MedusaLocker Ransomware Analysis, Simulation, and Mitigation

On June 30, 2022, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on MedusaLocker ransomware [1]. MedusaLocker operates a Ransomware-as-a-Service and has been known to target multiple organizations, especially healthcare and pharmaceutical companies. Although Picus Labs added attack simulations for MedusaLocker ransomware to Picus Threat Library back in October 2021, the recent MedusaLocker ransomware attacks led us to write this blog post.

Simulate Ransomware Threats with 14-Day Free Trial of Picus Platform

MedusaLocker Ransomware

MedusaLocker ransomware is typical ransomware that uses the single extortion model, meaning that the ransomware encrypts its victim's data and demands ransom for the decryption key. Although MedusaLocker threatens its victims to release stolen sensitive data, there is no evidence of data exfiltration.

MedusaLocker also uses the Ransomware-as-a-Service (RaaS) business model. The developer of the MedusaLocker shares the ransomware with other threat actors in return for a share of the ransom payment.

Threat actors that use MedusaLocker ransomware often use vulnerable RDP services to gain initial access to their victim's network. After initial access, the ransomware follows the typical ransomware attack lifecycle and blocks victims from accessing their data.

Figure 1: Ransom note after MedusaLocker infection [2]

TTPs Used by MedusaLocker Ransomware

MedusaLocker ransomware uses the following tactics, techniques, and procedures (TTPs):

Tactic: Initial Access

• MITRE ATT&CK T1078 Valid Accounts
  Threat actors use brute-force password guessing for RDP services. The revealed password allows the attacker to gain initial access to the victim's network.

• MITRE ATT&CK T1566 Phishing
  In some cases, the ransomware is delivered via a phishing email as an attachment.

• MITRE ATT&CK T1133 External Remote Services
  Threat actors exploit vulnerable RDP services in the victim network to gain initial access.

Tactic: Execution

• MITRE ATT&CK T1059.001 Command and Scripting Interpreter: PowerShell
  MedusaLocker ransomware typically consists of a batch file named "qzy.bat" and a PowerShell script saved as a text file named "qzy.txt". When the batch file is executed, it calls the text file and runs the PowerShell script in the text file.

• MITRE ATT&CK T1047 Windows Management Instrumentation
  MedusaLocker uses Windows Management Instrumentation command-line utility (wmic) to delete volume shadow copies to prevent victims from recovering their encrypted data.

Tactic: Persistence

• MITRE ATT&CK T1547 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  MedusaLocker establishes persistence and executes the ransomware at system startup by adding the following registry entry.

• MITRE ATT&CK T1168 Local Job Scheduling
  MedusaLocker creates a scheduled task called "svhost" that runs the ransomware automatically every 15 minutes.

Tactic: Privilege Escalation

• MITRE ATT&CK T1548.002 Abuse Elevation Control Mechanism Bypass UAC
  MedusaLocker ransomware uses the built-in Windows tool called Microsoft Connection Manager Profile Installer (cmstp.exe) to bypass User Account Control (UAC) and runs arbitrary commands with elevated privileges.

• MITRE ATT&CK T1078 Valid Accounts
  Threat actors use brute-force password guessing for RDP services. If the guessed password belongs to the domain administrator, they can execute commands with elevated privileges.

Tactic: Defense Evasion

• MITRE ATT&CK T1562.001 Impair Defenses: Disable or Modify Tools
  MedusaLocker disables security products such as antivirus to avoid being detected.

• MITRE ATT&CK T1562.009 Impair Defenses: Safe Mode Boot
  In safe mode, Windows OS starts up with limited defenses. MedusaLocker abuses this aspect of the safe mode to evade endpoint defenses.

Tactic: Credential Access

• MITRE ATT&CK T1110 Brute Force
  Threat actors use brute-force password guessing for RDP services.

Tactic: Discovery

• MITRE ATT&CK T1083 File and Directory Discovery
  MedusaLocker searches for files and directories in the victim's computer. After discovery, the ransomware starts to encrypt all files and directories with the exception of the following folders.

• MITRE ATT&CK T1135 Network Share Discovery
  MedusaLocker searches for shared files in the network. The shared files also indicate that there might be other hosts in the network that can be moved to laterally.

• MITRE ATT&CK T1012 Query Registry
  MedusaLocker searches the registry hive to learn about security products deployed in the victim's network.

Tactic: Lateral Movement

• MITRE ATT&CK T1021 Remote Services
  MedusaLocker ransomware uses remote services to infect other hosts in the victim's network. Threat actors use RDP, PsExec, and SMB to spread the ransomware payload.

Tactic: Command and Control

• MITRE ATT&CK T1105 Ingress Tool Transfer
  MedusaLocker uses certutil.exe to transfer files from its command and control server to the victim's network. 

Tactic: Impact

• MITRE ATT&CK T1486 Data Encrypted for Impact
  MedusaLocker uses a hybrid encryption approach. The victim's files are encrypted with an AES-256 symmetric encryption algorithm, and the secret key is encrypted with RSA-2048 public-key encryption.

• MITRE ATT&CK T1490 Inhibit System Recovery
  MedusaLocker deletes backup copies of the encrypted files to prevent its victims from recovering them with the following commands.

How Picus Helps Simulate MedusaLocker Ransomware Attacks?

We also strongly suggest simulating MedusaLocker ransomware attacks to test the effectiveness of your security controls against ransomware attacks using the Picus' The Complete Security Control Validation Platform. You can test your defenses against MedusaLocker ransomware and hundreds of other ransomware such as Conti, DarkSide, and REvil (Sodinokibi) within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for MedusaLocker ransomware: 

Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address MedusaLocker ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for MedusaLocker:

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trial  of Picus' The Complete Security Control Validation Platform.

Indicators of Compromises

References

[1] "#StopRansomware: MedusaLocker." [Online]. Available: https://us-cert.cisa.gov/ncas/alerts/aa22-181a

[2] C. Nocturnus, "Cybereason vs. MedusaLocker Ransomware." [Online]. Available: https://www.cybereason.com/blog/research/medusalocker-ransomware