FBI and CISA warning: This ransomware uses RDP vulnerabilities to break into networks
Several US law enforcement agencies have shone the spotlight on MedusaLocker, a ransomware gang that has taken care of the pandemic by hitting healthcare organizations.
MedusaLocker first appeared in 2019 and has been a problem ever since, ramping up activity during the early stages of the pandemic to maximize profits.
While Medusa today isn’t as prolific as the Conti and Lockbit RaaS networks, MedusaLocker has caused its fair share of problems, being one of many threats that has led Microsoft to warn healthcare operators to fix the dots. VPN termination and configure Remote Desktop Protocol (RDP) securely.
SEE: Ransomware attacks: This is the data cybercriminals really want to steal
In Q1 2020, MedusaLocker was one of the top ransomware payloads along with RobbinHood, Maze, PonyFinal, Valet loader, REvil, RagnarLocker, and LockBit, according to Microsoft.
In May 2022, Medusa was observed primarily exploiting vulnerable RDP configurations to access victims’ networks, according to a new Joint Cybersecurity Advisory (CSA) the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Treasury and the Financial Crimes Enforcement Network (FinCEN).
The notice is part of CISA #StopRansomware collection of ransomware resources.
“MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed distribution of ransom payments,” CSA notes.
RaaS models involve the combined efforts of the ransomware developer and various affiliates, such as access brokers who gain initial access and other actors who deploy the ransomware to victim systems.
“MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55-60% of the ransom, and the developer, who receives the rest,” notes the CSA.
On a technical level, once MedusaLocker actors gain initial access, MedusaLocker deploys a PowerShell script to spread the ransomware to the network by modifying the machine’s registry to detect connected hosts and networks, and using the SMB file sharing protocol to detect attached storage.
MedusaLocker attackers place a ransom note in every folder containing a file containing the victim’s encrypted data, according to the CSA.
Key actions of MedusaLocker after it is released to a network include:
- Restarts the LanmanWorkstation service, allowing registry changes to take effect
- Kills processes of well-known security, accounting and forensic software
- Restarts the machine in safe mode to avoid detection by security software
- Encrypts victim files with AES-256 encryption algorithm; the resulting key is then encrypted with an RSA-2048 public key
- Runs every 60 seconds, encrypting all files except those critical to the functionality of the victim’s machine and those with the designated encrypted file extension
- Establishes persistence by scheduling a task to run the ransomware every 15 minutes.
- Attempts to prevent standard recovery techniques by deleting local backups, disabling startup recovery options, and deleting shadow copies
These attacks can be protected against. Mitigation measures recommended by the agencies include:
- Implement a recovery plan that maintains and retains multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location
- Implement network segmentation and maintain offline backups of data
- Back up data regularly and password protect backup copies stored offline. Ensure that copies of critical data are not accessible for modification or deletion from the system