Dark Web Profile: Medusa Ransomware (MedusaLocker) – SOCRadar® Cyber Intelligence Inc.

MITRE Techniques

• [T1078] Valid Accounts – Initial access via compromised credentials and exposed services; quotable usage includes: “The ransomware predominantly gains access to systems through vulnerable Remote Desktop Protocols (RDP) and deceptive phishing campaigns.”
• [T1566] Phishing – Initial access via deceptive phishing campaigns; quotable usage includes: “The ransomware predominantly gains access to systems through vulnerable Remote Desktop Protocols (RDP) and deceptive phishing campaigns.”
• [T1133] External Remote Services – Access gained through external remote services like RDP; quotable usage includes: “The ransomware predominantly gains access to systems through vulnerable Remote Desktop Protocols (RDP) and deceptive phishing campaigns.”
• [T1059.001] Command and Scripting Interpreter: PowerShell – Execution performed via PowerShell; quotable usage includes: “PowerShell for command execution.”
• [T1047] Windows Management Instrumentation – Uses WMI for persistence/execution; quotable usage includes: “Windows Management Instrumentation.”
• [T1547] Boot or Logon Autostart Execution – Persistence via startup mechanisms; quotable usage includes: “Boot or Logon Autostart Execution.”
• [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – Privilege escalation by bypassing UAC; quotable usage includes: “Bypass User Account Control.”
• [T1562.001] Impair Defenses: Disable or Modify Tools – Deactivates defense mechanisms; quotable usage includes: “deactivates defense mechanisms.”
• [T1562.009] Impair Defenses: Safe Mode Boot – Attempts to operate using Safe Mode to evade defenses; quotable usage includes: “Safe Mode Boot.”
• [T1110] Brute Force – Credential access via brute force techniques; quotable usage includes: “Brute Force.”
• [T1083] File and Directory Discovery – Discovery of files/directories on the system; quotable usage includes: “File and Directory Discovery.”
• [T1135] Network Share Discovery – Identifies network shares for lateral movement; quotable usage includes: “Network Share Discovery.”
• [T1012] Query Registry – Querying the Windows Registry for information; quotable usage includes: “Query Registry.”
• [T1021] Remote Services – Movement via remote services like RDP/SMB; quotable usage includes: “Remote Services.”
• [T1105] Ingress Tool Transfer – Transfers tools/assets into the environment for execution; quotable usage includes: “Ingress Tool Transfer.”
• [T1071.001] Web Protocols – C2 communications over application layer web protocols; quotable usage includes: “Application Layer Protocol: Web Protocols.”
• [T1048] Exfiltration Over Alternative Protocol – Data exfiltration over non-standard channels; quotable usage includes: “Exfiltration Over Alternative Protocol.”
• [T1489] Service Stop – Impact tactic by stopping services to hinder operations; quotable usage includes: “Service Stop.”