Huseyin Can YUCEEL | July 01, 2022
On June 30, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on MedusaLocker ransomware [1]. MedusaLocker is operated as Ransomware-as-a-Service and has been known to target multiple organizations, especially healthcare and pharmaceutical companies. Although Picus Labs added attack simulations for MedusaLocker ransomware to the Picus Threat Library back in October 2021, the recent MedusaLocker ransomware attacks led us to write this blog post.
MedusaLocker is a typical ransomware that uses the single extortion model: it encrypts its victim's data and demands a ransom for the decryption key. Although MedusaLocker threatens to release its victims' stolen sensitive data, there is no evidence of data exfiltration.
MedusaLocker also uses the Ransomware-as-a-Service (RaaS) business model. The developer of the MedusaLocker shares the ransomware with other threat actors in return for a share of the ransom payment.
Threat actors that use MedusaLocker ransomware often use vulnerable RDP services to gain initial access to their victim's network. After initial access, the ransomware follows the typical ransomware attack lifecycle and blocks victims from accessing their data.
Figure 1: Ransom note after MedusaLocker infection [2]
MedusaLocker ransomware uses the following tactics, techniques, and procedures (TTPs):
Persistence through a new Windows service that launches PowerShell and executes a script read from a text file:
sc create purebackup binpath= "%COMSPEC% /C start /b C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -c $km = [IO.File]::ReadAllText('C:\Windows\SysWOW64\qzy.txt'); IEX $km" start= auto DisplayName= "purebackup"
Shadow copy deletion via WMI:
wmic.exe shadowcopy delete /interactive
Persistence through a registry Run key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run MSFEEditor = "{Malware File Path}\{Malware File Name.exe}"
Directories the ransomware leaves unencrypted:
%User Profile%\AppData, \ProgramData, \Program Files, \Program Files (x86), \AppData, \Application Data, \intel, \nvidia, \Users\All Users, \Windows
Inhibiting system recovery (deleting shadow copies and system state backups, disabling boot recovery):
vssadmin.exe delete shadows /all /quiet
bcdedit.exe /set {default} recoveryenabled no
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
wbadmin DELETE SYSTEMSTATEBACKUP
wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest
wmic.exe shadowcopy delete /interactive
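Each of the commands above also has a legitimate administrative use, so the useful detection signal is their combination on one host rather than any single command. The following Python script is an added example written for this post; it is not Picus code and not a Picus Threat Library entry. It parses constructed JSON-lines telemetry (loosely modelled on Sysmon process-creation and registry events; the hostnames, PIDs and the Run value's file path are made up, while the command lines and the MSFEEditor value name are the ones quoted above) and raises a verdict only when several distinct recovery-inhibition commands, or recovery inhibition plus a persistence mechanism, appear on the same host.

```python
import json
import re
from collections import defaultdict

# Constructed sample telemetry. Hostnames, PIDs and the Run value's file path
# are invented; the command lines are those quoted in the post.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "ProcessCreate", "pid": 4120,
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS01", "type": "ProcessCreate", "pid": 4133,
     "cmd": "bcdedit.exe /set {default} recoveryenabled no"},
    {"host": "WS01", "type": "ProcessCreate", "pid": 4140,
     "cmd": "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "WS01", "type": "ProcessCreate", "pid": 4151,
     "cmd": "wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"},
    {"host": "WS01", "type": "ProcessCreate", "pid": 4162,
     "cmd": "wmic.exe shadowcopy delete /interactive"},
    {"host": "WS01", "type": "ProcessCreate", "pid": 4170,
     "cmd": 'sc create purebackup binpath= "%COMSPEC% /C start /b '
            'C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe '
            "-c $km = [IO.File]::ReadAllText('C:\\Windows\\SysWOW64\\qzy.txt'); IEX $km\" "
            'start= auto DisplayName= "purebackup"'},
    {"host": "WS01", "type": "RegistryValueSet", "pid": 4170,
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MSFEEditor",
     "details": "C:\\Users\\Public\\svchost.exe"},
    # Benign administrative activity on a second host: a read-only look-up.
    {"host": "WS02", "type": "ProcessCreate", "pid": 980,
     "cmd": "vssadmin.exe list shadows"},
    {"host": "WS02", "type": "ProcessCreate", "pid": 1002,
     "cmd": "C:\\Windows\\explorer.exe"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

# (rule name, rule family, regex over the command line). Recovery-inhibition
# rules share a family so the verdict can require more than one of them.
PROCESS_RULES = [
    ("vssadmin_delete_shadows", "inhibit_recovery",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", "inhibit_recovery",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit_disable_recovery", "inhibit_recovery",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("wbadmin_delete_systemstate", "inhibit_recovery",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+systemstatebackup\b", re.I)),
    ("sc_create_powershell_loader", "persistence",
     re.compile(r"\bsc(\.exe)?\s+create\s+\S+.*binpath=.*powershell.*"
                r"(ReadAllText|IEX|Invoke-Expression)", re.I)),
]
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


def parse_events(log_text):
    """Parse JSON-lines telemetry, skipping blank and malformed lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a production pipeline should count and alert on these
    return events


def match_event(event):
    """Return (rule_name, family) for the first matching rule, else None."""
    if event.get("type") == "ProcessCreate":
        cmd = event.get("cmd", "")
        for name, family, pattern in PROCESS_RULES:
            if pattern.search(cmd):
                return name, family
    elif event.get("type") == "RegistryValueSet":
        if RUN_KEY.search(event.get("target", "")):
            return "run_key_autostart", "persistence"
    return None


def analyze(log_text, min_recovery_rules=2):
    """Group rule hits per host. A host is a ransomware precursor when it shows
    at least min_recovery_rules distinct recovery-inhibition rules, or any
    recovery inhibition together with a persistence mechanism."""
    hits = defaultdict(list)
    for ev in parse_events(log_text):
        m = match_event(ev)
        if m:
            hits[ev.get("host", "?")].append((ev.get("pid"), m[0], m[1]))
    verdicts = {}
    for host, host_hits in hits.items():
        recovery = {r for _, r, f in host_hits if f == "inhibit_recovery"}
        persistence = {r for _, r, f in host_hits if f == "persistence"}
        suspicious = len(recovery) >= min_recovery_rules or bool(recovery and persistence)
        verdicts[host] = {"rules": sorted(recovery | persistence),
                          "verdict": "ransomware_precursor" if suspicious else "review"}
    return verdicts


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Hosts with no rule hits (WS02 in the sample) never appear in the output, and a host with a single recovery-inhibition hit is only marked for review, which keeps routine `vssadmin` or `bcdedit` administration from paging an analyst while the full MedusaLocker sequence on WS01 is flagged.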
We also strongly suggest simulating MedusaLocker ransomware attacks to test the effectiveness of your security controls against ransomware using Picus' Complete Security Control Validation Platform. You can test your defenses against MedusaLocker ransomware and hundreds of other ransomware families such as Conti, DarkSide, and REvil (Sodinokibi) within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for MedusaLocker ransomware:
Threat ID | Action Name | Attack Module
54124 | MedusaLocker Ransomware Email Threat | Email Infiltration (Phishing)
84421 | MedusaLocker Ransomware Download Threat | Network Infiltration
Moreover, the Picus Threat Library contains 150+ threats comprising 1500+ web application and vulnerability exploitation attacks, in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.
Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures that address MedusaLocker and other ransomware attacks in preventive security controls. Picus Labs has currently validated the following signatures for MedusaLocker:
Security Control | Signature ID | Signature Name
Check Point NGFW | 098063291 | Ransomware.Win32.Medusalocker.TC.r
Check Point NGFW | 0D2950771 | Ransomware.Win32.Medusalocker.TC.h
Check Point NGFW | 08D25BD5F | Ransomware.Win32.Medusalocker.TC.x
Check Point NGFW | 0EA1E4BF3 | Ransomware.Win32.Medusalocker.TC.i
Check Point NGFW | 08F9C42B7 | Ransomware.Win32.Medusalocker.TC.w
Cisco Firepower | 1.53663.1 | MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt
Fortigate AV | 8139736 | W32/Filecoder.NYA!tr.ransom
McAfee | 0x4840c900 | MALWARE: Malicious File Detected by GTI
Palo Alto NGFW | 342655449 | ransomware/Win32 EXE.filecoder.adp
Palo Alto NGFW | 376413039 | ransomware/Win32 EXE.filecoder.alc
Snort IPS | 1.53663.1 | MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus' Complete Security Control Validation Platform.
File hashes of the MedusaLocker ransomware samples simulated in the Picus Threat Library:
SHA-256 | MD5 | SHA-1
e70a261143213e70ffa10643e17b5890443bd2b159527cd2c408dea989a17cfc | 30e71d452761fbe75d9c8648b61249c3 | a35dd292647db3cb7bf60449732fc5f12162f39e
fb07649497b39eee0a93598ff66f14a1f7625f2b6d4c30d8bb5c48de848cd4f2 | 217b5b689dca5aa0026401bffc8d3079 | 86d92fc3ba2b3536893b8e753da9cbae70063a50
ed139beb506a17843c6f4b631afdf5a41ec93121da66d142b412333e628b9db8 | 47d222dd2ac5741433451c8acaac75bd | 02a0ea73ccc55c0236aa1b4ab590f11787e3586e
a8b84ab6489fde1fab987df27508abd7d4b30d06ab854b5fda37a277e89a2558 | 4293f5b9957dc9e61247e6e1149e4c0f | c87cd85d434e358b85f94cad098aa1f653d9cdbf
4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4 | 82143033173cbeee7f559002fb8ab8c5 | e03aedb8b9770f899a29f1939636db43825e95cf
References
[1] "#StopRansomware: MedusaLocker." [Online]. Available: https://us-cert.cisa.gov/ncas/alerts/aa22-181a
[2] C. Nocturnus, "Cybereason vs. MedusaLocker Ransomware." [Online]. Available: https://www.cybereason.com/blog/research/medusalocker-ransomware