Uncovering the Abilities of MedusaLocker Ransomware

  • The ransomware was first observed in the wild towards the end of September 2019.
  • Several incidents point strongly that the malicious payload is delivered via spam emails.

MedusaLocker is a ransomware family that has steadily expanded its malicious capabilities since it first appeared. It was first observed in the wild towards the end of September 2019 and has since affected a good number of organizations worldwide.

More details about the malware
It is still unclear how the malware spreads. However, several incidents strongly indicate that the malicious payload is delivered via spam emails. Once executed, the ransomware takes steps to ensure that it can infect not only the targeted machine but also remote and adjacent hosts.

Avoiding detection by security solutions
Furthermore, the ransomware restarts the LanmanWorkstation service, which is responsible for creating and maintaining network connections over the SMB protocol. The restart forces the service to take on the configuration settings that MedusaLocker has imposed. Once this is complete, MedusaLocker works to stay undetected by security solutions: it terminates processes linked to products from vendors such as G Data, Qihoo 360, and Symantec.

The ransomware also terminates applications that security researchers use to analyze and reverse-engineer malware activity, such as MS SQL, Apache Tomcat, and VMware.
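The service restart and the process terminations described above are both visible in host telemetry, and together they make a much stronger signal than either does alone. The following detector is an added example written for this article, not code from the article or from any vendor: it scans a stream of Windows-style event records for a LanmanWorkstation restart followed within a short window by terminations of security-product processes. The record format, the executable names, and the vendor keywords used for matching are constructed for illustration and are not confirmed indicators; real telemetry (Sysmon or the System event log) needs its own parser.

```python
import re
from datetime import datetime, timedelta

# Vendors named in the article whose products MedusaLocker is reported to kill.
# Matching on a keyword in the image name is a deliberately coarse heuristic.
SECURITY_PROCESS_HINTS = ("gdata", "360", "symantec")

# Constructed sample records, one per line: "<ISO timestamp> <event> key=value ..."
# The executable names are placeholders, not real product binaries.
SAMPLE_LOG = """\
2019-10-02T09:14:03 SERVICE_STATE name=LanmanWorkstation state=stopped
2019-10-02T09:14:04 SERVICE_STATE name=LanmanWorkstation state=running
2019-10-02T09:14:06 PROCESS_TERMINATE image=C:\\Program Files\\GDATA\\GDataAV.exe
2019-10-02T09:14:06 PROCESS_TERMINATE image=C:\\Program Files\\360\\Qihoo360AV.exe
2019-10-02T09:14:07 PROCESS_TERMINATE image=C:\\Program Files\\Symantec\\SymantecAV.exe
2019-10-02T09:14:07 PROCESS_TERMINATE image=C:\\Windows\\notepad.exe
2019-10-02T11:30:00 PROCESS_TERMINATE image=C:\\Program Files\\Symantec\\SymantecAV.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>SERVICE_STATE|PROCESS_TERMINATE) (?P<detail>.*)$"
)
# key=value pairs; values may contain spaces (paths), so stop only before the next key.
KV_RE = re.compile(r"(\w+)=(.+?)(?= \w+=|$)")


def parse_record(line):
    """Turn one log line into a dict, or None if the line is not in the expected shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("detail")))
    return {"ts": datetime.fromisoformat(m.group("ts")),
            "event": m.group("event"), **fields}


def is_security_process(image):
    """Coarse check: does the executable name contain a known vendor keyword?"""
    name = image.rsplit("\\", 1)[-1].lower()
    return any(hint in name for hint in SECURITY_PROCESS_HINTS)


def detect(log_text, window=timedelta(seconds=60), min_kills=2):
    """Return one alert per LanmanWorkstation restart that is followed, within
    `window`, by at least `min_kills` terminations of security-product processes."""
    records = [r for r in (parse_record(l) for l in log_text.splitlines()) if r]
    restarts = [r["ts"] for r in records
                if r["event"] == "SERVICE_STATE"
                and r.get("name") == "LanmanWorkstation"
                and r.get("state") == "running"]
    kills = [(r["ts"], r["image"]) for r in records
             if r["event"] == "PROCESS_TERMINATE" and is_security_process(r.get("image", ""))]
    alerts = []
    for t in restarts:
        hits = [img for (kt, img) in kills if t <= kt <= t + window]
        if len(hits) >= min_kills:
            alerts.append({"restart_at": t.isoformat(), "killed": hits})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"restart at {alert['restart_at']}: {len(alert['killed'])} security processes killed")
```

On the constructed sample the detector raises one alert for the 09:14:04 restart (three matching terminations inside the window) and ignores the lone Symantec termination at 11:30, which has no preceding restart. Tune `window` and `min_kills` against your own baseline; an administrator restarting the Workstation service during maintenance is normal, a restart paired with a burst of security-product kills is not.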

Encryption process
MedusaLocker uses a combination of AES-256 and RSA-2048 to encrypt files on a victim’s machine. It targets a hard-coded whitelist of file extensions and skips files that already carry the .encrypted extension. After encrypting files, the ransomware creates a ransom note named HOW_TO_RECOVER_DATA.html or Readme.html that contains two email addresses to contact for payment instructions.

Variants
Since its discovery, MedusaLocker has added the following extensions to encrypted files: .newlock, .skynet, .nlocker, .bomber, .breakingbad, .locker16. To gain persistence on infected machines, the malware creates a scheduled task that runs every 10 to 30 minutes.
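The ransom-note filenames and the list of encrypted-file extensions from the two sections above are the artefacts an incident responder sizes an infection by. The triage helper below is an added example written for this article, not code from the article or from any vendor: it classifies each path by the extensions and note names listed above and reports which directories contain encrypted files, which contain a note beside encrypted files, and which contain only a file named Readme.html (a common benign name, so a note without encrypted neighbours is reported separately rather than counted as an infection). The sample paths are constructed; `triage_tree` runs the same logic over a real directory.

```python
import ntpath
import os
from collections import Counter, defaultdict

# Extensions the article attributes to MedusaLocker and its variants.
MEDUSA_EXTENSIONS = (".encrypted", ".newlock", ".skynet", ".nlocker",
                     ".bomber", ".breakingbad", ".locker16")
# Ransom-note filenames from the article, compared case-insensitively.
RANSOM_NOTES = ("how_to_recover_data.html", "readme.html")

# Constructed Windows-style sample paths for a stand-alone run.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.encrypted",
    r"C:\Users\alice\Documents\notes.docx.encrypted",
    r"C:\Users\alice\Documents\HOW_TO_RECOVER_DATA.html",
    r"C:\Users\alice\Pictures\holiday.jpg.skynet",
    r"C:\Users\alice\Pictures\Readme.html",
    r"C:\inetpub\wwwroot\Readme.html",
    r"C:\Users\alice\Desktop\todo.txt",
]


def classify(filename):
    """Return 'ransom_note', the matching MedusaLocker extension, or None."""
    lower = filename.lower()
    if lower in RANSOM_NOTES:
        return "ransom_note"
    return next((ext for ext in MEDUSA_EXTENSIONS if lower.endswith(ext)), None)


def triage(paths, pathmod=ntpath):
    """Summarise MedusaLocker artefacts over an iterable of paths.

    `pathmod` is the path module used to split the paths: ntpath for
    Windows-style strings, os.path when walking the local filesystem."""
    by_ext = Counter()               # encrypted-file count per extension
    encrypted_in = Counter()         # encrypted-file count per directory
    notes_in = defaultdict(list)     # ransom notes found per directory
    for p in paths:
        kind = classify(pathmod.basename(p))
        if kind is None:
            continue
        directory = pathmod.dirname(p)
        if kind == "ransom_note":
            notes_in[directory].append(p)
        else:
            by_ext[kind] += 1
            encrypted_in[directory] += 1
    return {
        "encrypted_by_ext": dict(by_ext),
        "encrypted_dirs": sorted(encrypted_in),
        # A note next to encrypted files is a confident hit.
        "confident_dirs": sorted(d for d in notes_in if encrypted_in[d] > 0),
        # A note with no encrypted neighbours is weak on its own (Readme.html is common).
        "note_only_dirs": sorted(d for d in notes_in if encrypted_in[d] == 0),
    }


def triage_tree(root):
    """Run triage over a real directory tree on the local machine."""
    files = (os.path.join(d, f) for d, _, names in os.walk(root) for f in names)
    return triage(files, pathmod=os.path)


if __name__ == "__main__":
    import sys
    result = triage_tree(sys.argv[1]) if len(sys.argv) > 1 else triage(SAMPLE_PATHS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the constructed sample this reports two .encrypted files and one .skynet file, flags the Documents and Pictures directories as confident hits, and lists the web root's Readme.html under `note_only_dirs` for a human to look at. Run it with a directory argument to walk a live host; the extension list is a whitelist you should extend as new variants are reported.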

Future aspects
MedusaLocker exhibits a wide range of capabilities that can disrupt critical operations of organizations. Therefore, organizations should adopt adequate measures to protect systems and networks from such ransomware attacks.