  • A new ransomware dubbed MedusaLocker has been observed infecting victims all over the world.
  • Details such as the mode of distribution, the ransom value, and whether a decryptor is actually provided after payment are not yet known.

What is happening?

Researchers have uncovered a new ransomware, MedusaLocker, that is being distributed. Currently, the method of distribution for this ransomware is not known.

This malware is still under analysis, and researchers haven’t yet published a way to decrypt files encrypted by MedusaLocker.

What happens after infection?

In order to prepare the infected system for encryption, this ransomware performs several activities.

  • It first creates a Registry value ‘EnableLinkedConnections’ under a certain path and sets it to ‘1’ so that mapped drives are accessible from UAC-launched processes.
  • Then, it has been observed to restart the LanmanWorkstation service to ensure that Windows networking is running. This also verifies that mapped network drives are accessible by the ransomware.
  • Processes including DefWatch, wrapper, and tomcat6, among others, are terminated to shut down security programs. This enables all data files to be accessible for encrypting.
  • As the final preparation step, it clears the Shadow Volume Copies of files, as most ransomware does, so that the files cannot be restored.
  • It then scans for files, ignoring those with certain extensions such as .exe or .rdp, as well as files located in certain folders.
  • All other files will be encrypted using AES encryption.

One of these extensions—.breakingbad, .locker16, .newlock, .bomber, .nlocker, .skynet, .boroff, .encrypted—will be appended to the encrypted files. The choice of the extension depends on the ransomware variant.

Other details

A ransom note named ‘HOW_TO_RECOVER_DATA.html’ is created. This contains two email addresses to contact for instructions about payment. The ransom note is created in each folder that has an encrypted file.
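The appended extensions and the per-folder ransom note described above can be combined into a simple file-share triage. The following Python sketch is an added example, not code from the researchers or from the original article; the function names, verdict labels and sample file names are assumptions made for illustration.

```python
import os
import tempfile

# Indicators taken from the article text.
RANSOM_NOTE = "how_to_recover_data.html"
APPENDED_EXTS = (".breakingbad", ".locker16", ".newlock", ".bomber",
                 ".nlocker", ".skynet", ".boroff", ".encrypted")


def triage(root):
    """Walk root and classify each folder by which indicators it holds.

    Returns {folder: {"note": bool, "encrypted": [names], "verdict": str}}
    for every folder that contains at least one indicator.
    """
    findings = {}
    for folder, _dirs, files in os.walk(root):
        note = RANSOM_NOTE in (f.lower() for f in files)
        encrypted = sorted(f for f in files if f.lower().endswith(APPENDED_EXTS))
        if not note and not encrypted:
            continue
        if note and encrypted:
            verdict = "likely"     # note sits beside renamed files, as described
        elif note:
            verdict = "note-only"  # note without renamed files: review manually
        else:
            verdict = "ext-only"   # e.g. a generic .encrypted file: weak signal
        findings[folder] = {"note": note, "encrypted": encrypted, "verdict": verdict}
    return findings


def build_sample_tree(root):
    """Constructed sample data: empty files only, names are made up."""
    layout = {
        "finance": ["q3.xlsx.skynet", "HOW_TO_RECOVER_DATA.html"],
        "backups": ["db.bak.encrypted"],
        "tools": ["putty.exe", "server.rdp"],  # types the article says are skipped
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in names:
            open(os.path.join(root, sub, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for folder, info in sorted(triage(tmp).items()):
            print(info["verdict"], os.path.relpath(folder, tmp), info["encrypted"])
```

Requiring the note and a renamed file in the same folder keeps generic extensions such as .encrypted from raising a strong verdict on their own.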

Cyware Publisher