Medusa Ransomware (MedusaLocker)

Exploitation of Remote Services (T1133): MedusaLocker frequently exploits misconfigured or vulnerable RDP services, often using brute-force attacks to guess weak passwords.

Phishing (T1566): Spam email campaigns with malicious attachments (often disguised as legitimate documents) are also used to deliver the ransomware. You can read more about types of phishing attacks here.

Command and Scripting Interpreter: PowerShell (T1059.001): MedusaLocker utilizes a batch file (qzy.bat) to execute a PowerShell script (qzy.txt). This script contains the embedded, Base64-encoded MedusaLocker payload. The PowerShell script employs the "Invoke-ReflectivePEInjection" technique (from the PowerSploit framework) to load the ransomware directly into memory, avoiding writing the executable to disk initially.

Windows Management Instrumentation (WMIC): WMIC is used to delete volume shadow copies (wmic.exe Shadowcopy Delete), hindering data recovery efforts. The copy in %AppData%\Roaming as either svhost.exe or svchostt.exe.

Scheduled Task/Job (T1053.005): A scheduled task named svhost (or svchostt) is created to run the ransomware executable (copied to %AppData%\Roaming\) every 15 minutes, ensuring persistence even after a reboot.

Registry Run Keys / Startup Folder (T1547.001): Registry entries are often modified to ensure the ransomware executes at system startup. To know more about windows registry structure, read here.

Bypass User Account Control (UAC) (T1548.002): MedusaLocker leverages a known UAC bypass technique involving CMSTP.exe (Microsoft Connection Manager Profile Installer) and a malicious INF file to gain elevated privileges without user interaction. Read here to know more about privilege escalation attack.

Impair Defenses (T1562): MedusaLocker attempts to disable security products by terminating processes and services associated with antivirus and other security software.

Impair Defenses: Safe Mode Boot (T1562.009): A key characteristic of MedusaLocker is its ability to restart the infected machine in safe mode before encryption. This bypasses many endpoint security solutions that might not be active in safe mode.

Masquerading (T1036): The copy in %AppData%\Roaming as either svhost.exe or svchostt.exe.

Brute Force (T1110): Brute-forcing passwords to gain initial access through RDP. To know more about what is brute force, read here.

File and Directory Discovery (T1083): MedusaLocker scans for files to encrypt, but it excludes specific system folders (like %User Profile%\AppData, \ProgramData, \Program Files, \Windows) to avoid rendering the system completely unusable and preventing ransom payment.

Network Share Discovery (T1135): The ransomware scans for network shares to propagate to other systems.

Query Registry (T1012): The ransomware attempts to query the registry.

Remote Services (T1021): MedusaLocker spreads laterally through the network using RDP, PsExec, and SMB by modifying the EnableLinkedConnections registry key and conducting ping sweeps to identify active hosts.

Ingress Tool Transfer (T1105): The ransomware may use certutil.exe to download additional tools or updates from a command-and-control (C2) server.

Data Encrypted for Impact (T1486): MedusaLocker uses a combination of AES-256 (for symmetric file encryption) and RSA-2048 (for encrypting the AES key). This hybrid approach is designed to be efficient and secure, making brute-force decryption impractical. Encrypted files are appended with a specific extension (this extension can vary).

Inhibit System Recovery (T1490): A critical aspect of MedusaLocker's impact is its attempt to prevent system recovery. It executes commands to delete shadow copies, disable automatic startup repair, and disable Windows Error Recovery. Examples of these commands include:

Service Stop (T1489): To facilitate file encryption, the ransomware kills processes of security, accounting, and forensic software.

Strong Passwords and Multi-Factor Authentication (MFA): Enforce strong, unique passwords for all RDP accounts and require MFA for all remote access. This is a critical defense against brute-force attacks.

Limit RDP Access: Restrict RDP access to only authorized users and IP addresses. Use a VPN or firewall rules to limit exposure.

Disable RDP if Not Needed: If RDP is not essential, disable it completely.

Security Awareness Training: Regularly train employees to recognize and report phishing emails. This should include training on identifying malicious attachments and suspicious links.

Email Security Gateways: Implement email security gateways that can scan for and block malicious attachments and links.

Disable hyperlinks: Disable hyperlinks in emails.

Regularly Patch Systems: Promptly apply security updates for operating systems, software (especially RDP services), and firmware. This closes known vulnerabilities that MedusaLocker might exploit. Read more on patch management strategy here.

Regular Backups: Implement a robust backup strategy that includes regular, automated backups of critical data.

Offline Backups: Store backups offline, either on physically separate media or in a cloud-based service that is isolated from the main network. This prevents the ransomware from encrypting backups.

Test Backups: Regularly test the backup and recovery process to ensure it works as expected.

Deploy EDR Solutions: Use an EDR solution that can detect and respond to malicious activity on endpoints, including PowerShell script execution, process injection, and attempts to disable security software. EDR solutions can often detect and block MedusaLocker's behavior even if the specific malware signature is unknown.

Isolate Critical Systems: Segment the network to limit the lateral movement of ransomware. This can prevent a single infection from spreading to the entire organization.

Restrict User Permissions: Grant users only the minimum necessary permissions to perform their job duties. This limits the potential damage from a compromised account.

Network Traffic Monitoring: Monitor network traffic for connections to known malicious IP addresses and domains.

File System Monitoring: Monitor for the creation of files with the MedusaLocker file extension and the ransom note.