CISA Warns About MedusaLocker Ransomware’s Latest Activity

What does the advisory say?

• As of May 2022, the operators of the ransomware are heavily relying on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. Upon execution, the ransomware encrypts the victims’ data and leaves behind a ransom note with instructions to decrypt files.  
• The note directs victims to a specific Bitcoin wallet address to make the ransomware payment.
• The advisory notes the affiliate can expect anywhere between 55-60 percent of the ransom payment generated through their actions, and the remaining proceeds go to the operators.

Modus Operandi

• The initial infection chain process begins with phishing emails that include exploits for vulnerable RDP.
• Once the actors have gained initial access, a PowerShell script is deployed to propagate the ransomware throughout the network. 
• Additionally, the ransomware kills the processes of well-known security and forensic software to maintain persistence for a longer period of time. 
• Once the machine is in safe mode, MedusaLocker uses AES-256 and RSA-2048 algorithms to encrypt files. 

How can organizations stay safe?