This Ransomware Exploits RDP Weaknesses to Get Access to Networks

The new joint Cyber Security Advisory (CSA) of the FBI, Cyber Security Infrastructure Security Agency (CISA) and other law enforcement agencies warned that the MedusaLocker ransomware was primarily seen in May 2022 exploiting Remote Desktop Protocol (RDP) configurations to access victims’ network.

The tip is part of CISA’s #StopRansomware collection of ransomware materials. “Based on the observed ransom payments, MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model,” the CSA concluded.

RaaS models entail the collaboration of a ransomware creator and several affiliates, such as access brokers who get initial access and other actors that install the ransomware on victim computers.

According to the CSA, “MedusaLocker ransomware payments appear to be routinely shared between the affiliate, who receives 55 to 60 percent of the ransom, and the developer, who receives the remaining.”

Technical Cyber Security Detail Synopsis:

This ransomware uses a batch file to execute a PowerShell script that spreads MedusaLocker across the network by editing the EnableLinkedConnections value in the infected computer’s registry. This would allow the infected computer to discover hosts and networks connected via the Internet Control Message Protocol (ICMP) and shared storage via the Server Message Block (SMB) protocol.

After the MedusaLocker actors have acquired initial access, the ransomware is spread over the network by altering the machine’s registry to find associated hosts and networks and utilizing the SMB file-sharing protocol to detect linked storage.

According to the CSA, MedusaLocker perpetrators place a ransom letter in every folder containing a file holding the victim’s encrypted data.

Ransomware Attack Method

Following its proliferation throughout a network, MedusaLocker performs the following essential actions:

• The LanmanWorkstation service is restarted, allowing registry changes to take effect.
• Kills well-known security, accounting, and forensic software processes.
• To escape detection by cyber security software, the system is restarted in safe mode.
• Encrypts target files using the AES-256 encryption technique and then encrypts the generated key using an RSA-2048 public key.
• Runs every 60 seconds, encrypting all files save those crucial to the victim’s machine’s functioning and those with the selected encrypted file extension.
• Persistence is established by setting a task to launch the ransomware every 15 minutes.
• Attempts to thwart traditional recovery methods by erasing local backups, blocking startup recovery choices, and erasing shadow copies.

Counter-Security Measures

These attacks can be avoided. The agencies’ proposed mitigations include:

• Implement a disaster recovery strategy that keeps several copies of sensitive or proprietary data and servers in a physically distinct, segregated, and secure place.
• Implement network segmentation and keep offline backups of data. Backup data on a regular basis and password encrypt backup copies are kept offline.
• Ensure that copies of vital data are not modified or deleted from the system.