
Emerging Threats

MedusaLocker ransomware

frtg · 4 min read

The MedusaLocker ransomware first emerged in September 2019, infecting and encrypting Windows machines worldwide. MedusaLocker attacks have been reported across multiple sectors, particularly healthcare, which sustained a significant volume of ransomware attacks during the COVID-19 pandemic.

To maximise file encryption opportunities on the compromised machine, MedusaLocker reboots the machine into Safe Mode before execution. This method is used to evade security tools that may not run when the computer starts in this mode.

MedusaLocker avoids encrypting executable files, most likely to prevent rendering the target system unusable for ransom payment. To make it even more dangerous, it uses a combination of AES and RSA-2048, making brute-force decryption procedures virtually impossible.

Recently, reports have emerged stating that AKO, a MedusaLocker variant, has added an extortion element, threatening to publicly release stolen files.

Malware Analysis

When the file executes, it first loads the information it will need during encryption, such as the RSA public key. Files are encrypted with AES, and the AES key is then encrypted with the RSA-2048 public key embedded in the sample; in other words, MedusaLocker uses a combination of AES and RSA-2048, so the AES key cannot be recovered from the infected machine without the attacker's private key.

Upon startup, two files are written to disk:

  • C:\Users\Louise\AppData\Roaming\KEY.FILE
  • C:\Users\Louise\Desktop\Recovery_Instructions.mht

These are, respectively, the encryption key and the file containing instructions for paying the ransom and recovering files.

MedusaLocker also loads two lists of processes and services that will be terminated and deleted during its execution, so that files which might contain valuable information are not held open or monitored for modification by the processes and services on these lists. The lists include databases, web servers, security solutions, and similar software.

Once this is done, the malware checks whether the hardcoded mutex named “{8761ABBD-7F85-42EE-B272-A76179687C63}” exists; if not, it creates it. Malware authors typically use mutexes to prevent a system from being infected by several instances of the same malware, and to verify whether the malware is already running on a system.

Next, the malware checks which privileges it is running with. This information is obtained from the system through the GetTokenInformation API, which returns, among other things, the list of enabled and disabled privileges held by an access token. If it is not running with administrative privileges, it performs a UAC bypass. This is a known User Account Control bypass technique observed in other malware families, such as early iterations of Trickbot and LockBit, to name a few. MedusaLocker uses the CMSTPLUA COM object and its ICMLuaUtil interface to elevate to administrative privileges.

A series of commands are then executed to delete backups and recovery options:

  • vssadmin.exe Delete Shadows /All /Quiet
  • bcdedit.exe /set {default} recoveryenabled No & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  • wbadmin DELETE SYSTEMSTATEBACKUP & wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest:
  • wmic.exe SHADOWCOPY /nointeractive
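The backup-tampering commands above are a reliable detection opportunity, because legitimate administration rarely runs several of them in quick succession on one host. The following is an added example (not code from the original article) that matches those command lines in constructed, tab-separated process-creation records and flags a host once at least two distinct tampering techniques are seen; the log format, host names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Regexes for the backup- and recovery-tampering commands listed above.
# Matching is case-insensitive because cmd.exe ignores case.
BACKUP_TAMPER_PATTERNS = {
    "vssadmin-delete-shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "bcdedit-recovery-disabled": re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "bcdedit-ignore-boot-failures": re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
    "wbadmin-delete-systemstate": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+systemstatebackup\b", re.I),
    "wmic-shadowcopy": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\b", re.I),
}

def parse_line(line):
    """Split an assumed tab-separated record: timestamp, host, image, command line."""
    ts, host, image, cmdline = line.rstrip("\n").split("\t", 3)
    return {"ts": ts, "host": host, "image": image, "cmdline": cmdline}

def classify(cmdline):
    """Names of the techniques matched by one command line (a chained 'a & b' line may match several)."""
    return {name for name, rx in BACKUP_TAMPER_PATTERNS.items() if rx.search(cmdline)}

def scan(lines, min_techniques=2):
    """Return (hits, flagged_hosts). A host is flagged when at least `min_techniques`
    distinct techniques are seen, which filters out a lone admin running one vssadmin command."""
    per_host = defaultdict(set)
    hits = []
    for line in lines:
        rec = parse_line(line)
        found = classify(rec["cmdline"])
        hits.extend((rec["host"], name, rec["cmdline"]) for name in sorted(found))
        per_host[rec["host"]] |= found
    flagged = sorted(h for h, t in per_host.items() if len(t) >= min_techniques)
    return hits, flagged

# Constructed sample log; not taken from the original page or any real incident.
SAMPLE_LOG = [
    "2024-01-01T10:00:01\tWS01\tC:\\Windows\\System32\\cmd.exe\tvssadmin.exe Delete Shadows /All /Quiet",
    "2024-01-01T10:00:02\tWS01\tC:\\Windows\\System32\\cmd.exe\tbcdedit.exe /set {default} recoveryenabled No & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    "2024-01-01T10:00:03\tWS01\tC:\\Windows\\System32\\cmd.exe\twbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest",
    "2024-01-01T10:00:04\tWS01\tC:\\Windows\\System32\\wbem\\wmic.exe\twmic.exe SHADOWCOPY /nointeractive",
    "2024-01-01T11:30:00\tSRV02\tC:\\Windows\\System32\\cmd.exe\tvssadmin list shadows",
    "2024-01-01T12:00:00\tSRV03\tC:\\Windows\\System32\\cmd.exe\tbcdedit /set {default} recoveryenabled No",
]

if __name__ == "__main__":
    hits, flagged = scan(SAMPLE_LOG)
    for host, name, cmd in hits:
        print(f"{host}: {name}: {cmd}")
    print("flagged hosts:", flagged)
```

Only WS01 is flagged in the sample: SRV02 merely lists shadow copies and SRV03 runs a single bcdedit command, which on its own is weak evidence.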

To encrypt as much as possible both locally and remotely, MedusaLocker enumerates the local network with ICMP packets, a method known as a ping sweep or ICMP sweep, which searches a network range for live hosts. This lateral movement behaviour, consistent with T1018 (Remote System Discovery) and T1046 (Network Service Scanning), is frequently detected by Managed Detection and Response platforms that monitor for anomalous ICMP traffic patterns. Finally, it encrypts files according to its rules, skipping certain file extensions and folders.

Static Analysis

Tags

Ransomware

Details

Filename: 64CO.EXE
MD5: A80B79DE02D6881D5E54AFCEFA38298A
SHA1: E0D3E2612A757FF5BE818B114028A0E4BB562BC5
SHA256: 033B4950A8F249B20EB86EC6F8F2EA0A1567BB164289D1AA7FB0BA51F9BBE46C
File size: 1 230 848 bytes
Entropy: 5.604
Imphash: 86B16FE05257643ECB30B235FCECAC57
CPU: 64-bit
VirusTotal: 35/70

Indicators of Compromise (IOC)

Address: 62.182.158[.]226
SHA256: 033B4950A8F249B20EB86EC6F8F2EA0A1567BB164289D1AA7FB0BA51F9BBE46C
Registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MSFEEditor
Registry value: “C:\Users\user\AppData\Local\Temp\64CO.exe” e
