The Department of the Treasury, Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Financial Crimes Enforcement Network (FinCEN) have released a joint cybersecurity warning regarding the MedusaLocker ransomware.
The MedusaLocker threat group appears to operate as a ransomware-as-a-service (RaaS) operation, recruiting affiliates who carry out the attacks in return for roughly 55 to 60% of any ransom payments. MedusaLocker was first identified in September 2019 and has been used to attack a wide range of targets in the U.S.A.
Once access to a victim's network has been obtained, a batch file is used to execute a PowerShell script that propagates MedusaLocker across the network. This is done by changing the EnableLinkedConnections value in the compromised machine's registry, which allows the infected machine to identify connected hosts and networks via Internet Control Message Protocol (ICMP) and to locate shared storage via the Server Message Block (SMB) protocol.
MedusaLocker terminates accounting, security, and forensic software, restarts the machine in safe mode so that security software does not detect the ransomware, and then encrypts files. All files are encrypted except those essential to the operation of the victim's system. The ransomware also typically deletes local backups and shadow copies and disables startup recovery functions.
Several vectors are used to gain initial access to systems, including spam and phishing email campaigns, some of which attach the ransomware payload directly to the emails; however, by far the most common initial access vector is vulnerable Remote Desktop Protocol (RDP) configurations.
The advisory includes Indicators of Compromise (IoCs): IP addresses, email addresses, Bitcoin wallet addresses, and TOR addresses known to be used by the group. Several mitigations are recommended, the most important being to remediate known vulnerabilities first, to enable and enforce multifactor authentication, and to train staff to recognize and avoid phishing attempts.
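As an added example (not part of the joint advisory or of this article), the following read-only PowerShell audit reports the host settings tied to the behaviours described above: the EnableLinkedConnections registry change used for spreading, the RDP exposure and Network Level Authentication state, and whether any volume shadow copies remain. The registry paths are the standard Windows locations; the check names and status labels are the example's own.

```powershell
# Added defensive audit example (not from the advisory). Read-only: it changes nothing.
# Run in an elevated PowerShell session so the shadow-copy query is permitted.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # key or value absent: caller treats this as "not set"
    }
}

$findings = @()

# 1. EnableLinkedConnections = 1 lets elevated processes see drives mapped by the
#    standard-user token; the advisory describes MedusaLocker changing this value
#    so the payload can reach network shares. Default is unset (behaves as 0).
$linked = Get-RegistryDword 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'EnableLinkedConnections'
$findings += [pscustomobject]@{
    Check  = 'EnableLinkedConnections'
    Value  = $(if ($null -eq $linked) { 'not set (default 0)' } else { $linked })
    Status = $(if ($linked -eq 1) { 'REVIEW: enabled' } else { 'OK' })
}

# 2. Is Remote Desktop enabled at all? fDenyTSConnections = 0 means RDP is on.
$denyTS = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' 'fDenyTSConnections'
$findings += [pscustomobject]@{
    Check  = 'RDP enabled'
    Value  = $(if ($null -eq $denyTS) { 'not set' } else { $denyTS })
    Status = $(if ($denyTS -eq 0) { 'REVIEW: RDP on, confirm exposure and MFA' } else { 'OK' })
}

# 3. If RDP is on, Network Level Authentication (UserAuthentication = 1) should be required.
$nla = Get-RegistryDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 'UserAuthentication'
$findings += [pscustomobject]@{
    Check  = 'RDP Network Level Authentication'
    Value  = $(if ($null -eq $nla) { 'not set' } else { $nla })
    Status = $(if ($denyTS -eq 0 -and $nla -ne 1) { 'REVIEW: NLA not required' } else { 'OK' })
}

# 4. The advisory notes the ransomware deletes shadow copies; a host with none either
#    has no local recovery point or may already have been hit.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
$findings += [pscustomobject]@{
    Check  = 'Volume shadow copies present'
    Value  = $shadows.Count
    Status = $(if ($shadows.Count -eq 0) { 'REVIEW: none found' } else { 'OK' })
}

$findings | Format-Table -AutoSize
```

A REVIEW result is a prompt to investigate, not proof of compromise; EnableLinkedConnections and RDP can be legitimately enabled by policy, so compare against your baseline.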