Advisory warns of MedusaLocker RaaS-based model that depends upon observed split of ransom payments from buzai232's blog

Advisory warns of MedusaLocker RaaS-based model that depends upon observed split of ransom payments

U.S. agencies issued a joint cybersecurity advisory providing information on the MedusaLocker ransomware, including recent activity observed in May. The hackers predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks, encrypt the victim’s data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to provide ransomware payments to a specific Bitcoin wallet address. To get more news about Robotics as a Service, you can visit glprobotics.com official website.

“MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN), said in the latest advisory. “Typical RaaS models involve the ransomware developer and various affiliates that deploy the ransomware on victim systems. MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom, and the developer, who receives the remainder,” it added.

MedusaLocker relies predominantly on exploiting unpatched vulnerabilities in Remote Desktop Protocol to gain access to victims’ networks. It also frequently uses email phishing and spam email campaigns, with malware directly attached to the email, as initial intrusion vectors.

The agencies have asked organizations to mitigate cyber threats from ransomware, including prioritizing remediating known exploited vulnerabilities, training users to recognize and report phishing attempts, and enabling and enforcing multifactor authentication (MFA).

The advisory identified that the MedusaLocker ransomware hackers also frequently use email phishing and spam email campaigns, directly attaching the ransomware to the email, as initial intrusion vectors. “MedusaLocker ransomware uses a batch file to execute PowerShell script. This script propagates MedusaLocker throughout the network by editing the value within the infected machine’s registry, which then allows the infected machine to detect attached hosts and networks via Internet Control Message Protocol (ICMP) and to detect shared storage via Server Message Block (SMB) Protocol,” it added.

MedusaLocker “then restarts the LanmanWorkstationservice, which allows registry edits to take effect, kills the processes of well-known security, accounting, and forensic software, and restarts the machine in safe mode to avoid detection by security software. It also encrypts victim files with the AES-256 encryption algorithm; the resulting key is then encrypted with an RSA-2048 public key, and runs every 60 seconds, encrypting all files except those critical to the functionality of the victim’s machine and those that have the designated encrypted file extension.

It also establishes persistence, and attempts to prevent standard recovery techniques by deleting local backups, disabling startup recovery options, and deleting shadow copies, the advisory said.

MedusaLocker actors place a ransom note into every folder containing a file with the victim’s encrypted data, the joint advisory said. “The note outlines how to communicate with the MedusaLocker actors, typically providing victims with one or more email addresses at which the actors can be reached. The size of MedusaLocker ransom demands appears to vary depending on the victim’s financial status as perceived by the actors,” it added.

Some other mitigation techniques involved implementing a recovery plan that maintains and retains multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location. Organizations can also implement network segmentation and maintain offline backups of data to ensure limited interruption, regularly back up data, and password-protect backup copies stored offline.

Additionally, they can install, regularly update, and enable real-time detection for antivirus software on all hosts, and review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.

Commenting on the MedusaLocker ransomware alert, John Riggi, AHA’s National Advisor for Cybersecurity and Risk, said in a statement, “This joint agency advisory contains very detailed and actionable indicators of compromise. The advisory also highlights the danger of unsecured remote desktop protocol and phishing emails as the initial attack vector,” he added.

“The ‘ransomware as a service’ business model used by the MedusaLocker gang facilitates the continuing global proliferation of ransomware — even by relatively unsophisticated cyber actors,” according to Riggi. “It is strongly recommended that organizations continue to emphasize phishing email education for staff, exercise cyber incident response plans, and ensure the segregation and security of network and data backups, among the many helpful risk mitigation recommendations contained in the advisory,” he added.


Previous post     
     Next post
     Blog home

The Wall

No comments
You need to sign in to comment