
Rewterz Threat Alert – MedusaLocker Ransomware – Active IOCs

December 21, 2022

Severity

High

Analysis Summary

A RaaS (Ransomware as a Service) variant dubbed MedusaLocker first surfaced in 2019. The majority of MedusaLocker ransomware threat actors acquire access to victim systems via vulnerable Remote Desktop Protocol (RDP) configurations. The threat actors also utilize email phishing and spam email campaigns as initial intrusion vectors, directly attaching the ransomware to the email. A batch file is used by the MedusaLocker ransomware to run the PowerShell script invoke-ReflectivePEInjection. By editing the EnableLinkedConnections setting in the infected system's registry, this script spreads MedusaLocker over the network. The infected machine then detects attached networks and hosts through Internet Control Message Protocol (ICMP) and shared storage via Server Message Block (SMB) Protocol.

MedusaLocker avoids executable files, most likely to prevent leaving the targeted machine inoperable until the ransom is paid. It employs AES and RSA-2048 encryption and apparently appends extensions such as .encrypted, .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, and .skynet.

MedusaLocker perpetrators insert a ransom note into every folder that contains a file holding the victim's encrypted data. The message explains how to contact the MedusaLocker threat actors, usually by providing victims with one or more email addresses. The magnitude of MedusaLocker ransom demands appears to fluctuate according to the actors' perception of the victim's financial situation or status.
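The registry change described above is a usable detection point: a process setting EnableLinkedConnections to 1 is rare in normal operation and rarer still when the writer is PowerShell. The following is an added example, not Rewterz's code, that runs a simple rule over Sysmon Event ID 13 (RegistryEvent, value set) records. The log lines are constructed for the example, flattened into a "key: value | key: value" form rather than the real XML, and the full registry path used for matching is the documented Windows location of the value, which the advisory itself does not spell out.

```python
"""Flag Sysmon Event ID 13 records that enable EnableLinkedConnections.

Added example for this advisory, not Rewterz's tooling. Assumes Sysmon-style
records flattened to "key: value | key: value" lines; the sample lines are
constructed, not captured from an incident. The full registry path is the
documented Windows location of the value (an assumption: the advisory only
names the value, not its key).
"""
import re
from typing import Dict, List, Optional

VALUE_NAME = "EnableLinkedConnections"
# Assumed full path of the value; matched case-insensitively by suffix.
EXPECTED_PATH_SUFFIX = "\\Policies\\System\\" + VALUE_NAME

# Constructed sample log lines: one PowerShell write enabling the value (the
# behaviour the advisory describes), one unrelated Run-key write, one process
# creation event, and one write that disables the value again.
SAMPLE_LOG = [
    "EventID: 13 | EventType: SetValue | "
    "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe | "
    "TargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections | "
    "Details: DWORD (0x00000001)",
    "EventID: 13 | EventType: SetValue | Image: C:\\Windows\\System32\\svchost.exe | "
    "TargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater | "
    "Details: C:\\Users\\example\\update.exe",
    "EventID: 1 | Image: C:\\Windows\\System32\\cmd.exe | CommandLine: cmd.exe /c run.bat",
    "EventID: 13 | EventType: SetValue | Image: C:\\Windows\\regedit.exe | "
    "TargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections | "
    "Details: DWORD (0x00000000)",
]


def parse_line(line: str) -> Dict[str, str]:
    """Split a flattened record into a field dictionary."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition(": ")
        if key:
            fields[key.strip()] = value.strip()
    return fields


def details_to_int(details: str) -> Optional[int]:
    """Extract the numeric payload of a Sysmon 'DWORD (0x...)' Details field."""
    match = re.search(r"0x([0-9A-Fa-f]+)", details)
    return int(match.group(1), 16) if match else None


def detect_linked_connections(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per record that sets EnableLinkedConnections to 1.

    Severity is raised to 'high' when the writing process is PowerShell,
    matching the script-driven change described in the advisory.
    """
    alerts: List[Dict[str, str]] = []
    for line in lines:
        event = parse_line(line)
        if event.get("EventID") != "13" or event.get("EventType") != "SetValue":
            continue
        target = event.get("TargetObject", "")
        if not target.lower().endswith(EXPECTED_PATH_SUFFIX.lower()):
            continue
        if details_to_int(event.get("Details", "")) != 1:
            continue  # only enabling the setting is interesting
        image = event.get("Image", "")
        severity = "high" if image.lower().endswith("powershell.exe") else "medium"
        alerts.append({"image": image, "target": target, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect_linked_connections(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['image']} set {alert['target']}")
```

Run against the constructed sample, the rule fires once, on the PowerShell write that sets the value to 1; the write that resets it to 0 and the unrelated Run-key change are ignored. A production rule would read the real Sysmon XML or a SIEM's parsed fields instead of the flattened lines used here.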

Impact

  • File Encryption

Indicators of Compromise

MD5

  • bb442cfc088a89e0c353ed20fb8cbf8b
  • 4660887b36d65e42b7d71d5e18187dfe
  • 55c4883494e8846ca0f66f20973aee0e
  • 1a018c68582e13d7f51aa58f87e2ed50
  • 7212675ad49b5134c6dc7509669b1526

SHA-256

  • f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6
  • 05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873
  • 8e797fff8fae9afb216b81ae341aac9f05f419061075b0f6ce4c0c7a67f458a4
  • 860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7
  • fb1fc5323853e3289c41b4df3851cda88462ce954c2b9c7102c5a363dfa8166d

SHA-1

  • 1477ae595f2fb3cf7ffdee788b748db253236d0c
  • 49ad1eecb9bbb8d736833006685b8c2c1300115b
  • 0ac359313afbce0bd5a02a02e55a0c7f1004ee82
  • 9568f4a2959eda46af35c5d18c190f0d85047ac3
  • 4a664c194075afc720ec7ec04b9393054782bd11

Remediation

  • Block all threat indicators at your respective controls.
  • Search for the indicators of compromise (IOCs) in your environment using your respective security controls.
  • Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
  • Along with network and system hardening, code hardening should be implemented within the organization so that its websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed code.
  • Enable two-factor authentication.
  • Implement network segmentation and keep offline backups of data to guarantee minimal downtime for the organization.
  • Updates for operating systems, applications, and firmware should be installed as soon as possible.
  • Check Active Directory, servers, workstations, and domain controllers for new or unfamiliar accounts.
  • To create secure remote connections, consider installing and using a virtual private network (VPN).
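For the "search for the indicators of compromise" step, the following is an added example (not Rewterz's tooling) of a small hash sweep: it walks a directory tree, computes MD5, SHA-1 and SHA-256 for every file in one pass, and reports any file whose digest appears in the advisory's IOC lists above. The hash set is copied from this advisory; the directory to scan is whatever the caller supplies on the command line. The test below constructs a throwaway file and adds its own hash to the set, since no file on a clean host should match the real indicators.

```python
"""Sweep a directory tree for files matching the MedusaLocker IOC hashes.

Added example for this advisory, not Rewterz's tooling. The indicator set is
taken from the advisory's MD5, SHA-256 and SHA-1 lists; files are hashed in
chunks so large files do not exhaust memory, and unreadable files are skipped.
"""
import hashlib
import os
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Set

# Indicators copied from the advisory, normalised to lower-case hex.
MEDUSALOCKER_IOCS: Set[str] = {h.lower() for h in [
    # MD5
    "bb442cfc088a89e0c353ed20fb8cbf8b",
    "4660887b36d65e42b7d71d5e18187dfe",
    "55c4883494e8846ca0f66f20973aee0e",
    "1a018c68582e13d7f51aa58f87e2ed50",
    "7212675ad49b5134c6dc7509669b1526",
    # SHA-256
    "f0c2c9663215a97b04f1f97cb34c99c2cf06ba502fd1f1ad4922ead45fa442a6",
    "05b51b5f41e483020d14126522a13c69b75e5cbb093a78980877bb60cf778873",
    "8e797fff8fae9afb216b81ae341aac9f05f419061075b0f6ce4c0c7a67f458a4",
    "860154eb48c722136e8c84b14a528be602aa6bc3de77523ea4d9490f280f69d7",
    "fb1fc5323853e3289c41b4df3851cda88462ce954c2b9c7102c5a363dfa8166d",
    # SHA-1
    "1477ae595f2fb3cf7ffdee788b748db253236d0c",
    "49ad1eecb9bbb8d736833006685b8c2c1300115b",
    "0ac359313afbce0bd5a02a02e55a0c7f1004ee82",
    "9568f4a2959eda46af35c5d18c190f0d85047ac3",
    "4a664c194075afc720ec7ec04b9393054782bd11",
]}


def hash_file(path: os.PathLike, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Compute MD5, SHA-1 and SHA-256 of a file in a single read pass."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def scan_tree(root: os.PathLike, iocs: Iterable[str] = MEDUSALOCKER_IOCS) -> List[Dict[str, str]]:
    """Return one match record per file whose digest is in the IOC set."""
    ioc_set = {h.lower() for h in iocs}
    matches: List[Dict[str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                digests = hash_file(path)
            except OSError:
                continue  # locked or unreadable files are skipped, not fatal
            for algorithm, digest in digests.items():
                if digest in ioc_set:
                    matches.append({"path": str(path), "algorithm": algorithm, "hash": digest})
                    break  # one report per file is enough
    return matches


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    hits = scan_tree(target)
    for hit in hits:
        print(f"MATCH {hit['algorithm']} {hit['hash']} {hit['path']}")
    print(f"{len(hits)} matching file(s) under {target}")
```

Invoke it as `python ioc_sweep.py /path/to/scan`. A hash sweep only finds the exact samples listed, so it complements, rather than replaces, the behavioural detections (registry and process telemetry) and the anti-virus updates recommended above.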
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.