CISA Alert AA22-181A – #StopRansomware: MedusaLocker.

This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Two tack One Eight One Alpha.

​​Original release date: June Thirtieth, twenty twenty two.

CISA, the FBI, the Department of the Treasury, and the Financial Crimes Enforcement Network are releasing this alert to provide information on MedusaLocker ransomware. Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol to access victims’ networks. The MedusaLocker actors encrypt the victim's data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to provide ransomware payments to a specific Bitcoin wallet address. MedusaLocker appears to operate as a Ransomware-as-a-Service model based on the observed split of ransom payments. Typical Ransomware-as-a-Service models involve the ransomware developer and various affiliates that deploy the ransomware on victim systems.

MedusaLocker ransomware actors most often gain access to victim devices through vulnerable Remote Desktop Protocol configurations. Actors also frequently use email phishing and spam email campaigns—directly attaching the ransomware to the email—as initial intrusion vectors.

MedusaLocker ransomware uses a batch file to execute a malicious PowerShell script. This script propagates MedusaLocker throughout the network by editing the EnableLinkedConnections value within the infected machine’s registry, which then allows the infected machine to detect attached hosts and networks via Internet Control Message Protocol and to detect shared storage via Server Message Block Protocol.

The resources linked in the show notes include indicators of compromise, a full MITRE ATT&CK mapping of the MedusaLocker TTPs, and mitigation actions. 

This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures and indicators of compromise to help organizations protect against ransomware. Visit stopransomware.gov for free resources and to learn more about other ransomware threats.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.