Several US law enforcement agencies have shone a spotlight on MedusaLocker, one ransomware gang that got busy in the pandemic by hitting healthcare organizations.
MedusaLocker emerged in 2019 and has been a problem ever since, ramping up activity during the early stages of the pandemic to maximize profits.
While Medusa is not as prolific today as the Conti and LockBit RaaS networks, MedusaLocker has caused its fair share of trouble, being one of several threats that led Microsoft to warn healthcare operators to patch VPN endpoints and configure Remote Desktop Protocol (RDP) securely.
In the first quarter of 2020, MedusaLocker was one of the top ransomware payloads along with RobbinHood, Maze, PonyFinal, Valet loader, REvil, RagnarLocker, and LockBit, according to Microsoft.
As of May 2022, Medusa has been observed predominantly exploiting vulnerable RDP configurations to access victims' networks, according to a new joint Cybersecurity Advisory (CSA) from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN).
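Because the advisory singles out vulnerable RDP configurations as the main initial-access vector, the first thing a defender wants is a quick way to see whether a host is exposed in that way. The script below is an added example written for this article, not code from the advisory or from the agencies; it reads the standard Windows registry values and firewall rule group that govern RDP (these keys and the `Get-NetFirewallRule` cmdlet exist in current Windows versions) and reports PASS or WARN per setting. The PASS/WARN thresholds are an assumption on my part and are not stated in the advisory.

```powershell
# Added example: read-only audit of RDP hardening on a Windows host.
# Run from an elevated PowerShell prompt. Nothing is changed; the
# function returns one object per check so the output can be piped on.

function Get-RdpHardeningReport {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = "$tsKey\WinStations\RDP-Tcp"
    $findings = @()

    # 1. Is RDP enabled? fDenyTSConnections = 1 means RDP is disabled.
    #    Hosts that do not need RDP should keep it off.
    $deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $findings += [pscustomobject]@{
        Check  = 'RDP disabled unless required'
        Value  = $deny
        Status = if ($deny -eq 1) { 'PASS' } else { 'WARN' }
    }

    # 2. Network Level Authentication: UserAuthentication = 1 forces the
    #    client to authenticate before a session is created.
    $nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $findings += [pscustomobject]@{
        Check  = 'NLA required'
        Value  = $nla
        Status = if ($nla -eq 1) { 'PASS' } else { 'WARN' }
    }

    # 3. SecurityLayer: 2 = TLS required, 1 = negotiate, 0 = legacy RDP security.
    $layer = (Get-ItemProperty -Path $rdpTcp -Name SecurityLayer -ErrorAction SilentlyContinue).SecurityLayer
    $findings += [pscustomobject]@{
        Check  = 'TLS security layer'
        Value  = $layer
        Status = if ($layer -eq 2) { 'PASS' } else { 'WARN' }
    }

    # 4. Windows Firewall: are any rules in the "Remote Desktop" group enabled?
    #    If RDP is off, the inbound rules should be off as well.
    $fwRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    $enabledRules = @($fwRules | Where-Object { $_.Enabled -eq 'True' }).Count
    $findings += [pscustomobject]@{
        Check  = 'Inbound RDP firewall rules'
        Value  = "$enabledRules enabled"
        Status = if ($enabledRules -eq 0 -or $deny -eq 0) { 'PASS' } else { 'WARN' }
    }

    # 5. Account lockout: "Never" means unlimited password guesses over RDP.
    $lockoutLine = (net accounts) | Select-String 'Lockout threshold'
    $lockoutText = if ($lockoutLine) { ($lockoutLine.ToString() -split ':\s*')[-1].Trim() } else { 'unknown' }
    $findings += [pscustomobject]@{
        Check  = 'Account lockout threshold'
        Value  = $lockoutText
        Status = if ($lockoutText -match '^\d+$') { 'PASS' } else { 'WARN' }
    }

    return $findings
}

# Usage: print the report as a table; pipe to Export-Csv to collect across a fleet.
Get-RdpHardeningReport | Format-Table -AutoSize
```

A WARN on every line of this report describes exactly the host profile the advisory warns about: RDP reachable from the network, no NLA, a legacy security layer, and no lockout to slow down password guessing. Running it as a scheduled job and exporting the results gives an inventory of where the RDP exposure actually is before deciding which hosts to restrict.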
The advisory is part of CISA's #StopRansomware collection of resources about ransomware.
"MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments," the CSA notes.
RaaS models involve the combined efforts of a ransomware developer and various affiliates, such as access brokers that gain initial access and other actors that deploy the ransomware on victim systems.
"MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom; and the developer, who receives the remainder," the CSA notes.
At a technical level, after MedusaLocker actors have gained initial access, they deploy a PowerShell script to propagate the ransomware throughout the network, editing the machine's registry to detect attached hosts and networks and using the SMB file-sharing protocol to detect attached storage.
MedusaLocker attackers place a ransom note into every folder containing a file with the victim's encrypted data, according to the CSA.
MedusaLocker's key actions after spreading across a network include:
These attacks can be protected against. Mitigations recommended by the agencies include: