Rewterz Threat Alert – MedusaLocker Ransomware – Active IOCs

Severity

High

Analysis Summary

A RaaS (Ransomware as a Service) variant dubbed MedusaLocker first surfaced in 2019. The majority of MedusaLocker ransomware threat actors acquire access to victim systems via vulnerable Remote Desktop Protocol (RDP) configurations. The threat actors also utilize email phishing and spam email campaigns as initial intrusion vectors, directly attaching the ransomware to the email. A batch file is used by the MedusaLocker ransomware to run the PowerShell script invoke-ReflectivePEInjection. By editing the EnableLinkedConnections setting in the infected system’s registry, this script spreads MedusaLocker over the network. The infected machine then detect attached networks and hosts through Internet Control Message Protocol (ICMP) and shared storage via Server Message Block (SMB) Protocol. 

MedusaLocker avoids executable files, most likely to prevent leaving the targeted machine inoperable until the ransom is paid. It employs AES and RSA-2048 encryption and apparently appends extensions such as .encrypted, .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, and .skynet.

MedusaLocker perpetrators insert a ransom note into the folders that contains a file holding the victim’s encrypted data. The message explains how to contact the MedusaLocker threat actors, usually by providing victims with one or more email addresses. The magnitude of MedusaLocker ransom demands appears to fluctuate according to the actors’ perception of the victim’s financial situation or status.

Impact

• Files Encryption

Indicators of Compromise

MD5

• bb442cfc088a89e0c353ed20fb8cbf8b
• 4660887b36d65e42b7d71d5e18187dfe
• 55c4883494e8846ca0f66f20973aee0e
• 1a018c68582e13d7f51aa58f87e2ed50
• 7212675ad49b5134c6dc7509669b1526

SHA-256

• f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6
• 05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873
• 8e797fff8fae9afb216b81ae341aac9f05f419061075b0f6ce4c0c7a67f458a4
• 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7
• fb1fc5323853e3289c41b4df3851cda88462ce954c2b9c7102c5a363dfa8166d

SHA-1

• 1477ae595f2fb3cf7ffdee788b748db253236d0c
• 49ad1eecb9bbb8d736833006685b8c2c1300115b
• 0ac359313afbce0bd5a02a02e55a0c7f1004ee82
• 9568f4a2959eda46af35c5d18c190f0d85047ac3
• 4a664c194075afc720ec7ec04b9393054782bd11

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Enable two-factor authentication.
• Implement network segmentation and keep offline backups of data to guarantee minimal downtime for the organization.
• Updates for operating systems, applications, and firmware should be installed as soon as possible.
• Check the active directories, servers, workstations, and domain controllers for new or unfamiliar accounts.
• To create safe distant connections, consider installing and utilizing a virtual private network (VPN).