HC3 warns of MedusaLocker ransomware targeting unsecured RDP servers, desktops, vulnerabilities

The Health Sector Cybersecurity Coordination Center (HC3) of the U.S. Department of Health & Human Services (HHS) issued on Friday an analyst note that focuses on the threat from lesser-known but potent ransomware variants, such as the MedusaLocker ransomware, which should also be a source of concern and attention by healthcare security decision makers and defenders. The MedusaLocker ransomware is currently targeting unsecured RDP (remote desktop protocol) servers, desktops, and vulnerabilities in the software. 

The HC3 has repeatedly warned the healthcare sector about ransomware variants used to target medical organizations and systems by relatively ‘well-known’ cyber threat groups, which remain a source of concern and attention.

“The MedusaLocker ransomware was first detected back in September of 2019. Since then, MedusaLocker has infected and encrypted systems across multiple sectors, with primary targeting of the healthcare sector,” the note said. “During 2019, Medusa Locker leveraged the disorder and confusion surrounding the COVID-19 pandemic to launch attacks.” 

MedusaLocker appears to operate as a ransomware-as-a-service (RaaS) model, in which the developer of the MedusaLocker shares the ransomware with other threat actors in return for a share of the ransom payment. 

“Based on the observed split noted in a June 2022 Advisory on the MedusaLocker by United States federal law enforcement agencies, including the Federal Bureau of Investigation (FBI), MedusaLocker ransomware payments appear to be consistently split between the affiliates who receive a share of the ransom,” according to the note. “The affiliates receive approximately 55-60 percent per the time of the Advisory, and the developer receives the remainder. Initially, threat actors behind the ransomware relied on phishing and spam email campaigns to compromise targets.”

As of 2022, Remote Desktop Protocol (RDP) vulnerabilities are the preferred Tactics, Techniques, and Procedures (TTP) to gain access to targeted networks by cybercriminals behind the ransomware. Moreover, MedusaLocker ransomware hackers may still gain entry into networks using phishing campaigns in which the malware is attached to emails. 

The HC3 notes that last June, security researchers examined millions of Russian hosts visible to internet scans, specifically for penetration tools on Russian servers. The scans unveiled a network of hosts potentially used to launch ransomware attacks by criminal groups. MedusaLocker infrastructure was identified as some of those hosts.

The agency also discovered through the identification of these Russian hosts that ransomware cybercriminals were leveraging U.S. infrastructure, potentially in preparation for future attacks. This is not uncommon due to ransomware groups’ difficulties launching attacks from Russian infrastructure because most security tools preemptively block incoming traffic from Russia. 

To get around this, cybercriminals typically compromise hosts in the U.S., or less conspicuous countries, the HC3 said. “To further obfuscate attacks, cybercriminals leverage infrastructure from universities or data centers, etc. Those compromised hosts are then used as redirects,” it added. 

The HC3 said that after initial access the MedusaLocker ransomware will propagate throughout a network from a batch file that executes a PowerShell script. “MedusaLocker will next disable security and forensic software, restart the machine in safe mode to prevent detection of ransomware, and then encrypt files with AES-256 encryption algorithm. MedusaLocker will further establish persistence by deleting local backups, disabling start-up recovery to ultimately place a ransom note into every folder containing a file with compromised host’s encrypted data,” it added.

To defend against RDP attacks, the HC3 calls upon healthcare organizations to holistically require all RDP instances to have multiple levels of access and authentication controls, including monitoring RDP utilization, and flag first-time-seen and anomalous behavior, mainly failed login attempts. It also suggests implementing account lockout policies to defend against brute force attacks, prioritizing patching RDP vulnerabilities that have known public exploits, making strong passwords and two-factor authentication mandatory when using RDP, and not opening RDP to the Internet. 

The note also suggests utilizing a VPN (virtual private network) to enable remote users to securely access the corporate network without exposing their computers to the Internet. It also recommends changing the default port used by RDP from 3389 to another, while restricting access to the Remote Desktop port to an individual or group of trusted IP addresses and allow-list connections to specific trusted hosts.

Other mitigation techniques should include implementing a recovery plan that maintains and retains multiple copies of sensitive or proprietary data and servers in physically separate, segmented, and secure locations. It also adds an email banner to emails from outside the organization and disables hyperlinks in received emails.

The HC3 provided details of human-operated Royal ransomware in December, which was initially observed this year and has now increased in appearance. It has demanded ransoms up to millions of dollars. Since its appearance, HC3 has been aware of attacks against the healthcare and public health (HPH) sector.

Last week, the HC3 said that Russia-linked ransomware group Clop reportedly took responsibility for a mass attack on more than 130 organizations, including those in the healthcare industry, using a zero-day vulnerability in secure file transfer software GoAnywhere MFT. The latest HC3 sector alert follows earlier guidance on the threat group.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.