Threat actors are exploiting primarily Remote Desktop Protocol (RDP) vulnerabilities on victim computers to deploy MedusaLocker ransomware.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) released a new cybersecurity advisory (CSA) that described the recent MedusaLocker ransomware threat.
“The MedusaLocker actors encrypt the victim’s data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to provide ransomware payments to a specific Bitcoin wallet address,” CISA noted in the advisory.
The cybersecurity experts observed the activity as recently as May 2022 and confirmed the malware appears to operate as a Ransomware-as-a-Service (RaaS) model.
Moreover, CISA noted the malware leverages a batch file to launch a PowerShell script to then propagate MedusaLocker throughout the victim’s network. This is achieved by editing the system registry value ‘EnableLinkedConnections’.
As a consequence, the infected system can detect attached hosts and networks via the Internet Control Message Protocol (ICMP) and also detect shared storage via Server Message Block (SMB) protocol.
After infecting the victim’s system, MedusaLocker then proceeds to:
- Restart the LanmanWorkstation service (to allow registry changes to take affect).
- Kill security, accounting, and forensic software processes.
- Restart the computer in safe mode.
- Encrypt victim’s files.
- Run every minute to encrypt all files not required to keep system running.
- Maintain persistence.
- Prevent standard recovery methods (such as deleting local backups, disabling startup recovery, and deleting shadow copies).
The CSA for MedusaLocker is part of an ongoing #StopRansomware effort meant to outline advisories for network defenders on ransomware threats.
Finally, CISA, FBI, Treasury and FinCEN encourage network defenders to prioritize remediation of vulnerabilities, train users on guarding against phishing attempts, and use multi-factor authentication.
Readers can also check out the U.S. Government guidance on ransomware protection, detection, and response.