Advisory Concerning the MedusaLocker Ransomware Issued by FinCEN, FBI, and CISA

The Federal Bureau of Investigation (FBI), the Department of the Treasury, the Financial Crimes Enforcement Network (FinCEN), and the Cybersecurity and Infrastructure Security Agency (CISA) have published a joint cybersecurity advisory on the MedusaLocker ransomware.

The MedusaLocker threat group operates as a ransomware-as-a-service (RaaS) operation, using affiliates to carry out attacks in exchange for roughly 55–60% of the ransom payments they bring in. MedusaLocker was first observed in September 2019 and has been used to attack a wide range of targets in America.

Once inside a victim's network, the actors use a batch file to launch a PowerShell script that propagates MedusaLocker across the network. The script does this by modifying the EnableLinkedConnections value in the infected machine's registry, which allows the infected machine to discover attached hosts and networks via Internet Control Message Protocol (ICMP) and locate shared storage via Server Message Block (SMB) protocol.
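As an added illustration that is not part of the advisory, the following Python detector checks constructed Sysmon-style JSON events for the two behaviours described above: a PowerShell process spawned by cmd.exe, as a batch file launching a script would produce, and the EnableLinkedConnections registry value being set to 1. The full registry path and the Sysmon event IDs are assumptions based on Windows and Sysmon conventions; the sample events are constructed, not real telemetry.

```python
import json
from typing import Dict, List

# Constructed Sysmon-style events as JSON lines (not real telemetry). Field
# names follow Sysmon Event ID 1 (process create) and 13 (registry value set).
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell.exe -File C:\\Users\\Public\\spread.ps1"}
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLinkedConnections", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "EventType": "SetValue", "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "Details": "DWORD (0x00000001)"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe notes.txt"}
"""

# Assumed registry location of the value named in the advisory.
LINKED_CONNECTIONS_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections"

def parse_events(log: str) -> List[Dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in log.splitlines() if line.strip()]

def is_linked_connections_enabled(ev: Dict) -> bool:
    """Registry value set that turns EnableLinkedConnections on (DWORD 1)."""
    return (ev.get("EventID") == 13
            and ev.get("TargetObject", "").lower() == LINKED_CONNECTIONS_KEY.lower()
            and "0x00000001" in ev.get("Details", ""))

def is_powershell_from_cmd(ev: Dict) -> bool:
    """PowerShell spawned by cmd.exe, as happens when a .bat launches a script.
    Noisy on its own (admin scripts do this too); correlate with the registry
    hit from the same image within a short window before alerting."""
    return (ev.get("EventID") == 1
            and ev.get("Image", "").lower().endswith("\\powershell.exe")
            and ev.get("ParentImage", "").lower().endswith("\\cmd.exe"))

def detect(log: str) -> List[str]:
    """Return one finding per matching event, in log order."""
    findings = []
    for ev in parse_events(log):
        if is_linked_connections_enabled(ev):
            findings.append(f"EnableLinkedConnections set to 1 by {ev.get('Image')}")
        elif is_powershell_from_cmd(ev):
            findings.append(f"PowerShell launched from cmd.exe: {ev.get('CommandLine')}")
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```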

MedusaLocker then terminates security, accounting, and forensic software, restarts the machine in safe mode so that security products do not detect the ransomware, and encrypts the victim's files. All files are encrypted except those essential to the operation of the victims' systems. The ransomware also typically deletes local backups and shadow copies and disables startup recovery options.

Several vectors are used to gain initial access, including phishing and spam email campaigns, some of which attach the ransomware payload directly to the email; by far the most common vector, however, is exploitation of vulnerable Remote Desktop Protocol (RDP) configurations.

The advisory shares Indicators of Compromise (IoCs), including IP addresses, email addresses, Bitcoin wallet addresses, and TOR addresses known to be used by the group. It also recommends numerous mitigations, the most important being to prioritize remediation of identified vulnerabilities, enable and enforce multifactor authentication, and train staff to recognize and avoid phishing attempts.