Increase In MedusaLocker Ransomware Victims – Cyble

MedusaLocker ransomware has been active since September 2019. MedusaLocker actors typically gain access to victims’ networks by exploiting vulnerabilities in Remote Desktop Protocol (RDP).

Once Threat Actors (TAs) gain access to the network, they encrypt the victim’s data and leave a ransom note with instructions on how victims can communicate with the TAs in every folder while encrypting files. The ransom note tells victims to make a ransom payment to TA’s crypto wallet address.

MedusaLocker appears to work on Ransomware-as-a-Service (RaaS) model, which allows cybercriminals to rent the ransomware and its services from the developer. In the RaaS model, ransomware operators develop the ransomware and a Command and Control panel which is then used by the affiliates to launch ransomware attacks on the targets selected by their affiliates. After a successful operation, the ransomware operators and affiliates divide the ransom extorted from victims.

Figure 1 illustrates the countries that have been targeted by the ransomware group since January 2023, with a total of 24 victims worldwide.

Map Showing Target Countries of MedusaLocker
Figure 1 – Map Showing Targets of MedusaLocker

MedusaLocker ransomware gang is known to target Hospital and Healthcare industries, but additionally, the gang also targets industries such as Education and Government organizations.

The figure below shows the industries targeted by the MedusaLocker Ransomware.

Industries Targeted by MedusaLocker
Figure 2 – Industries Targeted by MedusaLocker

The United States of America is the biggest target for all ransomware groups; MedusaLocker also follows this trend, where the largest numbers of the victims are from the United States of America.

However, victims of MedusaLocker ransomware are scattered across all continents, excluding Antarctica. The figure below shows the countries of the affected targets.

Countries Targeted by MedusaLocker
Figure 3 – Countries Targeted by MedusaLocker

Technical Details

According to CISA, the MedusaLocker ransomware group gains initial access to the victim’s device through vulnerable Remote Desktop Protocol (RDP) configurations. The TAs also use phishing and spear phishing emails in their campaigns to target possible victims.

The malware sample we have identified is a 32-bit Graphical User Interface (GUI) based executable compiled with Microsoft Visual C/C++, with a SHA 256 hash of “1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f” (shown in the figure below).

We will be performing an analysis of this ransomware executable to gain insights into its operations.

MedusaLocker File Details
Figure 4 – MedusaLocker File Details

Mutex Creation:

Upon execution, the MedusaLocker creates a mutex, or mutual exclusion object, as a locking mechanism to prevent two threads from writing to shared memory simultaneously and to avoid reinfection of the victim.

The name of the mutex is “8761ABBD-7F85-42EE-B272-A76179687C63”. It is hardcoded into the binary, as shown in the figure below.

MedusaLocker Creating Mutex
Figure 5 – MedusaLocker Creating Mutex

Checking for Administrative Privileges:

After acquiring the mutex, the ransomware checks for the privilege of its running process. MedusaLocker requires administrative privileges in order to carry out its malicious operations without any restrictions. To determine the current privileges, the ransomware checks its own memory for a process token.

To do this, it obtains the current process and then extracts the token information from the process memory using the GetTokenInformation() function. The code for checking the process’s privileges is shown in the figure below.

MedusaLocker Checking for Admin Privileges
Figure 6 – MedusaLocker Checking for Admin Privileges

Privilege Escalation:

The ransomware checks whether the process is currently running with administrative privileges. If the process is not running with admin privileges, the ransomware employs a User Account Control (UAC) bypass technique to restart itself with elevated privileges.

This technique uses the Microsoft Connection Manager Profile Installer (CMSTP.exe), a command-line program to install Connection Manager service profiles. CMSTP is used to execute malicious code by routing it through a proxy server.

An illustration of this technique is shown in the figure below.

MedusaLocker Performing Privilege Escalation
Figure 7 – MedusaLocker Performing Privilege Escalation

Disabling UAC Prompt:

The ransomware then attempts to disable the UAC prompt so that the system will not prompt for authentication. To do this, it modifies the “EnableLUA” registry value located at SOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem to “0”. This stops UAC prompts if the process requires higher privileges to execute.

If the registry modification fails, the ransomware changes the “ConsentPromptBehaviorAdmin” registry value to “0”, allowing it to perform operations that require elevation without consent or credentials.

The code to disable the UAC prompt is shown in the figure below.

MedusaLocker Disabling UAC Prompt
Figure 8 – MedusaLocker Disabling UAC Prompt

Marking the Infected System:

After disabling the UAC prompt, MedusaLocker marks the infected system with the registry key. MedusaLocker creates a value “Self” in the registry key HKEY_CURRENT_USERSOFTWAREMDSLK and sets the data as “svchost.exe” to the registry value, indicating that the system has already been infected by the MedusaLocker ransomware.

The figure below shows the registry entry.

MedusaLocker creating registry marker
Figure 9 – MedusaLocker creating registry marker

Cryptor Initialization:

The ransomware now initializes Cryptor, which performs AES-256 encryption on the victim’s files at a later stage. MedusaLocker ransomware contains an embedded public key which is encoded with Base64 and used to initialize the Cryptor.

The figure below shows the Base64 string.

MedusaLocker Initializing Encryption
Figure 10 – MedusaLocker Initializing Encryption

Persistence:

Now, the ransomware achieves persistence on the victim’s system by dropping itself into the “AppData” folder as “svhost.exe”. The figure below shows the ransomware code to drop itself in the AppData Folder.

MedusaLocker dropping itself in AppData Folder
Figure 11 – MedusaLocker dropping itself in AppData Folder

Additionally, the MedusaLocker Ransomware creates a Schedule Task entry in the system and launches itself every 15 minutes for an indefinite period.

The figure below shows the Schedule Task entry of the MedusaLocker Ransomware.

MedusaLocker Creating Scheduled Task Entry
Figure 12 – MedusaLocker Creating Scheduled Task Entry

System Volume Enumeration:

After persistence, the ransomware enumerates all the logical drives in the system for further operations. The figure below shows the malware’s routine for Enumerating Volumes in the system using the FindNextVolumeW() API.

MedusaLocker Enumerating the Volume Drives
Figure 13 – MedusaLocker Enumerating the Volume Drives

Stopping Services:

To avoid detection and ensure efficient encryption on the victim’s machine, the MedusaLocker Ransomware also terminates various running services, including antivirus, database, and other utility services. This is done through a hardcoded list of services checked by the ransomware using the QueryServiceStatusEx() function. If any of the hardcoded services are found running, they are stopped using CloseServiceHandle().

The figure below shows the routine for stopping services.

MedusaLocker Stopping Services
Figure 14 – MedusaLocker Stopping Services

The following table shows the targeted services:

Defwatch ccEvtMgr ccSetMgr SavRoam
sqlagent Sqladhlp Culserver RTVscan
SQLADHLP QBIDPService Intuit.QuickBooks.FCS QBCFMonitorService
sqlservr sqlbrowser Sqlwriter msmdsrv
tomcat6 zhudongfangyu SQLADHLP vmware-usbarbitator64
vmware-converter dbsrv12 dbeng8  

Process Termination:

After killing the predefined services, the ransomware enumerates the running processes using the CreateToolhelp32Snapshot() function and then terminates the relevant process using the TerminateProcess() function.

This is done by checking a hardcoded list of processes identified as being related to antivirus, databases, and other utility programs. After the processes have been identified, the ransomware will terminate them to prevent any interference with the encryption process.

The figure below shows the routine used to terminate the relevant processes.

MedusaLocker Terminating Processes
Figure 15 – MedusaLocker Terminating Processes

The processes targeted by the MedusaLocker ransomware are as follows:

wxServer.exe wxServerView sqlservr.exe sqlmangr.exe
RAgui.exe supervise.exe Culture.exe RTVscan.exe
Defwatch.exe sqlbrowser.exe winword.exe QBW32.exe
QBDBMgr.exe qbupdate.exe QBCFMonitorService.exe axlbridge.exe
QBIDPService.exe httpd.exe fdlauncher.exe MsDtSrvr.exe
tomcat6.exe java.exe 360se.exe 360doctor.exe
wdswfsafe.exe fdlauncher.exe fdhost.exe GDscan.exe
ZhuDongFangYu.exe      

Disabling Data Recovery:

The Ransomware now utilizes inbuilt tools to delete the backups from the victim’s system. It runs the command prompt and executes commands that remove the shadow copies and system backups, making it impossible to recover the data from the infected system. As a result, the victim is compelled to pay the ransom in order to regain access to their data.

The figure below shows the commands executed by the MedusaLocker.

MedusaLocker Removing the Backup from the victim’s system
Figure 16 – MedusaLocker Removing the Backup from the victim’s system

Additionally, the ransomware executes the SHEmptyRecycleBinW() API to clear the Recycle Bin, effectively obstructing the victim’s ability to restore any deleted files. The code for this is shown in the figure below.

MedusaLocker Emptying the Recycle Bin
Figure 17 – MedusaLocker Emptying the Recycle Bin

Excluding Folders from Encryption:

After impairing data recovery, the ransomware creates a list of folders to exclude from encryption. This ensures that the important executables and temporary files used for normal operations are not encrypted while data files are still encrypted.

The figure below shows the code for the excluded file paths.

MedusaLocker Excluding Important Folders
Figure 18 – MedusaLocker Excluding Important Folders

Data Encryption:

The ransomware now begins encrypting the files in the victim’s machine. The data is encrypted using the AES 256 encryption algorithm, with the encryption key further encrypted by the RSA public key embedded in the ransomware. Without the private key, it is impossible to decrypt the AES key.

The figure below shows the code to encrypt the files.

MedusaLocker’s Encryption Routine
Figure 19 – MedusaLocker’s Encryption Routine

When encrypting each file, the ransomware leaves a ransom note in the folder and adds the extension ‘itlock4’. It also excludes multiple file extensions such as .exe, .dll, .sys, .ini, .rdp, etc. files from encryption.

The figure below shows the encrypted files and ransom note.

MedusaLocker Ransom note and Encrypted Files
Figure 20 – MedusaLocker Ransom note and Encrypted Files

In the end, MedusaLocker Ransomware presents the ransom note to its victims. The ransom note includes a personal ID for the victim’s identification and a Tor contact page to facilitate negotiations and decrypt sample files.

The figure below shows the ransom note of MedusaLocker.

Ransom note Dropped by the MedusaLocker Ransomware
Figure 21 – Ransom note Dropped by the MedusaLocker Ransomware

Network Activities:

The MedusaLocker checks the active network adaptor and uses Internet Control Message Protocol (ICMP) to scan for all connected systems.

The figure below depicts the ransomware using ICMP to scan for connected systems.

MedusaLocker Enumerating the Network using ICMP Protocol
Figure 22 – MedusaLocker Enumerating the Network using ICMP Protocol

After enumeration, the ransomware scans for SMB shares connected to the system. It creates a list of SMB shares, excluding any hidden shares indicated by a name starting with “$”.

The code for this scanning process is shown in the figure below.

MedusaLocker enumerating the SMB Shares
Figure 23 – MedusaLocker enumerating the SMB Shares

Eventually, the ransomware propagates to all shared resources and proceeds to infect other connected systems within the network.

Conclusion

MedusaLocker ransomware is a highly sophisticated form of malicious software that can potentially cause severe data losses and financial losses for its victims. This advanced ransomware is difficult to detect and stop, and its encryption algorithms are extremely difficult to break.

There have been numerous cyber attacks in a short period of time, targeting all kinds of industries and geographic locations. More cyber attacks from the MedusaLocker Ransomware are expected to occur in the future.

Our Recommendations

The following essential cybersecurity best practices create the first line of control against attackers. We recommend that our readers follow the best practices as given below:

  • Frequent Audits, Vulnerability Assessments, and Penetration Testing of organizational assets, including network and software.
  • Monitor incoming emails from suspicious and potentially malicious domains.
  • Back-up data on different locations and implement  Business Continuity Planning (BCP). Keeping the Backup Servers isolated from the infrastructure helps fast data recovery.
  • Enforcement of VPN to safeguard endpoints.
  • Conduct frequent training on security awareness for the company’s employees to inform them about emerging threats.
  • Implementation of technology to understand the behavior of the ransomware-malware families and variants to block malicious payloads and counter potential attacks.

See Cyble Vision in Action

MITRE ATT&CK® Techniques

Tactic Technique ID Technique Name
Initial Access T1133
T1566
External Remote Services
Phishing
Persistence T1053.005   Scheduled Task/Job: Scheduled Task
Privilege Escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
Defense Evasion T1562.001 Impair Defenses: Disable or Modify Tools
Discovery T1135 Network Share Discovery
Impact T1486 Data Encrypted for Impact

Indicators of Compromise (IOCs)

Indicators Indicator Type Description
3618b68d7db4614ec8d33b5052cc0e85
15177fbb65d707b308bac50f612b795494314001
1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f
MD5
SHA1
SHA256
MedusaLocker Executable
28ec152fadc5119c31f1fc984735b324
48e24f5c2c7572ed29a0e58b02e596f0638bc1f6
3e22df5e41df76a46ab360be05fe0ee5c336c84fd55db7763fe4e214dca194b4
MD5
SHA1
SHA256
MedusaLocker Executable
d9fa435d704caebc54408e03227f0044
0f36dff0f1beaf57d68b12fa0234853638c1c6f0
8724e513ca2b4ce055bb846220e57c2ab622f296bf7a768393a701319d3eac70
MD5
SHA1
SHA256
MedusaLocker Executable
2979ed84c4ca3deb2924bd1f26bf88bd
8f01f9112904389e0b53a25506ef69f99cc0fa1b
bcf49e8f493c9eff83d9bc891e91dc91777f02b4f176e44b20f9a2d651f20fc3
MD5
SHA1
SHA256
MedusaLocker Executable
2316091f02153ac20dff768513aae1a4
6b7b1017b9313ab87fccf4ea08a427c1499b89dc
940bddbc6ef19b211f2022d61bf4d006969da11f9fe0beba98586e554dfcc741
MD5
SHA1
SHA256
MedusaLocker Executable
3618b68d7db4614ec8d33b5052cc0e85
15177fbb65d707b308bac50f612b795494314001
1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f
MD5
SHA1
SHA256
MedusaLocker Executable
e03fa1e0dd3dc0fb6960e76219ddf86c
c92fd297256aa8d70607e33188b91442208aaeb3
0a758a922bdaacc08a84a62881eeb0f17075058ecf7329cbc10a9bfe1fba0814
MD5
SHA1
SHA256
MedusaLocker Executable
168447d837fc71deeee9f6c15e22d4f4
80ad29680cb8cecf58d870ee675b155fc616097f
add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b
MD5
SHA1
SHA256
MedusaLocker Executable
57ee7ef00e009c4048d78406b3dca5b7
81467ca16e87dfacd9c965f105fb5b30548f1ded e0221e692fa3476cb2d862c1aee07f3e87d83411ef9a534fdf8d20efbaee0394
MD5
SHA1
SHA256
MedusaLocker Executable
aa82e62207615d2f227ce9a0e488b912
d9390b6c1478970a9e7b8a3fe854a42efdc582f6 79e009e12ba6d60665faf5bdd523d80f0fe6be28694914cf0fa64929b4052e67
MD5
SHA1
SHA256
MedusaLocker Executable

Source: https://blog.cyble.com/2023/03/15/unmasking-medusalocker-ransomware/