MedusaLocker Ransomware: An In-Depth Technical Analysis and Prevention Strategies

MedusaLocker ransomware targets the hospital and healthcare sectors and uses AES and RSA encryption to lock victims’ data. This summary outlines its techniques for persistence, privilege escalation, service and process termination, shadow copy deletion and network propagation, along with practical prevention strategies.

Keypoints

  • MedusaLocker primarily targets the Hospital and Healthcare industries and uses AES and RSA encryption.
  • It checks for a Mutex and creates one if absent to ensure a single instance.
  • It checks whether it is running with admin privileges and, if not, bypasses UAC to elevate.
  • It creates a registry entry (HKEY_CURRENT_USER\SOFTWARE\MDSLK) to mark infected systems.
  • It terminates hardcoded services and processes to hinder remediation.
  • It deletes shadow copies/backups to prevent data recovery and persists by copying itself as svhost.exe or svchostt.exe into the user’s AppData\Roaming folder.
  • Encryption uses a unique AES key, which is then encrypted with an embedded RSA public key, so decryption depends on the attackers’ RSA private key.
  • Network propagation is attempted via enumeration of network shares (NetShareEnum) after encryption.

MITRE Techniques

  • [T1112] Modify Registry – It adds the registry key HKEY_CURRENT_USER\SOFTWARE\MDSLK with the value name “self” and the application name as its data, marking the system as infected by MedusaLocker.
  • [T1548.002] Bypass User Account Control – If it detects that the process lacks admin privileges, it employs a User Account Control (UAC) bypass technique to attain elevated privileges.
  • [T1486] Data Encrypted for Impact – The ransomware uses AES-256 encryption to lock the victim’s files, generating a unique AES encryption key. This AES key is then encrypted using an embedded RSA public key, and the result is stored as ciphertext.
  • [T1057] Process Discovery – The ransomware uses CreateToolhelp32Snapshot() to retrieve the running processes and compares them against a predefined, hardcoded list. If any of the hardcoded processes are found running, it terminates them using the TerminateProcess() API.
  • [T1489] Service Stop – Like other ransomware, MedusaLocker also terminates specific services by referencing a hardcoded list of services. It compares this list with the currently running services and, if any of the hardcoded services are found to be running, stops them using CloseServiceHandle().
  • [T1547.001] Registry Run Keys/Startup Folder – Persistence: MedusaLocker duplicates its malicious executable as either “svhost.exe” or “svchostt.exe” within the user’s roaming application data directory (%AppData%\Roaming) to establish persistence and ensure the malware runs during system start-up, allowing it to continue encrypting files.
  • [T1135] Network Share Discovery – After encryption, the ransomware uses the Windows network API NetShareEnum to enumerate network shares. It processes the share names, performs string manipulations, and checks for the presence of “$” in the share names.

Indicators of Compromise

  • [Hash] MedusaLocker sample hashes observed: 6da9c76a6e319c17f1d39e0ae2eaf2af, 4ef811b784b985769645e03bc0b9cd24, 61b0906f31ce772130b0ee9c4b86dc92
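The registry marker (T1112), the AppData persistence copies (T1547.001) and the sample hashes above give a defender three host-level artefacts to hunt for. The following PowerShell script is an added example written for this summary; it is not code from the Quick Heal analysis or from the malware. It assumes the marker is readable under HKCU:\SOFTWARE\MDSLK with a value named "self", that the dropped copies land directly in the folder %APPDATA% resolves to, and that the 32-hex-character hashes listed on the page are MD5 digests (their length matches MD5, but the page does not state the algorithm). The Run-key check is a conventional persistence sweep for the two file names, not something the page claims MedusaLocker does explicitly.

```powershell
# Added host-hunting script (not part of the original analysis).
# Looks for the artefacts the summary attributes to MedusaLocker:
#   1. the HKCU\SOFTWARE\MDSLK infection marker (value name "self")
#   2. svhost.exe / svchostt.exe copies dropped into the roaming AppData folder
#   3. Run-key entries that point at those file names
# Any file found is hashed and compared with the hashes listed on the page
# (assumed MD5; adjust -Algorithm if the source confirms otherwise).

$KnownHashes = @(
    '6da9c76a6e319c17f1d39e0ae2eaf2af',
    '4ef811b784b985769645e03bc0b9cd24',
    '61b0906f31ce772130b0ee9c4b86dc92'
)
$DropNames = @('svhost.exe', 'svchostt.exe')
$Findings  = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Type, [string]$Detail)
    $Findings.Add([pscustomobject]@{ Type = $Type; Detail = $Detail })
}

# 1. Infection marker written by the ransomware
$MarkerPath = 'HKCU:\SOFTWARE\MDSLK'
if (Test-Path $MarkerPath) {
    $self = (Get-ItemProperty -Path $MarkerPath -ErrorAction SilentlyContinue).self
    Add-Finding 'RegistryMarker' "$MarkerPath exists (self = '$self')"
}

# 2. Persistence copies in %APPDATA% (the Roaming profile folder).
#    The legitimate svchost.exe lives in System32, so either name here is suspect.
foreach ($name in $DropNames) {
    $candidate = Join-Path $env:APPDATA $name
    if (Test-Path $candidate) {
        $hash  = (Get-FileHash -Path $candidate -Algorithm MD5).Hash.ToLower()
        $match = if ($KnownHashes -contains $hash) { 'matches a published sample hash' } else { 'hash not in published list' }
        Add-Finding 'DroppedBinary' "$candidate (MD5 $hash, $match)"
    }
}

# 3. Run keys whose data references the dropped file names
$RunKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSDrive/... metadata
        foreach ($name in $DropNames) {
            if ("$($p.Value)" -match [regex]::Escape($name)) {
                Add-Finding 'RunKey' "$key\$($p.Name) -> $($p.Value)"
            }
        }
    }
}

if ($Findings.Count -eq 0) {
    Write-Output 'No MedusaLocker artefacts found on this host.'
} else {
    $Findings | Format-Table -AutoSize
}
```

Run it in an elevated session so the HKLM Run key is readable; on a clean host it prints the single "no artefacts" line, and on a hit it lists each artefact with its type so the output can be fed straight into a ticket or a fleet-wide sweep.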

Read more: https://blogs.quickheal.com/medusalocker-ransomware-an-in-depth-technical-analysis-and-prevention-strategies/