Analysis
Attacks and Vulnerabilities
CISA
Critical infrastructure
Malware, Phishing & Ransomware
News
Risk & Compliance

Advisory warns of MedusaLocker RaaS-based model that depends upon observed split of ransom payments

July 04, 2022
Advisory warns of MedusaLocker RaaS-based model that depends upon observed split of ransom payments

U.S. agencies issued a joint cybersecurity advisory providing information on the MedusaLocker ransomware, including recent activity observed in May. The hackers predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks, encrypt the victim’s data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to provide ransomware payments to a specific Bitcoin wallet address. 

“MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN), said in the latest advisory. “Typical RaaS models involve the ransomware developer and various affiliates that deploy the ransomware on victim systems. MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom, and the developer, who receives the remainder,” it added.

MedusaLocker relies predominantly on exploiting unpatched vulnerabilities in Remote Desktop Protocol to gain access to victims’ networks. It also frequently uses email phishing and spam email campaigns, with malware directly attached to the email, as initial intrusion vectors. 

The agencies have asked organizations to mitigate cyber threats from ransomware, including prioritizing remediating known exploited vulnerabilities, training users to recognize and report phishing attempts, and enabling and enforcing multifactor authentication (MFA).

The advisory identified that the MedusaLocker ransomware hackers also frequently use email phishing and spam email campaigns, directly attaching the ransomware to the email, as initial intrusion vectors. “MedusaLocker ransomware uses a batch file to execute PowerShell script. This script propagates MedusaLocker throughout the network by editing the value within the infected machine’s registry, which then allows the infected machine to detect attached hosts and networks via Internet Control Message Protocol (ICMP) and to detect shared storage via Server Message Block (SMB) Protocol,” it added.

MedusaLocker “then restarts the LanmanWorkstationservice, which allows registry edits to take effect, kills the processes of well-known security, accounting, and forensic software, and restarts the machine in safe mode to avoid detection by security software. It also encrypts victim files with the AES-256 encryption algorithm; the resulting key is then encrypted with an RSA-2048 public key, and runs every 60 seconds, encrypting all files except those critical to the functionality of the victim’s machine and those that have the designated encrypted file extension. 

It also establishes persistence, and attempts to prevent standard recovery techniques by deleting local backups, disabling startup recovery options, and deleting shadow copies, the advisory said. 

MedusaLocker actors place a ransom note into every folder containing a file with the victim’s encrypted data, the joint advisory said. “The note outlines how to communicate with the MedusaLocker actors, typically providing victims with one or more email addresses at which the actors can be reached. The size of MedusaLocker ransom demands appears to vary depending on the victim’s financial status as perceived by the actors,” it added.

Some other mitigation techniques involved implementing a recovery plan that maintains and retains multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location. Organizations can also implement network segmentation and maintain offline backups of data to ensure limited interruption, regularly back up data, and password-protect backup copies stored offline. 

Additionally, they can install, regularly update, and enable real-time detection for antivirus software on all hosts, and review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.

Commenting on the MedusaLocker ransomware alert, John Riggi, AHA’s National Advisor for Cybersecurity and Risk, said in a statement, “This joint agency advisory contains very detailed and actionable indicators of compromise. The advisory also highlights the danger of unsecured remote desktop protocol and phishing emails as the initial attack vector,” he added. 

“The ‘ransomware as a service’ business model used by the MedusaLocker gang facilitates the continuing global proliferation of ransomware — even by relatively unsophisticated cyber actors,” according to Riggi. “It is strongly recommended that organizations continue to emphasize phishing email education for staff, exercise cyber incident response plans, and ensure the segregation and security of network and data backups, among the many helpful risk mitigation recommendations contained in the advisory,” he added.

Last month, agencies issued another advisory that provided information on the Karakurt data extortion group, also known as the Karakurt Team and Karakurt Lair. The hackers have employed various tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. The agencies also provided some recommended actions to mitigate the cyber threats.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

MITRE confirms breach on NERVE network, suspected foreign nation-state actor involved
MITRE confirms breach on NERVE network, suspected foreign nation-state actor involved
Radiflow helps customers achieve NIS2 compliance, spurring growth in Europe
Radiflow, Exclusive Networks partner to elevate OT cybersecurity
MITRE plans to enhance cybersecurity in 2024 with ICS sub-techniques and multi-domain integration
MITRE plans to enhance cybersecurity in 2024 with ICS sub-techniques and multi-domain integration
New bill introduced to set up Water Risk and Resilience Organization to secure water systems from cyber threats
New bill introduced to set up Water Risk and Resilience Organization to secure water systems from cyber threats
CISA, FBI, Europol, and NCSC-NL issue joint cybersecurity advisory on Akira ransomware threats
CISA, FBI, Europol, and NCSC-NL issue joint cybersecurity advisory on Akira ransomware threats
Mandiant exposes APT44, Russia's Sandworm cyber sabotage unit, targeting global critical infrastructure
Mandiant exposes APT44, Russia’s Sandworm cyber sabotage unit, targeting global critical infrastructure
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Hexagon and Dragos announce technical alliance to boost industrial cybersecurity, reduce overall OT cyber risk
Armis
Armis acquires Silk Security for $150 million to enhance AI-driven cybersecurity capabilities
Nozomi discovers five vulnerabilities in AMI MegaRAC SP-X BMC, exposing OT, IOT devices to RCE attacks
Nozomi secures US$1.25 million US Air Force contract to boost DoD critical infrastructure security
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape
Industrial Cybersecurity Buyers’ Guide 2024 navigates complex industrial landscape