MedusaLocker, or Medusa Locker, is not a new ransomware threat, but security researchers and organizations continuously monitor its behavior to develop mitigation strategies. Organizations must implement strong security measures, conduct regular backups, and educate users about phishing awareness to protect against MedusaLocker.
In this comprehensive article, we will explore the MedusaLocker ransomware variant in detail and provide information on the indicators of compromise (IOCs) associated with the group’s activity. It’s essential to understand which industries the ransomware targets and have some insight into how it operates to improve your cybersecurity and ransomware defense.
MedusaLocker ransomware overview
MedusaLocker ransomware first emerged in September 2019. It is a strain of malware that primarily targets the healthcare sector but has also been observed infecting systems across various industries.
Operating under a Ransomware-as-a-Service (RaaS) model, MedusaLocker encrypts files on infected systems using a combination of AES and RSA, making them inaccessible to users. The threat actors then demand payment for the decryption keys.
MedusaLocker is known for several variants, appending different extensions to encrypted files. It drops ransom notes containing instructions on how to pay the ransom and recover data.
MedusaLocker ransomware's main targets and recent activities
MedusaLocker has reportedly made a comeback at the beginning of 2023. Its reported primary targets are crucial sectors such as hospitals and healthcare organizations, education, and government organizations, where it aims to exploit vulnerabilities in their systems and networks. Its reach extends beyond these sectors, with victims scattered across continents, indicating a global impact.
Pro tip: Proven Data cybersecurity experts recommend that healthcare organizations, as the main target of MedusaLocker, implement multiple levels of access and authentication controls for RDP instances, and patch vulnerabilities. Other prevention methods are also advised, including enforcing strong passwords and two-factor authentication, utilizing VPNs, and restricting access to trusted IP addresses.
How to identify MedusaLocker ransomware: Main IOCs
Indicators of compromise (IOCs) are pieces of forensic data that can help identify malicious activity or malware associated with a cyber attack. They include the encryption extension, file hashes, and IP addresses, among other details cyber criminals leave behind as they infect a machine or system.
But, if you can’t identify the ransomware strain through its IOCs, you can use Proven Data’s free ransomware ID tool to check if the MedusaLocker ransomware is the malware that encrypts your files.
Important: Some of these indicators require technical knowledge of the infected system, so you may need to contact your IT team or a digital forensics service provider.
MedusaLocker ransomware-specific IOCs include:
Known ransom note file names:
- how_to_recover_data.html
- how_to_recover_data.html.marlock01
- instructions.html
- READINSTRUCTION.html
- !!!HOW_TO_DECRYPT!!!
Known encrypted file extensions:
- .1btc
- .matlock20
- .readinstructions
- .bec
- .mylock
- .deadfilesgr
- .lockfiles
- .tyco
- .fileslock
- .zoomzoom
- .marlock08
- .marlock25
Creation of registry entry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run MSFEEditor = “{Malware File Path}\{Malware File Name.exe}”
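As an added example (not Proven Data's ransomware ID tool and not code from this article), the following Python script checks a file tree for the ransom note names and encrypted-file extensions listed above and parses a registry export for the MSFEEditor Run value. The sample directory it builds and the registry export text are constructed for the demonstration; the executable name inside the export is a placeholder, not a real MedusaLocker file name.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicators taken from the lists above; extend them as new variants are reported.
RANSOM_NOTE_NAMES = {
    "how_to_recover_data.html",
    "how_to_recover_data.html.marlock01",
    "instructions.html",
    "readinstruction.html",
    "!!!how_to_decrypt!!!",
}
ENCRYPTED_EXTENSIONS = {
    ".1btc", ".matlock20", ".readinstructions", ".bec", ".mylock", ".deadfilesgr",
    ".lockfiles", ".tyco", ".fileslock", ".zoomzoom", ".marlock08", ".marlock25",
}
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "MSFEEditor"


def scan_tree(root):
    """Walk `root` and return (ransom_notes, encrypted_files) as sorted full paths.
    Comparison is case-insensitive because Windows file names are."""
    notes, encrypted = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            full = os.path.join(dirpath, name)
            if lower in RANSOM_NOTE_NAMES:
                notes.append(full)
            elif os.path.splitext(lower)[1] in ENCRYPTED_EXTENSIONS:
                encrypted.append(full)
    return sorted(notes), sorted(encrypted)


_REG_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def find_run_key_persistence(reg_text):
    """Parse the text of a .reg file (as written by the `reg export` command)
    and return {value_name: command} for Run values named like the IoC above."""
    hits, in_run_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = _REG_VALUE.match(line) if in_run_key else None
        if m and m.group(1).lower() == RUN_VALUE_NAME.lower():
            # .reg files double every backslash; undo that for display.
            hits[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return hits


# Constructed sample registry export; the executable name is a placeholder.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"MSFEEditor"="C:\\Users\\alice\\AppData\\Roaming\\MALWARE_FILE_NAME_PLACEHOLDER.exe"
"""


def build_demo_tree():
    """Create a throwaway directory with constructed files: two ransom notes,
    one encrypted-looking file, and one benign file."""
    root = tempfile.mkdtemp(prefix="medusa_ioc_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("how_to_recover_data.html", "budget.xlsx.marlock08", "readme.txt"):
        Path(docs, name).write_text("constructed sample content")
    Path(root, "!!!HOW_TO_DECRYPT!!!").write_text("constructed sample content")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    found_notes, found_encrypted = scan_tree(demo_root)
    print("ransom notes:", found_notes)
    print("encrypted files:", found_encrypted)
    print("Run-key persistence:", find_run_key_persistence(SAMPLE_REG_EXPORT))
```

On a live Windows host you would point scan_tree at the volumes of interest and feed find_run_key_persistence the file produced by reg export of the Run key; a hit on either check is a reason to isolate the machine and start incident response, not proof on its own that the strain is MedusaLocker.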
How MedusaLocker ransomware works
To gain initial network access, threat actors behind MedusaLocker typically exploit vulnerabilities in Remote Desktop Protocol (RDP) services or conduct phishing campaigns.
Once inside a network, the ransomware follows a typical attack lifecycle, disabling the security software, deleting backup copies, and spreading laterally to infect other devices. It employs a range of tactics and techniques to evade detection, escalate privileges, and inhibit system recovery.
Medusa Locker employs a multi-stage attack strategy:
Initial Access
MedusaLocker gains initial access to target systems through various means:
- Brute Force Password Guessing: Threat actors attempt to gain access to Remote Desktop Protocol (RDP) services by guessing passwords.
- Phishing: The ransomware may be delivered through phishing emails, where users are tricked into downloading and executing malicious attachments.
- Exploitation of External Remote Services: Vulnerable RDP services in the victim’s network are exploited to gain initial access.
Execution
Once access is gained, MedusaLocker executes its payload, the component of the malware designed to carry out a specific set of actions on the target system.
A batch file executes a PowerShell script responsible for further execution of the ransomware.
MedusaLocker uses the Windows Management Instrumentation (WMI) command-line utility to delete volume shadow copies, hindering data recovery efforts.
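The two behaviors just described (a batch file launching a PowerShell script, and the WMI command-line utility deleting volume shadow copies) are visible in process-creation telemetry. The following Python snippet is an added example, not code from this article or from CISA, showing detection logic for both over constructed Sysmon-style events; the field names follow Sysmon Event ID 1, and every path and script name in the sample is a made-up placeholder.

```python
# Constructed process-creation events in a Sysmon-like shape; none of this is real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
    {"id": 2, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"cmd.exe /c C:\Users\Public\EXAMPLE_LAUNCHER.bat",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Users\Public\EXAMPLE_STAGE2.ps1"},
    {"id": 3, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentCommandLine": r"powershell.exe -File C:\Users\Public\EXAMPLE_STAGE2.ps1",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe", "CommandLine": "wmic.exe shadowcopy delete"},
    {"id": 4, "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe", "CommandLine": "wmic.exe os get caption"},
]


def _basename(path):
    """Lower-cased file name of a Windows path (also tolerates forward slashes)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def shadow_copy_deletion_via_wmic(ev):
    """WMIC invoked to delete shadow copies: the recovery-inhibition step described above."""
    cl = ev["CommandLine"].lower()
    return _basename(ev["Image"]) == "wmic.exe" and "shadowcopy" in cl and "delete" in cl


def batch_file_launching_powershell(ev):
    """cmd.exe running a .bat/.cmd file that in turn starts PowerShell."""
    pcl = ev["ParentCommandLine"].lower()
    return (_basename(ev["ParentImage"]) == "cmd.exe"
            and _basename(ev["Image"]) in {"powershell.exe", "pwsh.exe"}
            and (".bat" in pcl or ".cmd" in pcl))


# (rule name, severity, predicate). Shadow-copy deletion is rarely legitimate outside
# scheduled maintenance, so it is rated higher than the batch->PowerShell chain.
RULES = [
    ("shadow_copy_deletion_via_wmic", "high", shadow_copy_deletion_via_wmic),
    ("batch_file_launching_powershell", "medium", batch_file_launching_powershell),
]


def detect(events):
    """Run every rule over every event and return the alerts in event order."""
    alerts = []
    for ev in events:
        for name, severity, predicate in RULES:
            if predicate(ev):
                alerts.append({"event_id": ev["id"], "rule": name, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In production the events would come from Sysmon or from Windows Security event 4688 with command-line auditing enabled, and the two rules would be correlated: a shadow-copy deletion whose ancestor chain includes a batch-launched PowerShell process is a much stronger signal than either rule alone.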
Defense Evasion
To evade detection and hinder security measures, the ransomware disables antivirus and other security products. It also abuses the limited defenses available in safe mode to bypass endpoint security measures.
Encryption and Ransom Demand
Once executed, according to CISA, MedusaLocker encrypts the victim’s files using the AES 256 encryption algorithm, rendering them inaccessible without the decryption key.
The ransomware then demands payment from the victim in exchange for the decryption key needed to unlock the encrypted files.
It typically leaves ransom notes containing instructions on how to pay the ransom and regain access to the encrypted data.
MedusaLocker ransom note
The MedusaLocker ransom note is placed into every folder and outlines how to communicate with the attackers and pay the ransom in Bitcoin.
The note also states that the group stole the victim’s data and will leak it unless their demands are met. However, as of this publication, no leaked data had been observed.
Important: Do not pay the ransom. Paying the ransom does not guarantee that you will get your data back, and it may encourage the attackers to continue their criminal activities. Check our in-depth article on what happens if you pay the ransom.
How to handle a MedusaLocker ransomware attack
It is important to note that handling a MedusaLocker ransomware attack can be complex and requires expertise. Therefore, it is recommended to seek professional help from a reputable data recovery service, such as Proven Data, to help you recover your data and remove the ransomware from your system.
You should also report the attack to law enforcement agencies, such as the FBI, and cybersecurity organizations to help prevent future attacks and catch the perpetrators.
We strongly recommend contacting cybersecurity services to handle ransomware attacks. Proven Data technicians not only retrieve ransomware-encrypted data but also create forensic reports and streamline incident response, minimizing your business downtime and financial loss.
How to prevent MedusaLocker ransomware attacks
Preventing MedusaLocker ransomware attacks is always the best cyber security tactic. If you want to reduce the risk of falling victim, follow these tips to avoid a ransomware attack:
Keep your software up to date
Regularly update your operating system and programs to uphold security standards. Reputable OS providers consistently check their software for vulnerabilities and release patches to protect against newly discovered threats.
Use reputable antivirus software
Use reputable antivirus software to significantly strengthen protection against malware, and regularly confirm that it is up to date. You can also scan your network for vulnerabilities to learn where your security needs improvement.
Be cautious of suspicious emails
Even though there are no known cases of MedusaLocker using phishing as an attack method, it’s important to exercise caution when dealing with emails from unfamiliar or dubious origins. Refrain from opening files or clicking on links within emails that you are not expecting or seem suspicious.
Do not download cracked software
Cracked software is the term used to describe illicitly modified or pirated versions of commercial software, typically distributed without proper authorization or licensing. Cybercriminals frequently conceal their ransomware executables within cracked software distribution websites, leading users to unwittingly download and execute the malware.
Backup your data
Backups are the best strategy to ensure fast data recovery and reduce downtime. Remember to regularly back up your data to prevent complete data loss in case of a ransomware attack. Also, make sure that at least one copy of your data is stored offline, so attackers don’t target your backups, and offsite, to prevent loss in case of natural disaster.
A highly recommended approach to data loss prevention is the 3-2-1 backup strategy: keep three copies of your data in total, two of them on different media and at least one offsite, ensuring redundancy and protection against natural disasters or other local incidents.
Educate yourself and your teams
Educate yourself and your employees about the risks of ransomware and how to avoid it, such as avoiding suspicious emails or downloads.
Consult cybersecurity professionals
Proven Data offers cybersecurity services to help keep your data protected against threat actors, from vulnerability assessments that ensure your systems and servers have no open doors for cyber attacks, to Incident Response (IR) services for immediate response after a successful attack.
We also have the option of managed detection and response (MDR) services that help organizations improve their security posture, minimize risk, and protect sensitive data and assets.