MedusaLocker Ransomware Detection: Federal Authorities Release a Joint CSA

MedusaLocker ransomware first surfaced in September 2019 and has been impacting a wide range of industries and organizations, primarily in healthcare, ever since.

Assuming how adversaries divide the ransom money, MedusaLocker appears to be run as a RaaS. Sources claimed that payments for ransomware seem to be divided between the affiliate and the developer, with the former getting the bigger сut.

In the recent attack wave, the MedusaLocker threat group launched campaigns sending out unsolicited malicious emails as well as RDP brute force attacks to break into target networks. Then followed the encryption of the compromised data and the ransom note instructing further steps, including the ransom payment in cryptocurrency (Bitcoin).

Detect MedusaLocker Ransomware

To help organizations detect malicious activity related to MedusaLocker, the SOC Prime’s Detection as Code platform’s new and existing users can download dedicated Sigma rules created by our Threat Bounty developer, Nattatorn Chuensangarun:

Detection Content for MedusaLocker Ransomware

The dedicated rule kit is available for the 25+ SIEM, EDR & XDR platforms, aligned with the MITRE ATT&CK® framework v.10.

The Detect & Hunt button will take you to the repository of detections associated with ransomware attacks. SOC Prime’s library is constantly updated with new content, empowered by the collaborative cyber defense approach and enabled by Follow the Sun (FTS) model to ensure timely delivery of detections for critical threats as a response to the massive boom in the number of ransomware occurrences. Click the Explore Threat Context button to access detections related to MedusaLocker ransomware using SOC Prime’s search engine for Threat Detection, Threat Hunting, and CTI.

Detect & Hunt Explore Threat Context

MedusaLocker Ransomware Analysis

FBI, CISA, FinCEN, and the Department of the Treasury, have released a joint cybersecurity advisory (CSA) regarding the MedusaLocker ransomware group’s activity ramp-up. The CSA details the latest attacks launched by the MedusaLocker actors in late Spring 2022. According to the advisory, hackers employ such initial infection vectors as social engineering (malspam and phishing campaigns) and exploitation of vulnerabilities in Remote Desktop Protocol (RDP).

Once attackers have acquired initial access, a PowerShell script that spreads the ransomware over the network is run using a batch file. In order to remain undetected, MedusaLocker kills all security processes before encrypting files that are not essential for the breached device to operate. As a result of infection, all shadow copies and local backups are removed as well as start-up system restore options are terminated.

Victims are left with a ransom note, urging the ransom payment in Bitcoin to reclaim access to their data and systems.

Got high-flying ambitions in cybersecurity? Join the Threat Bounty Program to become part of the world’s largest community of cyber defenders and help us transform threat hunting and detection worldwide. Create and share your Sigma and YARA rules, get recurring monetary rewards, and join the fight in combating current and evolving threats with SOC Prime!