Several servers tied to MedusaLocker ransomware have been spotted in the wild. These servers are located in Russia and were found to host multiple exploit tools, including Metasploit, Acunetix, Posh, and Deimos.

What does the research say?

  • Attack surface risk management firm Censys revealed details of several Russian servers hosting a malware kit that points to the MedusaLocker group, which is known for targeting organizations in the healthcare industry.
  • Censys found that data on the servers overlapped with indicators from the MedusaLocker campaign. This data includes certificates, software, fingerprints, and other attack vectors used to breach computers.
  • While the majority of the ransomware's victims are located in various U.S. states, such as Virginia, Ohio, New Jersey, and California, other affected countries include Taiwan, China, and the Netherlands.

Earlier CISA had warned about the ransomware

  • Earlier this month, the U.S. federal government issued a warning about widespread MedusaLocker ransomware campaigns that exploited unsecured Remote Desktop Protocol (RDP) configurations. These attacks were reported as recently as May.
  • The attackers also used phishing emails as an initial intrusion vector to deliver the ransomware onto victims' machines.
  • Once executed, the ransomware restarts the machine in safe mode to evade detection by security software. It then encrypts the victim's files with the AES-256 and RSA-2048 algorithms before appending an extension to them.
  • The note stated that the group sets the size of the ransom demand according to the financial status of the victim organization.

Key point

While it is still under investigation whether other ransomware groups are also using the servers linked to MedusaLocker, some domains hosted on these servers were found to belong to the Karma ransomware group.

Mitigation measures suggested

Researchers note that attackers are constantly looking for vulnerable tools and software through which to gain initial access to a network. Organizations are therefore advised to adopt several mitigation measures against ransomware attacks. These include implementing a recovery plan that maintains and retains multiple copies of sensitive data, regularly updating software to the latest versions, and enforcing MFA, among others.
Cyware Publisher
