On June 30, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on MedusaLocker ransomware [1]. MedusaLocker operates as a Ransomware-as-a-Service and is known to target multiple sectors, especially healthcare and pharmaceutical companies. Although Picus Labs added attack simulations for MedusaLocker ransomware to the Picus Threat Library back in October 2021, the recent MedusaLocker ransomware attacks led us to write this blog post.
MedusaLocker Ransomware
MedusaLocker is typical ransomware that follows the single extortion model: it encrypts its victim's data and demands a ransom for the decryption key. Although MedusaLocker threatens to release stolen sensitive data, there is no evidence of data exfiltration.
MedusaLocker also uses the Ransomware-as-a-Service (RaaS) business model. The developer of MedusaLocker shares the ransomware with other threat actors in return for a share of the ransom payment.
Threat actors that deploy MedusaLocker ransomware often gain initial access to their victim's network through vulnerable RDP services. After initial access, the ransomware follows the typical ransomware attack lifecycle and blocks victims from accessing their data.
Figure 1: Ransom note after MedusaLocker infection [2]
TTPs Used by MedusaLocker Ransomware
MedusaLocker ransomware uses the following tactics, techniques, and procedures (TTPs):
Tactic: Initial Access
- MITRE ATT&CK T1078 Valid Accounts
Threat actors use brute-force password guessing for RDP services. The revealed password allows the attacker to gain initial access to the victim's network.
- MITRE ATT&CK T1566 Phishing
In some cases, the ransomware is delivered via a phishing email as an attachment.
- MITRE ATT&CK T1133 External Remote Services
Threat actors exploit vulnerable RDP services in the victim network to gain initial access.
Tactic: Execution
- MITRE ATT&CK T1059.001 Command and Scripting Interpreter: PowerShell
MedusaLocker ransomware typically consists of a batch file named "qzy.bat" and a PowerShell script saved as a text file named "qzy.txt". When the batch file is executed, it reads the text file and runs the PowerShell script it contains by registering the following service:
sc create purebackup binpath= "%COMSPEC% /C start /b C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -c $km = [IO.File]::ReadAllText('C:\Windows\SysWOW64\qzy.txt'); IEX $km" start= auto DisplayName= "purebackup"
- MITRE ATT&CK T1047 Windows Management Instrumentation
MedusaLocker uses the Windows Management Instrumentation command-line utility (wmic) to delete volume shadow copies, preventing victims from recovering their encrypted data:
wmic.exe shadowcopy delete /interactive
Tactic: Persistence
- MITRE ATT&CK T1547 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
MedusaLocker establishes persistence and executes the ransomware at system startup by adding the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run MSFEEditor = "{Malware File Path}\{Malware File Name.exe}"
- MITRE ATT&CK T1168 Local Job Scheduling
MedusaLocker creates a scheduled task called "svhost" that runs the ransomware automatically every 15 minutes.
Tactic: Privilege Escalation
- MITRE ATT&CK T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
MedusaLocker ransomware uses the built-in Windows tool Microsoft Connection Manager Profile Installer (cmstp.exe) to bypass User Account Control (UAC) and run arbitrary commands with elevated privileges.
- MITRE ATT&CK T1078 Valid Accounts
Threat actors use brute-force password guessing for RDP services. If the guessed password belongs to the domain administrator, they can execute commands with elevated privileges.
Tactic: Defense Evasion
- MITRE ATT&CK T1562.001 Impair Defenses: Disable or Modify Tools
MedusaLocker disables security products such as antivirus to avoid being detected.
- MITRE ATT&CK T1562.009 Impair Defenses: Safe Mode Boot
In safe mode, Windows OS starts up with limited defenses. MedusaLocker abuses this aspect of the safe mode to evade endpoint defenses.
Tactic: Credential Access
- MITRE ATT&CK T1110 Brute Force
Threat actors use brute-force password guessing for RDP services.
Tactic: Discovery
- MITRE ATT&CK T1083 File and Directory Discovery
MedusaLocker searches for files and directories on the victim's computer. After discovery, the ransomware starts to encrypt all files and directories, with the exception of the following folders:
%User Profile%\AppData
\ProgramData
\Program Files
\Program Files (x86)
\AppData
\Application Data
\intel
\nvidia
\Users\All Users
\Windows
- MITRE ATT&CK T1135 Network Share Discovery
MedusaLocker searches for shared files on the network. The presence of shared files also indicates that there may be other hosts on the network to which the ransomware can move laterally.
- MITRE ATT&CK T1012 Query Registry
MedusaLocker searches the registry hive to learn about security products deployed in the victim's network.
Tactic: Lateral Movement
- MITRE ATT&CK T1021 Remote Services
MedusaLocker ransomware uses remote services to infect other hosts in the victim's network. Threat actors use RDP, PsExec, and SMB to spread the ransomware payload.
Tactic: Command and Control
- MITRE ATT&CK T1105 Ingress Tool Transfer
MedusaLocker uses certutil.exe to transfer files from its command and control server to the victim's network.
Tactic: Impact
- MITRE ATT&CK T1486 Data Encrypted for Impact
MedusaLocker uses a hybrid encryption approach. The victim's files are encrypted with an AES-256 symmetric encryption algorithm, and the secret key is encrypted with RSA-2048 public-key encryption.
- MITRE ATT&CK T1490 Inhibit System Recovery
MedusaLocker deletes backup copies of the encrypted files to prevent its victims from recovering them, using the following commands:
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
wbadmin DELETE SYSTEMSTATEBACKUP
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
wmic.exe shadowcopy delete /interactive
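The commands listed under Execution, WMI and Impact above are the observable part of this kill chain, so a defender can match them in process-creation telemetry. The following is an added example (not Picus code and not from the advisory) that runs rules derived from those exact command lines over constructed Sysmon-style event records and escalates a host when several distinct recovery-inhibition commands appear on it; the event field names and the threshold are assumptions.

```python
"""Detect MedusaLocker-style recovery inhibition (T1490/T1047) and the
service-based PowerShell loader (T1059.001) in process-creation logs.
Added example; event records below are constructed, not real telemetry."""
import re
from typing import Dict, List

# One rule per command pattern described in the post: (technique label, regex).
RULES = [
    ("T1490 vssadmin shadow deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490 wmic shadow deletion",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490 bcdedit recovery disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("T1490 wbadmin system state backup deletion",
     re.compile(r"wbadmin\s+delete\s+systemstatebackup", re.I)),
    ("T1059.001 service runs PowerShell IEX from file",
     re.compile(r"sc(\.exe)?\s+create\b.*powershell.*ReadAllText.*\bIEX\b", re.I)),
]

# Constructed Sysmon Event ID 1 style records (assumed field names).
SAMPLE_EVENTS = [
    {"Computer": "ws01", "ProcessId": 4312, "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "ws01", "ProcessId": 4320, "CommandLine": "bcdedit.exe /set {default} recoveryenabled no"},
    {"Computer": "ws01", "ProcessId": 4333, "CommandLine": "wmic.exe shadowcopy delete /interactive"},
    {"Computer": "ws02", "ProcessId": 900, "CommandLine": r"""sc create purebackup binpath= "%COMSPEC% /C start /b C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -c $km = [IO.File]::ReadAllText('C:\Windows\SysWOW64\qzy.txt'); IEX $km" start= auto"""},
    {"Computer": "ws03", "ProcessId": 1200, "CommandLine": "vssadmin.exe list shadows"},  # benign admin query
]

def match_rules(cmdline: str) -> List[str]:
    """Return the labels of every rule whose pattern occurs in the command line."""
    return [label for label, rx in RULES if rx.search(cmdline)]

def scan(events: List[Dict]) -> List[Dict]:
    """Produce one alert per event that matches at least one rule."""
    return [{"host": ev["Computer"], "pid": ev["ProcessId"], "techniques": hits}
            for ev in events if (hits := match_rules(ev["CommandLine"]))]

def recovery_inhibition_hosts(alerts: List[Dict], threshold: int = 2) -> List[str]:
    """Hosts on which at least `threshold` distinct T1490 rules fired; a single
    shadow-copy deletion may be admin activity, several together rarely are."""
    per_host: Dict[str, set] = {}
    for a in alerts:
        for t in a["techniques"]:
            if t.startswith("T1490"):
                per_host.setdefault(a["host"], set()).add(t)
    return sorted(h for h, hits in per_host.items() if len(hits) >= threshold)

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for alert in found:
        print(alert)
    print("recovery inhibition on:", recovery_inhibition_hosts(found))
```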
How Does Picus Help Simulate MedusaLocker Ransomware Attacks?
We also strongly suggest simulating MedusaLocker ransomware attacks to test the effectiveness of your security controls against ransomware using Picus' Complete Security Control Validation Platform. You can test your defenses against MedusaLocker ransomware and hundreds of other ransomware families such as Conti, DarkSide, and REvil (Sodinokibi) within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for MedusaLocker ransomware:
| Threat ID | Action Name | Attack Module |
| --- | --- | --- |
| 54124 | MedusaLocker Ransomware Email Threat | Email Infiltration (Phishing) |
| 84421 | MedusaLocker Ransomware Download Threat | Network Infiltration |
Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address MedusaLocker ransomware and other ransomware attacks in preventive security controls. Picus Labs has validated the following signatures for MedusaLocker:
| Security Control | Signature ID | Signature Name |
| --- | --- | --- |
| Check Point NGFW | 098063291 | Ransomware.Win32.Medusalocker.TC.r |
| Check Point NGFW | 0D2950771 | Ransomware.Win32.Medusalocker.TC.h |
| Check Point NGFW | 08D25BD5F | Ransomware.Win32.Medusalocker.TC.x |
| Check Point NGFW | 0EA1E4BF3 | Ransomware.Win32.Medusalocker.TC.i |
| Check Point NGFW | 08F9C42B7 | Ransomware.Win32.Medusalocker.TC.w |
| Cisco Firepower | 1.53663.1 | MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt |
| Fortigate AV | 8139736 | W32/Filecoder.NYA!tr.ransom |
| McAfee | 0x4840c900 | MALWARE: Malicious File Detected by GTI |
| Palo Alto NGFW | 342655449 | ransomware/Win32 EXE.filecoder.adp |
| Palo Alto NGFW | 376413039 | ransomware/Win32 EXE.filecoder.alc |
| Snort IPS | 1.53663.1 | MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus' Complete Security Control Validation Platform.
Indicators of Compromise
References
[1] "#StopRansomware: MedusaLocker." [Online]. Available: https://us-cert.cisa.gov/ncas/alerts/aa22-181a
[2] C. Nocturnus, "Cybereason vs. MedusaLocker Ransomware." [Online]. Available: https://www.cybereason.com/blog/research/medusalocker-ransomware