MedusaLocker Ransomware: Still Going Strong After Nearly 3 Years

MedusaLocker has recently gained attention due to a joint Cybersecurity Advisory (CSA)

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) all participated in the release.

First discovered in late October 2019, a ransomware strain known as MedusaLocker has recently gained attention due to a joint Cybersecurity Advisory (CSA) released by several U.S. federal agencies as part of the #StopRansomware initiative.

Organizations with internet-facing RDP (Remote Desktop Protocol) servers are potential targets, as this is the most common initial compromise vector for MedusaLocker attacks.

Samples of MedusaLocker Ransomware were tested against BluVector’s patented Machine Learning Engine (MLE). Regression testing shows that BluVector would have detected the samples an average of 23 months prior to their release.

What Is It?

The first public reports of a (then) new strain of ransomware named MedusaLocker were published in late October 2019. Researchers had first observed MedusaLocker samples a month earlier in late September. Like the vast majority of current ransomware detailed in previous Threat Reports, MedusaLocker utilizes the Ransomware-as-a-Service (RaaS) model, where the authors offer subscriptions providing access to the ransomware for a cut of any ransom payments that may be collected. In the case of MedusaLocker, the CSA states the ransomware subscriber, known as an affiliate, will receive between 55 and 60 percent of ransom payments, with the balance being retained by the authors. The authors are responsible for continuing to add functionality and detection evasions to the ransomware, as well as providing the back-end system to monitor infections and collect ransom payments. The affiliates need to compromise victim networks, then distribute and execute the ransomware. In 2020, MedusaLocker authors posted a list of skills required of their affiliates to an underground forum. This list included “practical experience with ransomware, confident user of Cobalt Strike, able to escalate local administrator and domain administrator privileges, working knowledge of backup systems and understanding of OpSec.” These are all skills relevant to successfully compromising a network and distributing the ransomware effectively.


Figure 1: MedusaLocker Ransom Note

Interestingly, when analyzed, early samples of MedusaLocker are very similar to more recent samples, both in functionality and at the code level. This indicates the authors are focusing on ensuring MedusaLocker samples remain undetected by legacy detection solutions, such as anti-virus, for as long as possible. It also indicates the affiliates are largely satisfied with the functionality and the ransom income it provides.

When initially executed on a system, MedusaLocker updates the Windows Registry to ensure mapped drives are accessible regardless of the privileges a task has. Next, using a hardcoded list contained within the MedusaLocker sample itself, it attempts to shut down processes related both to security products that may detect the sample and its activity, and to applications that may prevent files containing important data from being encrypted. Following this, it performs the expected step of deleting Volume Shadow Copies and backups made with Windows Backup in order to hinder recovery of encrypted files, and therefore increase pressure on the victim to pay the ransom.
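The backup-destruction step described above is one of the few noisy moments before encryption starts, so it is worth a detection rule. The following is an added example, not code from this report: it matches process-creation command lines against generic patterns for the Windows utilities commonly used to remove shadow copies and Windows Backup data. The report does not list the sample's exact commands, so the patterns, host names and events below are assumptions constructed for illustration.

```python
import re

# Generic patterns for built-in Windows utilities; not taken from the sample.
RULES = [
    ("shadow_copy_delete",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow_copy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("shadow_storage_resize",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("backup_delete",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup|backup)\b", re.I)),
]

# Constructed process-creation records (e.g. Sysmon Event ID 1 or Security 4688).
EVENTS = [
    {"host": "FS01", "cmd": r"C:\Windows\System32\vssadmin.exe list shadows"},
    {"host": "FS01", "cmd": r"vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "FS01", "cmd": r"wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest"},
    {"host": "WS22", "cmd": r"cmd.exe /c wmic shadowcopy delete"},
    {"host": "WS23", "cmd": r"notepad.exe C:\docs\vssadmin-delete-shadows-howto.txt"},
]

def detect(events):
    """Return (host, rule_name, command_line) for every matching event."""
    hits = []
    for ev in events:
        for name, rx in RULES:
            if rx.search(ev["cmd"]):
                hits.append((ev["host"], name, ev["cmd"]))
                break                      # one hit per event is enough
    return hits

def high_confidence_hosts(hits):
    """Hosts where both shadow copies and Windows Backup data were targeted."""
    by_host = {}
    for host, name, _ in hits:
        by_host.setdefault(host, set()).add(name)
    wanted = {"shadow_copy_delete", "backup_delete"}
    return sorted(h for h, names in by_host.items() if wanted <= names)

if __name__ == "__main__":
    found = detect(EVENTS)
    for host, name, cmd in found:
        print(f"{host}\t{name}\t{cmd}")
    print("escalate:", high_confidence_hosts(found))
```
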

The sample also contains a list of file extensions to be skipped when encrypting files. In the more recent sample analyzed for this Threat Report, this list had grown to 139 unique file extensions. The vast majority of these are actually file extensions used by other MedusaLocker variants, and other ransomware families. In the case of this sample, the file extension appended to encrypted files was “.L16”. There is also a hardcoded list of directory names that are skipped during the encryption process.


Figure 2: List of file extensions to skip during encryption

During encryption, the ransom note is dropped as a file named HOW_TO_RECOVER_DATA.html in each directory in which files have been encrypted. It directs victims to visit a site on the dark web with a unique address, where they can upload a single file of up to 15 MB in size to be decrypted for free. This is intended to reassure victims that if they pay the ransom, their files can be successfully decrypted.


Figure 3: Dark web site to obtain free decryption of one encrypted file.
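The per-directory ransom note and the appended extension make it possible to scope the damage from a plain file listing. The following is an added example, not code from this report: it groups a recursive path listing by directory, flags directories that hold the note or encrypted files, and recovers original file names by stripping the appended extension. The note name and the ".L16" extension come from the report; the paths are constructed, and other variants use other extensions.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

NOTE_NAME = "HOW_TO_RECOVER_DATA.html"   # ransom note name given in this report
ENC_EXT = ".L16"                         # extension of the sample analysed here

# Constructed listing, one path per line (e.g. from a recursive directory dump).
SAMPLE_LISTING = r"""
C:\Shares\Finance\HOW_TO_RECOVER_DATA.html
C:\Shares\Finance\budget.xlsx.L16
C:\Shares\Finance\q3\forecast.docx.L16
C:\Shares\Finance\q3\HOW_TO_RECOVER_DATA.html
C:\Shares\HR\policy.pdf
C:\Shares\Eng\notes.txt.l16
C:\Shares\Eng\build.log
"""

def triage(listing, note_name=NOTE_NAME, enc_ext=ENC_EXT):
    """Group a path listing by directory and summarise ransomware artefacts."""
    dirs = defaultdict(lambda: {"note": False, "encrypted": [], "intact": 0})
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        p = PureWindowsPath(line)
        entry = dirs[str(p.parent)]
        name = p.name
        if name.lower() == note_name.lower():    # Windows names are case-insensitive
            entry["note"] = True
        elif name.lower().endswith(enc_ext.lower()):
            # The extension is appended, so stripping it yields the original name.
            entry["encrypted"].append(name[: -len(enc_ext)])
        else:
            entry["intact"] += 1
    return dict(dirs)

def affected_dirs(report):
    """Directories holding a note or at least one encrypted file, sorted."""
    return sorted(d for d, e in report.items() if e["note"] or e["encrypted"])

if __name__ == "__main__":
    rep = triage(SAMPLE_LISTING)
    for d in affected_dirs(rep):
        e = rep[d]
        print(f"{d}: note={e['note']} encrypted={e['encrypted']} intact={e['intact']}")
```

A directory with encrypted files but no note, like the constructed `Eng` share here, is worth a closer look because it may indicate encryption that was interrupted.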

MedusaLocker ransomware has proven to be quite effective, remaining largely unchanged over a nearly three-year period, while still being considered a threat worthy of a joint Cybersecurity Advisory. Malware authors will only update their malware when they need to. In the case of MedusaLocker, this has apparently been somewhat infrequent. Perhaps this is due to the minimum skill level prospective affiliates are required to meet, suggesting a more careful target selection process than is the norm.

How Does It Propagate?

The malware does attempt to self-propagate via shared folders. MedusaLocker actors are known for exploiting vulnerabilities in internet-facing RDP (Remote Desktop Protocol) servers, including those with easily guessed or brute-forced passwords, as their initial compromise vector.
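Password guessing against RDP leaves a recognisable trail in the Windows Security log: a run of failed logons (event 4625) from one source, which matters most when a successful logon (event 4624) follows. The following is an added example, not code from this report; the threshold, window, accounts and events are assumptions constructed for illustration, and the addresses come from documentation ranges.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624      # Windows Security log event IDs
RDP_LOGON_TYPES = {3, 10}         # 10 = RemoteInteractive, 3 = Network (RDP with NLA)

# Constructed events: (time, event_id, logon_type, source_ip, account).
EVENTS = [
    ("2022-07-01 02:10:01", FAILED, 3, "203.0.113.50", "administrator"),
    ("2022-07-01 02:10:04", FAILED, 3, "203.0.113.50", "admin"),
    ("2022-07-01 02:10:07", FAILED, 3, "203.0.113.50", "backup"),
    ("2022-07-01 02:10:09", FAILED, 3, "203.0.113.50", "scanner"),
    ("2022-07-01 02:10:12", FAILED, 3, "203.0.113.50", "scanner"),
    ("2022-07-01 02:10:15", SUCCESS, 10, "203.0.113.50", "scanner"),
    ("2022-07-01 08:59:30", FAILED, 10, "198.51.100.7", "jdoe"),
    ("2022-07-01 09:00:02", SUCCESS, 10, "198.51.100.7", "jdoe"),
]

def rdp_guessing_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Alert on sources with >= threshold failures inside the window and
    record the account if a successful logon followed those failures."""
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    alerts = {}
    for ts, event_id, logon_type, src, account in sorted(events):
        if logon_type not in RDP_LOGON_TYPES:
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        q = recent[src]
        while q and when - q[0] > window:     # expire failures outside the window
            q.popleft()
        if event_id == FAILED:
            q.append(when)
            if len(q) >= threshold:
                alert = alerts.setdefault(src, {"failures": 0, "compromised": None})
                alert["failures"] = max(alert["failures"], len(q))
        elif event_id == SUCCESS and src in alerts and len(q) >= threshold:
            alerts[src]["compromised"] = account   # guessing appears to have worked
    return alerts

if __name__ == "__main__":
    for src, info in rdp_guessing_alerts(EVENTS).items():
        print(src, info)
```

Logon type 3 also covers non-RDP network logons such as SMB, so in production the events should be filtered to hosts that actually expose RDP.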

When/How Did BluVector Detect It?

A total of 25 recent samples of MedusaLocker ransomware were tested against BluVector’s patented Machine Learning Engine (MLE) and all were detected. Regression testing of these samples shows that BluVector would have detected them on average 23 months prior to their release.

Threat Team
BluVector’s Threat Report is written by BluVector’s expert security team, tasked with identifying the latest cybersecurity threats in the wild and when our solutions would protect customers from those threats.
