Alarming increase in MedusaLocker Ransomware Victims
MedusaLocker ransomware has been active since September 2019. MedusaLocker actors typically gain access to victims’ networks by exploiting vulnerabilities in Remote Desktop Protocol (RDP).
Once Threat Actors (TAs) gain access to the network, they encrypt the victim’s data and, while encrypting, drop a ransom note in every folder with instructions on how victims can communicate with the TAs. The ransom note tells victims to make a ransom payment to the TAs’ crypto wallet address.
MedusaLocker appears to operate on a Ransomware-as-a-Service (RaaS) model, which allows cybercriminals to rent the ransomware and its services from the developer. In the RaaS model, ransomware operators develop the ransomware and a Command and Control panel, which affiliates then use to launch ransomware attacks on targets of their choosing. After a successful operation, the ransomware operators and affiliates divide the ransom extorted from victims.
Figure 1 illustrates the countries that have been targeted by the ransomware group since January 2023, with a total of 24 victims worldwide.
MedusaLocker ransomware gang is known to target Hospital and Healthcare industries, but additionally, the gang also targets industries such as Education and Government organizations.
The figure below shows the industries targeted by the MedusaLocker Ransomware.
The United States of America is the biggest target for all ransomware groups; MedusaLocker follows this trend, with the largest number of its victims located in the United States of America.
However, victims of MedusaLocker ransomware are scattered across all continents, excluding Antarctica. The figure below shows the countries of the affected targets.
According to CISA, the MedusaLocker ransomware group gains initial access to the victim’s device through vulnerable Remote Desktop Protocol (RDP) configurations. The TAs also use phishing and spear phishing emails in their campaigns to target possible victims.
The malware sample we have identified is a 32-bit Graphical User Interface (GUI) based executable compiled with Microsoft Visual C/C++, with a SHA-256 hash of “1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f” (shown in the figure below).
We will be performing an analysis of this ransomware executable to gain insights into its operations.
Upon execution, the MedusaLocker creates a mutex, or mutual exclusion object, as a locking mechanism to prevent two threads from writing to shared memory simultaneously and to avoid reinfection of the victim.
The name of the mutex is “8761ABBD-7F85-42EE-B272-A76179687C63”. It is hardcoded into the binary, as shown in the figure below.
Checking for Administrative Privileges:
After acquiring the mutex, the ransomware checks the privileges of its running process. MedusaLocker requires administrative privileges in order to carry out its malicious operations without any restrictions. To determine the current privileges, the ransomware inspects its own process token.
To do this, it obtains a handle to the current process and then queries the process’s access token using the GetTokenInformation() function. The code for checking the process’s privileges is shown in the figure below.
The ransomware checks whether the process is currently running with administrative privileges. If the process is not running with admin privileges, the ransomware employs a User Account Control (UAC) bypass technique to restart itself with elevated privileges.
This technique uses the Microsoft Connection Manager Profile Installer (CMSTP.exe), a command-line program to install Connection Manager service profiles. CMSTP is used to execute malicious code by routing it through a proxy server.
An illustration of this technique is shown in the figure below.
Disabling UAC Prompt:
The ransomware then attempts to disable the UAC prompt so that the system will not prompt for authentication. To do this, it modifies the “EnableLUA” registry value located at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, setting it to “0”. This stops UAC prompts when a process requires higher privileges to execute.
If the registry modification fails, the ransomware changes the “ConsentPromptBehaviorAdmin” registry value to “0”, allowing it to perform operations that require elevation without consent or credentials.
The code to disable the UAC prompt is shown in the figure below.
Marking the Infected System:
After disabling the UAC prompt, MedusaLocker marks the infected system with a registry key. MedusaLocker creates a value named “Self” under the registry key HKEY_CURRENT_USER\SOFTWARE\MDSLK\ and sets its data to “svchost.exe”, indicating that the system has already been infected by the MedusaLocker ransomware.
The figure below shows the registry entry.
The ransomware now initializes its Cryptor component, which performs AES-256 encryption of the victim’s files at a later stage. MedusaLocker ransomware contains an embedded, Base64-encoded RSA public key that is used to initialize the Cryptor.
The figure below shows the Base64 string.
Now, the ransomware achieves persistence on the victim’s system by dropping itself into the “AppData” folder as “svhost.exe”. The figure below shows the ransomware code to drop itself in the AppData Folder.
Additionally, the MedusaLocker Ransomware creates a Scheduled Task entry in the system that launches it every 15 minutes indefinitely.
The figure below shows the Scheduled Task entry of the MedusaLocker Ransomware.
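The UAC registry changes, the MDSLK\Self marker and the svhost.exe copy in AppData described above are all visible to endpoint telemetry. The following is an added detection example written for this write-up (not code from the report or from the malware): it flags those markers in Sysmon-style registry-set (Event ID 13) and process-create (Event ID 1) records. The sample event lines, SID and user profile path are constructed, and the AppData\Roaming subfolder is an assumption.

```python
"""Added example (not from the original report): flag the MedusaLocker host
markers described above in Sysmon-style events. Sample data is constructed."""
import json
import re

# Sysmon Event ID 13 (registry value set): value-path regex, expected data, label.
# Sysmon logs HKCU under HKU\<SID> and DWORD data as "DWORD (0x00000000)".
REGISTRY_RULES = [
    (re.compile(r"\\Policies\\System\\EnableLUA$", re.I),
     "DWORD (0x00000000)", "UAC disabled via EnableLUA=0"),
    (re.compile(r"\\Policies\\System\\ConsentPromptBehaviorAdmin$", re.I),
     "DWORD (0x00000000)", "UAC admin consent prompt disabled"),
    (re.compile(r"^HKU\\[^\\]+\\SOFTWARE\\MDSLK\\Self$", re.I),
     "svchost.exe", "MedusaLocker infection marker (MDSLK\\Self)"),
]
# Sysmon Event ID 1 (process create): the persistence copy dropped into AppData.
DROPPED_COPY = re.compile(r"\\AppData\\.*\\svhost\.exe$", re.I)


def detect(events_jsonl: str) -> list:
    """Return (label, image) tuples for every event that matches a rule."""
    hits = []
    for line in events_jsonl.strip().splitlines():
        ev = json.loads(line)
        if ev["EventID"] == 13:
            for pattern, wanted, label in REGISTRY_RULES:
                if pattern.search(ev["TargetObject"]) and ev["Details"] == wanted:
                    hits.append((label, ev["Image"]))
        elif ev["EventID"] == 1 and DROPPED_COPY.search(ev["Image"]):
            hits.append(("svhost.exe launched from AppData", ev["Image"]))
    return hits


# Constructed sample events (JSON lines using Sysmon field names); the SID and
# user profile path are made up. The first line is a benign re-enable of UAC.
SAMPLE_EVENTS = r"""
{"EventID":13,"Image":"C:\\Windows\\regedit.exe","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA","Details":"DWORD (0x00000001)"}
{"EventID":1,"Image":"C:\\Users\\alice\\AppData\\Roaming\\svhost.exe","CommandLine":"svhost.exe"}
{"EventID":13,"Image":"C:\\Users\\alice\\AppData\\Roaming\\svhost.exe","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA","Details":"DWORD (0x00000000)"}
{"EventID":13,"Image":"C:\\Users\\alice\\AppData\\Roaming\\svhost.exe","TargetObject":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\ConsentPromptBehaviorAdmin","Details":"DWORD (0x00000000)"}
{"EventID":13,"Image":"C:\\Users\\alice\\AppData\\Roaming\\svhost.exe","TargetObject":"HKU\\S-1-5-21-1111-2222-3333-1001\\SOFTWARE\\MDSLK\\Self","Details":"svchost.exe"}
"""

if __name__ == "__main__":
    for label, image in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {label}: {image}")
```

The benign first event (EnableLUA set back to 1) produces no alert, so the rules key on the exact DWORD data rather than on the value path alone.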
System Volume Enumeration:
After establishing persistence, the ransomware enumerates all the logical drives in the system for further operations. The figure below shows the malware’s routine for enumerating volumes in the system using the FindNextVolumeW() API.
To avoid detection and ensure efficient encryption on the victim’s machine, the MedusaLocker Ransomware also terminates various running services, including antivirus, database, and other utility services. This is done through a hardcoded list of services checked by the ransomware using the QueryServiceStatusEx() function. If any of the hardcoded services are found running, they are stopped using CloseServiceHandle().
The figure below shows the routine for stopping services.
The following table shows the targeted services.
After stopping the predefined services, the ransomware enumerates the running processes using the CreateToolhelp32Snapshot() function and then terminates the relevant processes using the TerminateProcess() function.
This is done by checking a hardcoded list of processes identified as being related to antivirus, databases, and other utility programs. Once the processes have been identified, the ransomware terminates them to prevent any interference with the encryption process.
The figure below shows the routine used to terminate the relevant processes.
The processes targeted by the MedusaLocker ransomware are as follows:
Disabling Data Recovery:
The ransomware now utilizes built-in Windows tools to delete the backups from the victim’s system. It runs the command prompt and executes commands that remove the shadow copies and system backups, making it impossible to recover the data from the infected system. As a result, the victim is compelled to pay the ransom in order to regain access to their data.
The figure below shows the commands executed by the MedusaLocker.
Additionally, the ransomware executes the SHEmptyRecycleBinW() API to clear the Recycle Bin, effectively obstructing the victim’s ability to restore any deleted files. The code for this is shown in the figure below.
Excluding Folders from Encryption:
After impairing data recovery, the ransomware creates a list of folders to exclude from encryption. This ensures that important executables and temporary files needed for normal operation are left intact while data files are still encrypted.
The figure below shows the code for the excluded file paths.
The ransomware now begins encrypting the files on the victim’s machine. The data is encrypted using the AES-256 encryption algorithm, with the AES key in turn encrypted by the RSA public key embedded in the ransomware. Without the private key, it is impossible to decrypt the AES key.
The figure below shows the code to encrypt the files.
When encrypting each file, the ransomware leaves a ransom note in the folder and adds the extension ‘itlock4’. It also excludes files with extensions such as .exe, .dll, .sys, .ini and .rdp from encryption.
The figure below shows the encrypted files and ransom note.
In the end, MedusaLocker Ransomware presents the ransom note to its victims. The ransom note includes a personal ID for the victim’s identification and a Tor contact page to facilitate negotiations and the decryption of sample files.
The figure below shows the ransom note of MedusaLocker.
MedusaLocker checks the active network adapter and uses Internet Control Message Protocol (ICMP) to scan for all connected systems.
The figure below depicts the ransomware using ICMP to scan for connected systems.
After enumeration, the ransomware scans for SMB shares connected to the system. It creates a list of SMB shares, excluding any hidden shares indicated by a name starting with “$”.
The code for this scanning process is shown in the figure below.
Eventually, the ransomware propagates to all shared resources and proceeds to infect other connected systems within the network.
MedusaLocker ransomware is a highly sophisticated form of malicious software that can cause severe data and financial losses for its victims. This advanced ransomware is difficult to detect and stop, and its encryption is extremely difficult to break.
There have been numerous attacks in a short period of time, targeting all kinds of industries and geographic locations. More attacks from the MedusaLocker Ransomware are expected to occur in the future.
The following essential cybersecurity best practices form the first line of defense against attackers. We recommend that our readers follow the best practices given below:
- Conduct frequent audits, vulnerability assessments, and penetration testing of organizational assets, including network and software.
- Monitor incoming emails from suspicious and potentially malicious domains.
- Back up data to different locations and implement Business Continuity Planning (BCP). Keeping the backup servers isolated from the infrastructure helps speed up data recovery.
- Enforce VPN use to safeguard endpoints.
- Conduct frequent security awareness training for the company’s employees to inform them about emerging threats.
- Deploy technology that understands the behavior of ransomware families and variants to block malicious payloads and counter potential attacks.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Initial Access | T1133 | External Remote Services |
| Persistence | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Privilege Escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control |
| Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools |
| Discovery | T1135 | Network Share Discovery |
| Impact | T1486 | Data Encrypted for Impact |
Indicators of Compromise (IOCs)