In the first quarter of 2020, MedusaLocker was one of the top ransomware payloads along with RobbinHood, Maze, PonyFinal, Valet loader, REvil, RagnarLocker, and LockBit, according to Microsoft.
As of May 2022, Medusa has been observed predominantly exploiting vulnerable RDP configurations to access victims' networks, according to a new joint Cybersecurity Advisory (CSA) from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN).
"MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom; and the developer, who receives the remainder," the CSA notes.
At a technical level, once MedusaLocker actors have gained initial access, the ransomware runs a PowerShell script to propagate itself across the network: it edits the compromised machine's registry so that the machine can detect attached hosts and networks, and it uses the SMB file-sharing protocol to detect attached storage.
MedusaLocker attackers place a ransom note into every folder containing a file with the victim's encrypted data, according to the CSA.
MedusaLocker's key actions after spreading across a network include:
Restarts the LanmanWorkstation service, which allows registry edits to take effect
Kills the processes of well-known security, accounting, and forensic software
Restarts the machine in safe mode to avoid detection by security software
Encrypts victim files with the AES-256 encryption algorithm; the resulting key is then encrypted with an RSA-2048 public key
Runs every 60 seconds, encrypting all files except those critical to the functionality of the victim's machine and those that have the designated encrypted file extension
Establishes persistence by scheduling a task to run the ransomware every 15 minutes
Attempts to prevent standard recovery techniques by deleting local backups, disabling startup recovery options, and deleting shadow copies
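Several of the behaviours above leave process-creation telemetry (service restarts, shadow copy deletion, boot configuration changes, a scheduled task with a 15-minute trigger). The following is an added example, not code from the advisory or from any product: it runs simple command-line rules over constructed sample records and only raises a finding when several distinct behaviours cluster inside one minute, since a single bcdedit or vssadmin call on its own can be routine administration. The record layout, task name and payload path are assumptions.

```python
import re
from datetime import datetime

# Constructed sample process-creation records (not real telemetry). The
# "timestamp|image|command line" layout, task name and payload path are
# assumptions made for this example, not values from the advisory.
SAMPLE_EVENTS = """\
2022-05-01T10:00:01|C:\\Windows\\System32\\net.exe|net stop LanmanWorkstation
2022-05-01T10:00:02|C:\\Windows\\System32\\net.exe|net start LanmanWorkstation
2022-05-01T10:00:05|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet
2022-05-01T10:00:06|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No
2022-05-01T10:00:07|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} safeboot minimal
2022-05-01T10:00:09|C:\\Windows\\System32\\schtasks.exe|schtasks /create /tn TASK_PLACEHOLDER /tr C:\\PATH_PLACEHOLDER\\payload.exe /sc minute /mo 15
2022-05-01T14:30:00|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No
"""

# One command-line pattern per behaviour the advisory lists (case-insensitive).
RULES = {
    "lanmanworkstation_restart": re.compile(r"\bnet1?(?:\.exe)?\s+(?:stop|start)\s+lanmanworkstation\b", re.I),
    "shadow_copy_deletion": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "startup_recovery_disabled": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "safe_mode_boot": re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I),
    "task_every_15_minutes": re.compile(r"\bschtasks(?:\.exe)?\s+/create\b.*\s/sc\s+minute\s+/mo\s+15\b", re.I),
}


def match_events(text):
    """Return (timestamp, rule_name) pairs for every record matching a rule."""
    hits = []
    for line in filter(None, text.splitlines()):
        ts, _image, cmdline = line.split("|", 2)
        hits.extend((datetime.fromisoformat(ts), name)
                    for name, pattern in RULES.items() if pattern.search(cmdline))
    return hits


def correlate(hits, window_seconds=60, min_distinct=3):
    """Group hits within window_seconds of the group's first hit and report
    groups with at least min_distinct distinct behaviours: a lone bcdedit or
    vssadmin call can be routine administration, the combination is not."""
    groups, current = [], []
    for when, name in sorted(hits):
        if current and (when - current[0][0]).total_seconds() > window_seconds:
            groups.append(current)
            current = []
        current.append((when, name))
    groups.append(current)
    return [(g[0][0], sorted({n for _, n in g})) for g in groups
            if g and len({n for _, n in g}) >= min_distinct]
```

Calling `correlate(match_events(SAMPLE_EVENTS))` on the sample reports one group starting at 10:00:01 with five distinct behaviours; the isolated bcdedit call at 14:30 is not reported.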
These attacks can be defended against. Mitigations recommended by the agencies include:
Implement a recovery plan that maintains and retains multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location
Implement network segmentation and maintain offline backups of data
Regularly back up data and password-protect backup copies stored offline. Ensure copies of critical data cannot be modified or deleted from the system