Increase In MedusaLocker Ransomware Victims – Cyble

MedusaLocker ransomware gains initial access through vulnerable Remote Desktop Protocol (RDP) configurations and phishing, and is run as a Ransomware-as-a-Service (RaaS) in which developers and affiliates split the proceeds of successful attacks. It targets healthcare, education, and government organizations worldwide and chains persistence, UAC bypass, network propagation, defense termination, backup deletion, and AES/RSA file encryption to maximize impact. #MedusaLocker #RaaS #RDP #CMSTP #SHEmptyRecycleBinW #UACBypass #AES256 #RSA

Keypoints

  • MedusaLocker gains initial access primarily through vulnerable Remote Desktop Protocol (RDP) configurations and uses phishing/spear-phishing in campaigns.
  • It operates under a Ransomware-as-a-Service (RaaS) model, with developers and affiliates sharing profits after successful operations.
  • The gang targets hospitals/healthcare, education, and government sectors, with the USA being the largest victim hotspot and victims spread across continents.
  • Technical workflow includes mutex creation, admin-privilege checks, UAC bypass via CMSTP, registry-based UAC suppression, and persistence via AppData placement and scheduled tasks.
  • It performs network discovery and propagation (ICMP checks, SMB share enumeration, and lateral movement to shared resources) while terminating defenses and deleting backups to hinder recovery.
  • Files are encrypted with AES-256; the AES key is in turn encrypted with an RSA public key embedded in the binary, so recovery requires the attackers' matching RSA private key. A ransom note carrying a unique victim ID is dropped for negotiations.

MITRE Techniques

  • [T1133] External Remote Services – MedusaLocker gains initial access via vulnerable RDP configurations. “gains initial access to the victim’s device through vulnerable Remote Desktop Protocol (RDP) configurations.”
  • [T1566] Phishing – Campaigns use phishing and spear phishing emails to target victims. “The TAs also use phishing and spear phishing emails in their campaigns to target possible victims.”
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence via a scheduled task launched every 15 minutes. “creates a Schedule Task entry in the system and launches itself every 15 minutes for an indefinite period.”
  • [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control – Privilege escalation by bypassing UAC to obtain elevated rights. “employs a User Account Control (UAC) bypass technique to restart itself with elevated privileges.”
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Defense evasion by disabling UAC prompts and modifying registry settings. “disables the UAC prompt… modifies the ‘EnableLUA’ registry value… to ‘0’… If the registry modification fails, the ransomware changes the ‘ConsentPromptBehaviorAdmin’ registry value to ‘0’.”
  • [T1135] Network Share Discovery – Discovery by scanning for SMB shares and listing them. “After enumeration, the ransomware scans for SMB shares connected to the system. It creates a list of SMB shares, excluding any hidden shares…”
  • [T1021.002] SMB/Windows Admin Shares – Lateral movement through shared resources to infect other systems. “Eventually, the ransomware propagates to all shared resources and proceeds to infect other connected systems within the network.”
  • [T1490] Inhibit System Recovery – Impact by deleting backups and disabling recovery mechanisms. “The Ransomware now utilizes inbuilt tools to delete the backups from the victim’s system… SHEmptyRecycleBinW() API to clear the Recycle Bin.”
  • [T1082] System Information Discovery – Discovery by enumerating system drives/volumes. “System Volume Enumeration: The ransomware enumerates all the logical drives in the system…”
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Terminating antivirus and other security services to avoid detection; stopping the database and other utility services in the same hardcoded list also corresponds to [T1489] Service Stop. “terminates various running services, including antivirus, database, and other utility services… hardcoded list of services…”
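
The host-side hunting script below is an added example and is not part of the Cyble report. It checks a Windows machine for the artefacts described in the keypoints and in the T1053.005 / T1548.002 / T1562.001 entries above: the two UAC registry values MedusaLocker sets to 0, and a scheduled task that repeats every 15 minutes or launches a binary from a user's AppData folder. The registry path, the PT15M interval format and the cmdlets are standard Windows; the exact task name MedusaLocker uses is not given on this page, so the script matches on behaviour rather than on a name. The CMSTP bypass itself is only named here and is not checked for.

```powershell
# Added hunting example (not from the Cyble report). Read-only; run from an elevated prompt.
# Looks for three MedusaLocker-style artefacts described above:
#   1. UAC weakened: EnableLUA = 0 or ConsentPromptBehaviorAdmin = 0
#   2. A scheduled task repeating every 15 minutes (PT15M) and/or running from \AppData\
#   3. SHA-256 of any such task binary, for comparison with the published IOC hashes

$findings = @()

# 1. UAC policy. Healthy defaults: EnableLUA = 1, ConsentPromptBehaviorAdmin = 5.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($policy.EnableLUA -eq 0) {
    $findings += [pscustomobject]@{ Check = 'UAC'; Detail = 'EnableLUA is 0 (UAC disabled)' }
}
if ($policy.ConsentPromptBehaviorAdmin -eq 0) {
    $findings += [pscustomobject]@{ Check = 'UAC'; Detail = 'ConsentPromptBehaviorAdmin is 0 (elevate without prompting)' }
}

# 2. Scheduled tasks: a 15-minute repetition interval and/or an action under AppData.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    $repeats15 = $false
    foreach ($trigger in $task.Triggers) {
        # Repetition.Interval is an ISO 8601 duration string, e.g. PT15M
        if ($trigger.Repetition -and $trigger.Repetition.Interval -eq 'PT15M') { $repeats15 = $true }
    }
    foreach ($action in $task.Actions) {
        $exe = $action.Execute
        if (-not $exe) { continue }                      # non-exec actions have no Execute
        $expanded = [Environment]::ExpandEnvironmentVariables($exe).Trim('"')
        $inAppData = $expanded -match '\\AppData\\'
        if ($repeats15 -or $inAppData) {
            $hash = $null
            if (Test-Path -LiteralPath $expanded) {
                # 3. hash the binary so it can be checked against the IOC list
                $hash = (Get-FileHash -LiteralPath $expanded -Algorithm SHA256).Hash
            }
            $findings += [pscustomobject]@{
                Check  = 'ScheduledTask'
                Detail = "$($task.TaskPath)$($task.TaskName) -> $expanded (every15min=$repeats15, appdata=$inAppData) sha256=$hash"
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No MedusaLocker-style UAC or scheduled-task artefacts found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A legitimate updater can also live in AppData or repeat on a 15-minute schedule, so treat a single hit as a lead to triage (hash against the IOC list, check the binary's signer and the task's creation time) rather than a verdict; a combination of the UAC values at 0 and an unsigned AppData task repeating every 15 minutes is the pattern the report describes.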

Indicators of Compromise

  • [Hash] SHA-256 – MedusaLocker executable – 1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f, and 22 more hashes
  • [Hash] MD5 – MedusaLocker executable – 28ec152fadc5119c31f1fc984735b324, and 22 more hashes

Read more: https://blog.cyble.com/2023/03/15/unmasking-medusalocker-ransomware/