March 10, 2023
Severity
High
Analysis Summary
MedusaLocker is ransomware operated under a Ransomware-as-a-Service (RaaS) model that first surfaced in 2019. Most MedusaLocker threat actors gain initial access to victim systems through vulnerable Remote Desktop Protocol (RDP) configurations; phishing and spam email campaigns, with the ransomware attached directly to the message, are also used as initial intrusion vectors. Once on a host, MedusaLocker uses a batch file to run the PowerShell script Invoke-ReflectivePEInjection. This script propagates MedusaLocker across the network by editing the EnableLinkedConnections value in the infected machine's registry, after which the infected machine discovers attached networks and hosts via Internet Control Message Protocol (ICMP) and shared storage via the Server Message Block (SMB) protocol.
MedusaLocker skips executable files, most likely so that the victim machine stays operable long enough for the ransom to be read and paid. It uses hybrid encryption, AES for the file contents and an RSA-2048 public key to protect the AES key, and has been observed appending extensions such as .encrypted, .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, and .skynet.
MedusaLocker drops a ransom note into every folder that contains encrypted files. The note explains how to contact the MedusaLocker operators, usually by listing one or more email addresses. The size of the ransom demand appears to vary with the actors' perception of the victim's financial situation or status.
Paying the ransom does not guarantee that a decryption key will be provided, and it may encourage further attacks. Recover the data from backups instead, or engage a professional cybersecurity firm. To protect against MedusaLocker and other ransomware, keep antivirus software and operating systems up to date, do not open suspicious email attachments or download software from untrusted sources, and back up important data regularly.
[Figure: MedusaLocker ransom note]
Impact
- File encryption
Indicators of Compromise
MD5
- 168447d837fc71deeee9f6c15e22d4f4
- 0f0da68ff311ce4a8f51a52678d6fdd8
SHA-256
- add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b
- f6586d00b0f766288921d926922c8ad7c2d925e708eacc9925058bd49337db9f
SHA-1
- 80ad29680cb8cecf58d870ee675b155fc616097f
- eb90356abbeea6f00551afcb25a613b91c3da516
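An added example, not part of the Rewterz alert or its tooling: a Python sweep that hashes every file under a directory tree and matches the digests against the IOC hashes listed above, flags files carrying the encrypted-file extensions named in the analysis summary, and interprets `reg query` output for the EnableLinkedConnections value the summary says MedusaLocker edits. The registry path in the comments is the standard Windows location for that value; the reg.exe output sample and the demo files are constructed here rather than captured from an infected host.

```python
"""IOC sweep for the MedusaLocker indicators in this alert.

Added example, not Rewterz tooling. The hash values and file extensions come
from the alert text; the registry path for EnableLinkedConnections is the one
Windows uses (HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System),
and the reg.exe output sample below is constructed, not captured from a host.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Hashes listed in the IOC section of the alert, lowercased for comparison.
IOC_HASHES = {
    "md5": {"168447d837fc71deeee9f6c15e22d4f4",
            "0f0da68ff311ce4a8f51a52678d6fdd8"},
    "sha1": {"80ad29680cb8cecf58d870ee675b155fc616097f",
             "eb90356abbeea6f00551afcb25a613b91c3da516"},
    "sha256": {"add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b",
               "f6586d00b0f766288921d926922c8ad7c2d925e708eacc9925058bd49337db9f"},
}

# Extensions the alert says MedusaLocker appends to encrypted files.
RANSOM_EXTENSIONS = {".encrypted", ".bomber", ".boroff", ".breakingbad",
                     ".locker16", ".newlock", ".nlocker", ".skynet"}


def hash_file(path, chunk_size=1 << 20):
    """Return md5/sha1/sha256 hex digests of one file, computed in a single read pass."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def sweep(root, iocs=IOC_HASHES, extensions=RANSOM_EXTENSIONS):
    """Walk `root`; report files whose hash matches an IOC or that carry a ransom extension.

    Returns {"hash_hits": [(path, algo, digest), ...], "extension_hits": [path, ...]}.
    """
    hash_hits, ext_hits = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            if path.suffix.lower() in extensions:
                ext_hits.append(str(path))
            try:
                digests = hash_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the sweep
            for algo, value in digests.items():
                if value in iocs.get(algo, ()):
                    hash_hits.append((str(path), algo, value))
                    break
    return {"hash_hits": hash_hits, "extension_hits": ext_hits}


# One value line of `reg query <key> /v EnableLinkedConnections` output, e.g.
#     EnableLinkedConnections    REG_DWORD    0x1
REG_LINE = re.compile(r"^\s*EnableLinkedConnections\s+REG_DWORD\s+0x([0-9a-fA-F]+)\s*$",
                      re.MULTILINE)


def linked_connections_enabled(reg_query_output):
    """Interpret reg.exe output for the EnableLinkedConnections value.

    True  -> value present and non-zero (the state the alert associates with spreading)
    False -> value present and zero
    None  -> value absent, which is the Windows default
    """
    m = REG_LINE.search(reg_query_output)
    if m is None:
        return None
    return int(m.group(1), 16) != 0


# Constructed reg.exe output for a host where the value is set; not from a real infection.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLinkedConnections    REG_DWORD    0x1
"""


def build_demo_tree():
    """Create a throwaway directory with constructed files so the sweep can run stand-alone.

    No real MedusaLocker sample is included; the 'encrypted' file is flagged by extension only.
    """
    root = Path(tempfile.mkdtemp(prefix="medusa_sweep_"))
    (root / "finance").mkdir()
    (root / "finance" / "q1_report.xlsx.encrypted").write_bytes(b"constructed ciphertext")
    (root / "readme.txt").write_bytes(b"clean file, not an indicator")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    print(sweep(demo_root))
    print("EnableLinkedConnections set:", linked_connections_enabled(SAMPLE_REG_OUTPUT))
```

On a live host, point `sweep()` at each volume rather than the demo tree, and feed `linked_connections_enabled()` the output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections`. A non-zero EnableLinkedConnections is also set deliberately by administrators so that mapped drives are visible in both elevated and non-elevated sessions, so treat it as a lead to correlate with the hash and extension hits, not as proof of infection on its own.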
Remediation
- Block all threat indicators at your respective controls.
- Search for the indicators of compromise (IOCs) listed above in your environment using your respective security controls.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Along with network and system hardening, harden application code so that the organization's websites and software are secure, and use testing tools to detect vulnerabilities in deployed code.
- Enable two-factor authentication, particularly for RDP, VPN and other remote access.
- Implement network segmentation and keep offline backups of data to guarantee minimal downtime for the organization.
- Updates for operating systems, applications, and firmware should be installed as soon as possible.
- Check Active Directory, servers, workstations, and domain controllers for new or unfamiliar accounts.
- For secure remote connections, consider deploying a virtual private network (VPN) rather than exposing RDP directly to the internet.