Our recent research has highlighted the presence of the MedusaLocker ransomware, which first surfaced in mid-2019. Its primary targets are the Hospital and Healthcare industries. MedusaLocker employs AES and RSA encryption techniques to encrypt victims’ data.
At the start, it performs a check for the presence of a Mutex. If the Mutex does not exist, it proceeds to create the Mutex using the CreateMutexW() function, as shown in the below fig:
MedusaLocker checks to determine whether the current process runs with administrative privileges. If it detects that the process lacks admin privileges, it employs a User Account Control (UAC) bypass technique to attain elevated privileges.
It adds the registry key HKEY_CURRENT_USER\SOFTWARE\MDSLK\ with the name “self” and data as the application name, designating the system being infected by MDuSaLocker.
Like other ransomware, MedusaLocker also terminates specific services by referencing a hardcoded list of services. It compares this list with the currently running services, and if any of the hardcoded services are found to be running, it stops them using the CloseServiceHandle(), as shown in the below fig:
List of Hardcoded services:
wrapper, DefWatch, ccEvtMgr, ccSetMgr, SavRoam, sqlservr, sqlagent, sqladhlp, Culserver, RTVscan, sqlbrowser, SQLADHLP, QBIDPService, Intuit.QuickBooks.FCS, QBCFMonitorService, sqlwriter, msmdsrv, tomcat6, zhudongfangyu, SQLADHLP, vmware-usbarbitator64, vmware-converter, dbsrv12, dbeng8
Ransomware uses CreateToolhelp32Snapshot() to retrieve the running processes. It compares with a predefined list of hardcoded processes. If any of the hardcoded processes are detected as running, the ransomware proceeds to terminate those processes using the TerminateProcess, as shown in the below fig:
List of Hardcoded Process:
wxServer.exe, wxServerView, sqlservr.exe, sqlmangr.exe, RAgui.exe, supervise.exe, Culture.exe, RTVscan.exe, Defwatch.exe, sqlbrowser.exe, winword.exe, QBW32.exe, QBDBMgr.exe, qbupdate.exe, QBCFMonitorService.exe, axlbridge.exe, QBIDPService.exe, httpd.exe, fdlauncher.exe, MsDtSrvr.exe, tomcat6.exe, java.exe, 360se.exe, 360doctor.exe, wdswfsafe.exe, fdlauncher.exe, fdhost.exe, GDscan.exe, ZhuDongFangYu.exe
MedusaLocker uses hardcoded commands to remove backups, delete the shadow copy, etc.
Medusa Locker ransomware duplicates its malicious executable as either “svhost.exe” or “svchostt.exe” within the user’s roaming application data directory (%AppData%\Roaming) to establish persistence and ensure the malware runs during system start-up, allowing it to continue encrypting files.
In the encryption process like other ransomware, it also excludes the list of files, folders, and hardcoded extensions from the encryption process.
The ransomware uses both AES+RSA encryption keys. The ransomware employs AES 256 encryption to lock the victim’s files, creating a unique AES encryption key. This AES key is then encrypted using an embedded RSA public key, resulting in the ciphertext. The RSA encryption ensures that without the corresponding private key, decryption of the AES key is practically impossible.
The AES key is essential for unlocking the victim’s files, making access contingent on obtaining the private key from the attackers.
The ransomware tries to retrieve the logical drives using the API call GetLogicalDrives to encrypt the system.
It drops the Ransom note in an HTML file which contains the personal ID, Tor link, and emails of attackers.
After Encryption, the ransomware uses Windows Network API NetShareEnum to enumerate network share. It processes share names, performs string manipulations, and checks for the presence of “$” in share names.
It seeks to spread to other devices on the same network, attempting to infect them like a digital contagion.
· Do not download and open any attachments from unknown sources.
· Avoid clicking on any unverified link. The leading cause of ransomware attacks is clicking on untrusted links and attachments.
· Regularly update your operating system, applications, and software to fix known vulnerabilities, often exploited by ransomware.
· Back up your data so that it can be recovered in case of a ransomware attack.
Medusa Locker ransomware is a notorious strain of malicious software that encrypts victims’ files, rendering them inaccessible until a ransom is paid. This dangerous malware has caused widespread damage to individuals and organizations alike. As cybercriminals continually evolve their tactics, the threat of Medusa Locker remains ever-present.
· Generic Signature names:
Author – Soumen Burma
Co-Author – Vaibhav Krushna Billade