lateral Movement

Technique Title

ID

Use

Remote Services

T1021

MedusaLocker ransomware uses remote
services to infect other hosts in the victim’s network. Threat actors use
RDP, PsExec, and SMB to spread the ransomware payload.

Command and Control

Technique Title

ID

Use

Ingress Tool Transfer

T1105

MedusaLocker uses certutil.exe to
transfer files from its command and control server to the victim’s network.

Impact

Technique Title

ID

Use

Data Encrypted for Impact

T1486

MedusaLocker actors encrypt data on
target systems or on large numbers of systems in a network to interrupt
availability to system and network resources.

Inhibit System Recovery

T1490

MedusaLocker actors may deny access to
operating systems containing features that can help fix corrupted systems,
such as backup catalog, volume shadow copies, and automatic repair.

Table 1: MedusaLocker Actors ATT&CK Techniques for Enterprise

How to Stop MedusaLocker Ransomware from Spreading?

You can stop MedusaLocker ransomware from spreading by isolating the infected devices from the rest of your network. Disconnecting the device will help stop the ransomware from encrypting files on other devices. Once devices are isolated, you can start scanning with antivirus software to remove the malware and any potential back doors that have been left behind.

How to Detect and Prevent MedusaLocker Ransomware Attack?

Cyber security threats and ransomware attacks are increasing at a tremendous pace. It is extremely difficult for cyber security analysts and incident responders to investigate and detect cyber security threats using conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.

Want to try our ThreatResponder, cutting-edge Endpoint Detection & Response (EDR), and ThreatResponder FORENSICS, the Swiss knife for forensic investigators in action? Click on the below button to request a free demo of our NetSecurity’s ThreatResponder platform.


Disclaimer

The page’s content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that the contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation/misuse/unauthorized use of this content “as is” or “modified” shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).