Rewterz Threat Alert – MedusaLocker Ransomware – Active IOCs

Severity

High

Analysis Summary

A RaaS (Ransomware as a Service) variant dubbed MedusaLocker first surfaced in 2019. The majority of MedusaLocker ransomware threat actors acquire access to victim systems via vulnerable Remote Desktop Protocol (RDP) configurations. The threat actors also utilize email phishing and spam email campaigns as initial intrusion vectors, directly attaching the ransomware to the email. A batch file is used by the MedusaLocker ransomware to run the PowerShell script invoke-ReflectivePEInjection. By editing the EnableLinkedConnections setting in the infected system’s registry, this script spreads MedusaLocker over the network. The infected machine then detect attached networks and hosts through Internet Control Message Protocol (ICMP) and shared storage via Server Message Block (SMB) Protocol.

MedusaLocker avoids executable files, most likely to prevent leaving the targeted machine inoperable until the ransom is paid. It employs AES and RSA-2048 encryption and apparently appends extensions such as .encrypted, .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, and .skynet.

MedusaLocker perpetrators insert a ransom note into the folders that contains a file holding the victim’s encrypted data. The message explains how to contact the MedusaLocker threat actors, usually by providing victims with one or more email addresses. The magnitude of MedusaLocker ransom demands appears to fluctuate according to the actors’ perception of the victim’s financial situation or status.

It is important to note that paying the ransom does not guarantee that the decryption key will be provided, and it may also encourage further attacks. Instead, it is recommended to try and recover the data using backup copies, or seek the help of a professional cybersecurity firm. To protect against Medusa Locker Ransomware and other types of ransomware, it is important to keep antivirus software and operating systems up to date, avoid opening suspicious email attachments or downloading software from untrusted sources, and regularly back up important data.

ransom note

Impact

• File encryption

Indicators of Compromise

MD5

• 168447d837fc71deeee9f6c15e22d4f4
• 0f0da68ff311ce4a8f51a52678d6fdd8

SHA-256

• add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b
• f6586d00b0f766288921d926922c8ad7c2d925e708eacc9925058bd49337db9f

SHA-1

• 80ad29680cb8cecf58d870ee675b155fc616097f
• eb90356abbeea6f00551afcb25a613b91c3da516

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• Enable two-factor authentication.
• Implement network segmentation and keep offline backups of data to guarantee minimal downtime for the organization.
• Updates for operating systems, applications, and firmware should be installed as soon as possible.
• Check the active directories, servers, workstations, and domain controllers for new or unfamiliar accounts.
• To create safe distant connections, consider installing and utilizing a virtual private network (VPN).