HC3 Analyst Note Warns About Lesser Known ‘MedusaLocker’ Ransomware
On Feb. 24, the Health Sector Cybersecurity Coordination Center (HC3) published an analyst note on MedusaLocker ransomware. Although there are well-known variants posing threats to the healthcare sector, like Royal and Clop, lesser known threats should not be overlooked.
The note says that “The MedusaLocker ransomware was first detected back in September of 2019. Since then, MedusaLocker has infected and encrypted systems across multiple sectors, with primary targeting of the healthcare sector. During 2019, MedusaLocker leveraged the disorder and confusion surrounding the COVID-19 pandemic to launch attacks. MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model, in which the developer of the MedusaLocker shares the ransomware with other threat actors in return for a share of the ransom payment. Based on the observed split noted in a June 2022 Advisory on the MedusaLocker by United States federal law enforcement agencies, including the Federal Bureau of Investigation (FBI), MedusaLocker ransomware payments appear to be consistently split between the affiliates who receive a share of the ransom. The affiliates receive approximately 55-60 percent per the time of the Advisory, and the developer receives the remainder.”
Initially, the threat actors used phishing and spam email campaigns to compromise targets. In 2022, Remote Desktop Protocol (RDP) vulnerabilities became the group’s preferred Tactics, Techniques, and Procedures (TTP) to gain access to target networks.
Yet, MedusaLocker threat actors can still gain access to networks via phishing campaigns in which the malware is attached to emails for penetration tools on Russian servers. Additionally, investigations have found that these ransomware criminals are leveraging U.S. infrastructure to prepare for future attacks, because launching attacks from Russian infrastructure is difficult when most security tools preemptively block incoming traffic from Russia. Cybercriminals are known to compromise hosts in the U.S. or other “less conspicuous” countries for this purpose.
“After initial access the MedusaLocker will propagate throughout a network from a batch file that executes a PowerShell script. MedusaLocker will next disable security and forensic software, restart the machine in safe mode to prevent detection or ransomware, and then encrypt files with the AES-256 encryption algorithm,” the note adds. “MedusaLocker will further establish persistence by deleting local backups, disabling start-up recovery to ultimately place a ransom note into every folder containing a file with the compromised host’s encrypted data.”
The note recommends requiring all RDP instances to have multiple levels of access and authentication controls, including monitoring RDP utilization, implementing account lockout policies, prioritizing patching of RDP vulnerabilities, and requiring strong passwords and two-factor authentication.
Additional mitigations include implementing a recovery plan, retaining copies of sensitive data in physically separate, segmented, and secure locations, adding an email banner to emails received from outside the organization, and disabling hyperlinks in received emails.
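As an added example (not part of the HC3 note or this article), the following Python shows one way to act on the note's advice to monitor RDP utilization alongside an account lockout policy: it scans Windows Security logon events for a burst of failed RDP logons from one source against one account and flags whether a successful RDP logon followed. Event IDs 4625/4624 and LogonType 10 are standard Windows values; the usernames, addresses and timestamps are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical users, RFC 5737 test addresses),
# modelled on the fields of Windows Security events 4625 (failed logon) and
# 4624 (successful logon). LogonType 10 (RemoteInteractive) marks RDP logons.
SAMPLE_EVENTS = [
    {"ts": "2023-02-24T02:00:01", "id": 4625, "user": "admin", "src": "203.0.113.7", "type": 10},
    {"ts": "2023-02-24T02:00:09", "id": 4625, "user": "admin", "src": "203.0.113.7", "type": 10},
    {"ts": "2023-02-24T02:00:15", "id": 4625, "user": "admin", "src": "203.0.113.7", "type": 10},
    {"ts": "2023-02-24T02:00:22", "id": 4625, "user": "admin", "src": "203.0.113.7", "type": 10},
    {"ts": "2023-02-24T02:00:30", "id": 4625, "user": "admin", "src": "203.0.113.7", "type": 10},
    {"ts": "2023-02-24T02:01:04", "id": 4624, "user": "admin", "src": "203.0.113.7", "type": 10},
    {"ts": "2023-02-24T09:15:00", "id": 4625, "user": "jdoe", "src": "198.51.100.4", "type": 10},
    {"ts": "2023-02-24T09:15:40", "id": 4624, "user": "jdoe", "src": "198.51.100.4", "type": 10},
    {"ts": "2023-02-24T09:20:00", "id": 4625, "user": "svc", "src": "198.51.100.9", "type": 3},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (src, user) pairs with >= threshold failed RDP logons inside `window`.

    Returns {(src, user): {"failures": n, "success_after": bool}}. A True
    success_after means a successful RDP logon from the same source followed
    the burst, which is the case to escalate as a probable compromise.
    Threshold and window mirror a typical lockout policy (assumed values).
    """
    rdp = sorted((e for e in events if e["type"] == 10), key=lambda e: e["ts"])
    failures, successes = defaultdict(list), defaultdict(list)
    for e in rdp:
        key = (e["src"], e["user"])
        ts = datetime.fromisoformat(e["ts"])
        (failures if e["id"] == 4625 else successes)[key].append(ts)

    alerts = {}
    for key, times in failures.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[key] = {
                    "failures": len(times),
                    "success_after": any(s > ts for s in successes.get(key, [])),
                }
                break
    return alerts


if __name__ == "__main__":
    for (src, user), info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT {src} -> {user}: {info}")
```

Single failed logons (jdoe) and non-RDP failures (svc, LogonType 3) are ignored, so a lockout-style threshold only fires on the burst pattern the note's monitoring advice is meant to catch.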