In a joint cybersecurity advisory, the FBI, CISA, the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) have detailed recent malicious activity attributed to the MedusaLocker ransomware.
MedusaLocker is a ransomware variant first detected in 2019. Since then, several cybersecurity researchers have tracked its operators' activities in the wild and found the group widening its targeting to extract more profit from victims.
According to the latest observations, MedusaLocker's operators rely predominantly on vulnerabilities in their targets' Remote Desktop Protocol (RDP) deployments to gain access to the victims' networks.
Once the ransomware has been deployed on a network, it encrypts the data and files on the compromised machine and drops a ransom note explaining how the victim can contact the operators and obtain a decryptor for the files.
If a victim opts to pay, they are directed to a Bitcoin wallet address to which the payment must be sent in exchange for a decryptor.
The researchers also noted that MedusaLocker's operators often work with an affiliate on their campaigns: roughly 55-60% of the ransom proceeds are allotted to the affiliate, and the remainder goes to the core operators.
In many cases the intrusion begins with phishing or spam emails sent to the target that carry a malicious attachment; RDP is the other common entry point. Once a victim opens the attachment or the actors log in over RDP, they have initial access to the machine and deploy a PowerShell script that spreads the ransomware across the victim's network.
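Because the advisory names RDP as the main entry point and the PowerShell-driven spread follows the first interactive logon, the earliest detection opportunity is usually in the Windows Security log: a run of failed RemoteInteractive logons (Event ID 4625, logon type 10) from one address, followed by a success (4624, logon type 10). The Go program below is an added example, not code from the advisory or the page; the pipe-separated export format, the sample records and the threshold/window values are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// LogonEvent is one Windows Security log record reduced to the fields the
// heuristic needs. Event ID 4625 is a failed logon and 4624 a successful one;
// logon type 10 (RemoteInteractive) is how an RDP session logon is recorded.
type LogonEvent struct {
	Time      time.Time
	EventID   int
	LogonType int
	User      string
	SourceIP  string
}

// ParseLine parses one line of a constructed pipe-separated export
// (timestamp|event id|logon type|account|source address). The format is an
// assumption for this example, not a native Windows or SIEM format.
func ParseLine(line string) (LogonEvent, error) {
	f := strings.Split(strings.TrimSpace(line), "|")
	if len(f) != 5 {
		return LogonEvent{}, fmt.Errorf("expected 5 fields, got %d: %q", len(f), line)
	}
	ts, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return LogonEvent{}, err
	}
	id, err := strconv.Atoi(f[1])
	if err != nil {
		return LogonEvent{}, err
	}
	lt, err := strconv.Atoi(f[2])
	if err != nil {
		return LogonEvent{}, err
	}
	return LogonEvent{Time: ts, EventID: id, LogonType: lt, User: strings.ToLower(f[3]), SourceIP: f[4]}, nil
}

// Alert describes one source address that brute-forced its way into RDP.
type Alert struct {
	SourceIP string
	User     string
	Failures int
	Success  time.Time
}

// DetectRDPBruteForce returns an alert for every successful RDP logon that was
// preceded, from the same source address, by at least threshold failed RDP
// logons within window. Events of other logon types are ignored.
func DetectRDPBruteForce(lines []string, threshold int, window time.Duration) ([]Alert, error) {
	var events []LogonEvent
	for _, l := range lines {
		if strings.TrimSpace(l) == "" {
			continue
		}
		e, err := ParseLine(l)
		if err != nil {
			return nil, err
		}
		if e.LogonType == 10 {
			events = append(events, e)
		}
	}
	// Exports are not always in time order; the heuristic depends on it.
	sort.SliceStable(events, func(i, j int) bool { return events[i].Time.Before(events[j].Time) })

	failures := map[string][]time.Time{}
	var alerts []Alert
	for _, e := range events {
		switch e.EventID {
		case 4625:
			failures[e.SourceIP] = append(failures[e.SourceIP], e.Time)
		case 4624:
			n := 0
			for _, ft := range failures[e.SourceIP] {
				if e.Time.Sub(ft) <= window {
					n++
				}
			}
			if n >= threshold {
				alerts = append(alerts, Alert{SourceIP: e.SourceIP, User: e.User, Failures: n, Success: e.Time})
			}
		}
	}
	return alerts, nil
}

// SampleLog is a constructed excerpt, not a real capture: one address
// (203.0.113.7) fails six times in under two minutes and then succeeds; a
// second address mistypes once and succeeds; one non-RDP logon is present.
var SampleLog = []string{
	"2022-06-30T02:14:05Z|4625|10|administrator|203.0.113.7",
	"2022-06-30T02:14:21Z|4625|10|administrator|203.0.113.7",
	"2022-06-30T02:14:40Z|4625|10|admin|203.0.113.7",
	"2022-06-30T02:15:02Z|4625|10|backup|203.0.113.7",
	"2022-06-30T02:15:19Z|4625|10|administrator|203.0.113.7",
	"2022-06-30T02:15:33Z|4625|10|administrator|203.0.113.7",
	"2022-06-30T02:15:50Z|4624|10|administrator|203.0.113.7",
	"2022-06-30T02:16:10Z|4624|3|svc-backup|203.0.113.7",
	"2022-06-30T08:01:12Z|4625|10|jsmith|198.51.100.9",
	"2022-06-30T08:01:30Z|4624|10|jsmith|198.51.100.9",
}

func main() {
	alerts, err := DetectRDPBruteForce(SampleLog, 5, 10*time.Minute)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("RDP brute force from %s: %d failures, then success as %q at %s\n",
			a.SourceIP, a.Failures, a.User, a.Success.Format(time.RFC3339))
	}
}
```

With the sample data only 203.0.113.7 is flagged; the single typo from 198.51.100.9 stays below the threshold, and the logon-type filter keeps a later network (type 3) logon from the attacker's address from counting as a second RDP success. In production the same logic runs over a SIEM query for 4624/4625 with LogonType 10, and the threshold and window should be tuned to the environment's normal failure rate.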
To avoid detection inside a compromised machine, MedusaLocker kills running security and antivirus tools, which lets it persist and complete its objectives unhindered. Once established, the ransomware encrypts the victim's files with AES-256 and protects the AES key with an RSA-2048 public key, so the files cannot be recovered without the operators' corresponding private key.
The agencies included several recommendations in their advisory to help organisations avoid being victimised by this campaign. Organisations are advised to implement and test a recovery plan so that data can be restored if it is stolen or encrypted. Companies should also apply stricter controls on who may access sensitive corporate files. Lastly, up-to-date backups of company data should be kept offline, on storage that an attacker who has compromised the network cannot reach or encrypt.