MedusaLocker Ransomware: An In-Depth Technical Analysis and Prevention Strategies – Blogs on Information Technology, Network & Cybersecurity | Seqrite

This write-up details MedusaLocker’s technical behavior, including privilege escalation via a UAC bypass, persistence through %AppData%\Roaming duplication and registry entries, termination of backup/DB services, shadow-copy removal, and AES+RSA file encryption. It also describes network share enumeration for lateral spread and the dropped ransom note identifying victims.

Keypoints

  • Creates a Mutex on startup to prevent multiple instances and checks for administrative privileges.
  • Attempts UAC bypass to elevate privileges when not running as admin.
  • Establishes persistence by copying the payload to %AppData%\Roaming as svhost.exe or svchostt.exe and adding a registry entry under HKEY_CURRENT_USER\SOFTWARE\MDSLK.
  • Stops and terminates a hardcoded list of services and processes (including SQL and backup/AV services) to disable defenses and file access.
  • Deletes shadow copies and runs hardcoded system commands to inhibit system recovery.
  • Encrypts files using AES-256 for file content and encrypts the AES key with an embedded RSA public key; encrypted files are given an “L54” extension.
  • Enumerates logical drives and network shares (via GetLogicalDrives and NetShareEnum) to encrypt local and networked files and propagate across the LAN.

MITRE Techniques

  • [T1548.002] Abuse Elevation Control Mechanism – Bypass UAC to attain elevated privileges: [‘employs a User Account Control (UAC) bypass technique to attain elevated privileges.’]
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence via copying payload to %AppData%\Roaming and registry entry: [‘duplicates its malicious executable as either “svhost.exe” or “svchostt.exe” within the user’s roaming application data directory (%AppData%\Roaming)’]
  • [T1489] Service Stop – Stops specific hardcoded services to disable defenses using service APIs: [‘stops them using the CloseServiceHandle()’]
  • [T1490] Inhibit System Recovery – Removes backups and shadow copies using hardcoded commands: [‘uses hardcoded commands to remove backups, delete the shadow copy’]
  • [T1083] File and Directory Discovery – Enumerates drives and file system targets before encryption: [‘tries to retrieve the logical drives using the API call GetLogicalDrives to encrypt the system.’]
  • [T1082] System Information Discovery – Checks administrative privileges and inspects system state: [‘checks to determine whether the current process runs with administrative privileges.’]
  • [T1486] Data Encrypted for Impact – Encrypts victim files with AES-256 and protects AES keys with an embedded RSA public key: [‘MedusaLocker employs AES and RSA encryption techniques to encrypt victims’ data.’]
  • [T1135] Network Share Discovery – Uses NetShareEnum to enumerate and process network shares for lateral propagation: [‘uses Windows Network API NetShareEnum to enumerate network share.’]

Indicators of Compromise

  • [File Hashes] Malware samples – 6da9c76a6e319c17f1d39e0ae2eaf2af, 4ef811b784b985769645e03bc0b9cd24, and 61b0906f31ce772130b0ee9c4b86dc92
  • [Filenames] Persistence/dropper names – svhost.exe, svchostt.exe
  • [Registry Key] Persistence marker – HKEY_CURRENT_USER\SOFTWARE\MDSLK
  • [File Extension] Encrypted files – *.L54 (extension appended to encrypted files)

MedusaLocker initiates by checking for a Mutex and creating one if absent, then verifies administrative privileges and attempts a UAC bypass when needed. It writes a registry key under HKEY_CURRENT_USER\SOFTWARE\MDSLK and copies its executable into %AppData%\Roaming (as svhost.exe or svchostt.exe) to ensure persistence across logons.

Before encrypting data, the ransomware enumerates running services and processes against hardcoded lists, stopping services via service control APIs and terminating processes with TerminateProcess to disable backups, databases, and security software. It executes hardcoded system commands to remove shadow copies and other recovery artifacts.

For encryption and spread, MedusaLocker enumerates logical drives (GetLogicalDrives) and iterates file systems while excluding certain file types, encrypting files with AES-256 and then encrypting the AES key with an embedded RSA public key; encrypted files receive an “L54” extension. It also enumerates network shares using NetShareEnum to locate and encrypt files on reachable networked hosts, and drops an HTML ransom note containing the victim ID and attacker contact information.

Read more: https://www.seqrite.com/blog/medusalocker-ransomware-an-in-depth-technical-analysis-and-prevention-strategies/