MedusaLocker Ransomware Analysis, Simulation, and Mitigation

The Red Report 2024

The Top 10 MITRE ATT&CK Techniques Used by Adversaries

DOWNLOAD

On June 30, 2022, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on MedusaLocker ransomware [1]. MedusaLocker operates a Ransomware-as-a-Service and has been known to target multiple organizations, especially healthcare and pharmaceutical companies. Although Picus Labs added attack simulations for MedusaLocker ransomware to Picus Threat Library back in October 2021, the recent MedusaLocker ransomware attacks led us to write this blog post.

Simulate Ransomware Threats with 14-Day Free Trial of Picus Platform

MedusaLocker Ransomware

MedusaLocker ransomware is typical ransomware that uses the single extortion model, meaning that the ransomware encrypts its victim's data and demands ransom for the decryption key. Although MedusaLocker threatens its victims to release stolen sensitive data, there is no evidence of data exfiltration.

MedusaLocker also uses the Ransomware-as-a-Service (RaaS) business model. The developer of the MedusaLocker shares the ransomware with other threat actors in return for a share of the ransom payment.

Threat actors that use MedusaLocker ransomware often use vulnerable RDP services to gain initial access to their victim's network. After initial access, the ransomware follows the typical ransomware attack lifecycle and blocks victims from accessing their data.


Figure 1: Ransom note after MedusaLocker infection [2]

TTPs Used by MedusaLocker Ransomware

MedusaLocker ransomware uses the following tactics, techniques, and procedures (TTPs):

Tactic: Initial Access

  • MITRE ATT&CK T1078 Valid Accounts
    Threat actors use brute-force password guessing for RDP services. The revealed password allows the attacker to gain initial access to the victim's network.
  • MITRE ATT&CK T1566 Phishing
    In some cases, the ransomware is delivered via a phishing email as an attachment.
  • MITRE ATT&CK T1133 External Remote Services
    Threat actors exploit vulnerable RDP services in the victim network to gain initial access.

Tactic: Execution

  • MITRE ATT&CK T1059.001 Command and Scripting Interpreter: PowerShell
    MedusaLocker ransomware typically consists of a batch file named "qzy.bat" and a PowerShell script saved as a text file named "qzy.txt". When the batch file is executed, it calls the text file and runs the PowerShell script in the text file.

sc create purebackup binpath= "%COMSPEC% /C start /b C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -c $km = [IO.File]::ReadAllText('C:\Windows\SysWOW64\qzy.txt'); IEX $km" start= auto DisplayName= "purebackup"

  • MITRE ATT&CK T1047 Windows Management Instrumentation
    MedusaLocker uses Windows Management Instrumentation command-line utility (wmic) to delete volume shadow copies to prevent victims from recovering their encrypted data.

wmic.exe shadowcopy delete /interactive

Tactic: Persistence

  • MITRE ATT&CK T1547 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    MedusaLocker establishes persistence and executes the ransomware at system startup by adding the following registry entry.

HKEY_CURRENT_USER\Software\Microsoft\

Windows\CurrentVersion\Run

MSFEEditor = "{Malware File Path}\{Malware File Name.exe}"

  • MITRE ATT&CK T1168 Local Job Scheduling
    MedusaLocker creates a scheduled task called "svhost" that runs the ransomware automatically every 15 minutes.

Tactic: Privilege Escalation

  • MITRE ATT&CK T1548.002 Abuse Elevation Control Mechanism Bypass UAC
    MedusaLocker ransomware uses the built-in Windows tool called Microsoft Connection Manager Profile Installer (cmstp.exe) to bypass User Account Control (UAC) and runs arbitrary commands with elevated privileges.
  • MITRE ATT&CK T1078 Valid Accounts
    Threat actors use brute-force password guessing for RDP services. If the guessed password belongs to the domain administrator, they can execute commands with elevated privileges.

Tactic: Defense Evasion

  • MITRE ATT&CK T1562.001 Impair Defenses: Disable or Modify Tools
    MedusaLocker disables security products such as antivirus to avoid being detected.
  • MITRE ATT&CK T1562.009 Impair Defenses: Safe Mode Boot
    In safe mode, Windows OS starts up with limited defenses. MedusaLocker abuses this aspect of the safe mode to evade endpoint defenses.

Tactic: Credential Access

  • MITRE ATT&CK T1110 Brute Force
    Threat actors use brute-force password guessing for RDP services.

Tactic: Discovery

  • MITRE ATT&CK T1083 File and Directory Discovery
    MedusaLocker searches for files and directories in the victim's computer. After discovery, the ransomware starts to encrypt all files and directories with the exception of the following folders.

%User Profile%\AppData

\ProgramData

\Program Files

\Program Files (x86)

\AppData

\Application Data

\intel

\nvidia

\Users\All Users

\Windows

 

  • MITRE ATT&CK T1135 Network Share Discovery
    MedusaLocker searches for shared files in the network. The shared files also indicate that there might be other hosts in the network that can be moved to laterally.
  • MITRE ATT&CK T1012 Query Registry
    MedusaLocker searches the registry hive to learn about security products deployed in the victim's network.

Tactic: Lateral Movement

  • MITRE ATT&CK T1021 Remote Services
    MedusaLocker ransomware uses remote services to infect other hosts in the victim's network. Threat actors use RDP, PsExec, and SMB to spread the ransomware payload.

Tactic: Command and Control

  • MITRE ATT&CK T1105 Ingress Tool Transfer
    MedusaLocker uses certutil.exe to transfer files from its command and control server to the victim's network. 

Tactic: Impact

  • MITRE ATT&CK T1486 Data Encrypted for Impact
    MedusaLocker uses a hybrid encryption approach. The victim's files are encrypted with an AES-256 symmetric encryption algorithm, and the secret key is encrypted with RSA-2048 public-key encryption.
  • MITRE ATT&CK T1490 Inhibit System Recovery
    MedusaLocker deletes backup copies of the encrypted files to prevent its victims from recovering them with the following commands.

vssadmin.exe delete shadows /all /quiet

bcdedit.exe /set {default} recoveryenabled no

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

wbadmin DELETE SYSTEMSTATEBACKUP

wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest

wmic.exe shadowcopy delete /interactive

How Picus Helps Simulate MedusaLocker Ransomware Attacks?

We also strongly suggest simulating MedusaLocker ransomware attacks to test the effectiveness of your security controls against ransomware attacks using the Picus' The Complete Security Control Validation Platform. You can test your defenses against MedusaLocker ransomware and hundreds of other ransomware such as Conti, DarkSide, and REvil (Sodinokibi) within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for MedusaLocker ransomware: 

Threat ID

Action Name

Attack Module

54124

MedusaLocker Ransomware Email Threat

Email Infiltration (Phishing)

84421

MedusaLocker Ransomware Download Threat

Network Infiltration

 


Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address MedusaLocker ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for MedusaLocker:

Security Control

Signature ID

Signature Name

Check Point NGFW

098063291

Ransomware.Win32.Medusalocker.TC.r

Check Point NGFW

0D2950771

Ransomware.Win32.Medusalocker.TC.h

Check Point NGFW

08D25BD5F

Ransomware.Win32.Medusalocker.TC.x

Check Point NGFW

0EA1E4BF3

Ransomware.Win32.Medusalocker.TC.i

Check Point NGFW

08F9C42B7

Ransomware.Win32.Medusalocker.TC.w

Cisco Firepower

1.53663.1

MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt

Fortigate AV

8139736

W32/Filecoder.NYA!tr.ransom

McAfee

0x4840c900

MALWARE: Malicious File Detected by GTI

Palo Alto NGFW

342655449

ransomware/Win32 EXE.filecoder.adp

Palo Alto NGFW

376413039

ransomware/Win32 EXE.filecoder.alc

Snort IPS

1.53663.1

MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt


Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trialof Picus' The Complete Security Control Validation Platform.

Indicators of Compromises

SHA-256

MD5

SHA-1

e70a261143213e70ffa10643e17b5890443bd2b159527cd2c408dea989a17cfc

30e71d452761fbe75d9c8648b61249c3

a35dd292647db3cb7bf60449732fc5f12162f39e

fb07649497b39eee0a93598ff66f14a1f7625f2b6d4c30d8bb5c48de848cd4f2

217b5b689dca5aa0026401bffc8d3079

86d92fc3ba2b3536893b8e753da9cbae70063a50

ed139beb506a17843c6f4b631afdf5a41ec93121da66d142b412333e628b9db8

47d222dd2ac5741433451c8acaac75bd

02a0ea73ccc55c0236aa1b4ab590f11787e3586e

a8b84ab6489fde1fab987df27508abd7d4b30d06ab854b5fda37a277e89a2558

4293f5b9957dc9e61247e6e1149e4c0f

c87cd85d434e358b85f94cad098aa1f653d9cdbf

4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4

82143033173cbeee7f559002fb8ab8c5

e03aedb8b9770f899a29f1939636db43825e95cf

References

[1] "#StopRansomware: MedusaLocker." [Online]. Available: https://us-cert.cisa.gov/ncas/alerts/aa22-181a

[2] C. Nocturnus, "Cybereason vs. MedusaLocker Ransomware." [Online]. Available: https://www.cybereason.com/blog/research/medusalocker-ransomware