The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) have issued a joint advisory highlighting recent MedusaLocker ransomware activity.

For the uninitiated, MedusaLocker emerged in 2019 and has since been expanding its operations to maximize profits.

What does the advisory say?

  • As of May 2022, the operators of the ransomware rely heavily on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. Upon execution, the ransomware encrypts the victims’ data and leaves behind a ransom note with instructions for decrypting the files.
  • The note directs victims to a specific Bitcoin wallet address to make the ransom payment.
  • The advisory notes that an affiliate can expect between 55 and 60 percent of the ransom payments generated through their actions, with the remaining proceeds going to the operators.

Modus Operandi

  • The initial infection chain begins with phishing emails that include exploits for vulnerable RDP.
  • Once the actors have gained initial access, a PowerShell script is deployed to propagate the ransomware throughout the network.
  • Additionally, the ransomware kills the processes of well-known security and forensic software in order to maintain persistence for longer.
  • Once the machine is in safe mode, MedusaLocker uses the AES-256 and RSA-2048 algorithms to encrypt files.

How can organizations stay safe?

Federal authorities have recommended several mitigation measures to prevent such attacks. These include implementing a recovery plan that retains sensitive or proprietary data. Organizations must also make sure that copies of critical data cannot be modified or deleted by unauthorized users. Implementing network segmentation and maintaining offline backups of data are also advised.
Cyware Publisher