FBI and CISA warn: This ransomware is using RDP flaws to break into networks

US exposes MedusaLocker, one of the ransomware gangs that ramped up activity as the pandemic gripped the world.
Written by Liam Tung, Contributing Writer

Several US law enforcement agencies have shone a spotlight on MedusaLocker, one ransomware gang that got busy in the pandemic by hitting healthcare organizations. 

MedusaLocker emerged in 2019 and has been a problem ever since, ramping up activity during the early stages of the pandemic to maximize profits. 

While MedusaLocker is not as prolific today as the Conti and LockBit RaaS networks, it has caused its fair share of trouble, and was one of several threats that led to Microsoft's warning to healthcare operators to patch VPN endpoints and configure Remote Desktop Protocol (RDP) securely.


In the first quarter of 2020, MedusaLocker was one of the top ransomware payloads along with RobbinHood, Maze, PonyFinal, Valet loader, REvil, RagnarLocker, and LockBit, according to Microsoft.  

As of May 2022, MedusaLocker has been observed predominantly exploiting vulnerable RDP configurations to access victims' networks, according to a new joint Cybersecurity Advisory (CSA) from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN).

The advisory is part of CISA's #StopRansomware collection of resources about ransomware.

"MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments," the CSA notes. 

RaaS models involve the combined efforts of a ransomware developer and various affiliates, such as access brokers who gain initial access and other actors who deploy the ransomware on victim systems.

"MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom; and the developer, who receives the remainder," the CSA notes. 

At a technical level, after MedusaLocker actors have gained initial access, MedusaLocker deploys a PowerShell script to propagate the ransomware throughout the network by editing the machine's registry to detect attached hosts and networks, and using the SMB file-sharing protocol to detect attached storage. 

MedusaLocker attackers place a ransom note into every folder containing a file with the victim's encrypted data, according to the CSA.  

MedusaLocker's key actions after spreading across a network include: 

  • Restarts the LanmanWorkstation service, which allows registry edits to take effect
  • Kills the processes of well-known security, accounting, and forensic software
  • Restarts the machine in safe mode to avoid detection by security software
  • Encrypts victim files with the AES-256 encryption algorithm; the resulting key is then encrypted with an RSA-2048 public key 
  • Runs every 60 seconds, encrypting all files except those critical to the functionality of the victim's machine and those that have the designated encrypted file extension
  • Establishes persistence by scheduling a task to run the ransomware every 15 minutes
  • Attempts to prevent standard recovery techniques by deleting local backups, disabling startup recovery options, and deleting shadow copies
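As an added example (not from the advisory or this article), here is detection logic a defender could run over process-creation telemetry to flag hosts that show several of the behaviours listed above at once; the event fields, host names and sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Detection patterns for the post-access behaviours described in the CSA.
# Each rule is a case-insensitive regex over a process command line.
RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "recovery_disabled":    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
    "safe_mode_reboot":     re.compile(r"bcdedit(\.exe)?.*/set\b.*safeboot", re.I),
    "task_every_15_min":    re.compile(r"schtasks(\.exe)?.*/sc\s+minute\b.*/mo\s+15\b", re.I),
    "lanman_restart":       re.compile(
        r"(net(\.exe)?\s+(stop|start)|Restart-Service)\s+LanmanWorkstation", re.I),
}


def match_rules(command_line):
    """Return the names of every rule the command line triggers."""
    return [name for name, rx in RULES.items() if rx.search(command_line)]


def score_hosts(events, min_rules=2):
    """Group events by host and return hosts that hit at least min_rules distinct rules.

    events: iterable of dicts with 'host' and 'cmd' keys (constructed schema).
    A single hit (e.g. one admin running vssadmin) is noisy; several distinct
    behaviours on one host within a short window is the signal worth paging on.
    """
    hits = defaultdict(set)
    for ev in events:
        for name in match_rules(ev["cmd"]):
            hits[ev["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items() if len(names) >= min_rules}


# Constructed sample telemetry (Sysmon Event ID 1 style); not real data.
SAMPLE_EVENTS = [
    {"host": "ws-17", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws-17", "cmd": "bcdedit /set {default} recoveryenabled no"},
    {"host": "ws-17", "cmd": 'schtasks /create /sc minute /mo 15 /tn "update" /tr "C:\\Users\\Public\\update.exe"'},
    {"host": "ws-17", "cmd": "net stop LanmanWorkstation"},
    {"host": "ws-04", "cmd": "schtasks /create /sc daily /tn Backup /tr backup.exe"},
    {"host": "ws-04", "cmd": "notepad.exe C:\\Users\\alice\\notes.txt"},
]

if __name__ == "__main__":
    for host, names in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(names)}")
```

Tune `min_rules` to your environment: backup agents legitimately touch shadow copies, so correlating across behaviours rather than alerting on any single command keeps the false-positive rate workable.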

These attacks can be protected against. Mitigations recommended by the agencies include:

  • Implement a recovery plan that maintains and retains multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location 
  • Implement network segmentation and maintain offline backups of data 
  • Regularly back up data and password-protect backup copies stored offline. Ensure copies of critical data cannot be modified or deleted from the system