MedusaLocker Ransomware Technical Details

Fortify Security Team
Sep 28, 2024

Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. The MedusaLocker actors encrypt theMedusaLocker victim’s data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to provide ransomware payments to a specific Bitcoin wallet address. MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments. Typical RaaS models involve the ransomware developer and various affiliates that deploy the ransomware on victim systems. MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom, and the developer, who receives the remainder.

MEDUSALOCKER TECHNICAL DETAILS

MedusaLocker ransomware actors most often gain access to victim devices through vulnerable Remote Desktop Protocol (RDP) configurations [T1133]. Actors also frequently use email phishing and spam email campaigns—directly attaching the ransomware to the email—as initial intrusion vectors [T1566].

MedusaLocker ransomware uses a batch file to execute PowerShell script invoke-ReflectivePEInjection [T1059.001]. This script propagates MedusaLocker throughout the network by editing the EnableLinkedConnections value within the infected machine’s registry, which then allows the infected machine to detect attached hosts and networks via Internet Control Message Protocol (ICMP) and to detect shared storage via Server Message Block (SMB) Protocol.

MedusaLocker then:

  • Restarts the LanmanWorkstation service, which allows registry edits to take effect.
  • Kills the processes of well-known security, accounting, and forensic software.
  • Restarts the machine in safe mode to avoid detection by security software [T1562.009].
  • Encrypts victim files with the AES-256 encryption algorithm; the resulting key is then encrypted with an RSA-2048 public key [T1486].
  • Runs every 60 seconds, encrypting all files except those critical to the functionality of the victim’s machine and those that have the designated encrypted file extension.
  • Establishes persistence by copying an executable (svhost.exe or svhostt.exe) to the %APPDATA%\Roaming directory and scheduling a task to run the ransomware every 15 minutes.
  • Attempts to prevent standard recovery techniques by deleting local backups, disabling startup recovery options, and deleting shadow copies [T1490].

MedusaLocker actors place a ransom note into every folder containing a file with the victim’s encrypted data. The note outlines how to communicate with the MedusaLocker actors, typically providing victims one or more email address at which the actors can be reached. The size of MedusaLocker ransom demands appears to vary depending on the victim’s financial status as perceived by the actors.

Indicators of Compromise

Encrypted File Extensions

.1btc
.matlock20
.marlock02
.readinstructions
.bec
.mylock
.jpz.nz
.marlock11
.cn
.NET1
.key1
.fileslocked
.datalock
.NZ .lock
.lockfilesUS
.deadfilesgr
.tyco
.lockdata7
.rs
.faratak
.uslockhh
.lockfiles
.tyco
.fileslock
.zoomzoom
.perfection
.uslockhh
.marlock13
n.exe
.Readinstruction
.marlock08
.marlock25
.nt_lock20
.READINSTRUCTION
.marlock6
.marlock01
.ReadInstructions

Ransom Note File Names

how_to_ recover_data.html
how_to_recover_data.html.marlock01
instructions.html
READINSTRUCTION.html
!!!HOW_TO_DECRYPT!!!
How_to_recovery.txt
readinstructions.html
readme_to_recover_files
recovery_instructions.html
HOW_TO_RECOVER_DATA.html

Payment Wallets

14oxnsSc1LZ5M2cPZeQ9rFnXqEvPCnZikc
1DRxUFhvJjGUdojCzMWSLmwx7Qxn79XbJq
18wRbb94CjyTGkUp32ZM7krCYCB9MXUq42
1AbRxRfP6yHePpi7jmDZkS4Mfpm1ZiatH5
1Edcufenw1BB4ni9UadJpQh9LVx9JGtKpP
1DyMbw6R9PbJqfUSDcK5729xQ57yJrE8BC
184ZcAoxkvimvVZaj8jZFujC7EwR3BKWvf
14oH2h12LvQ7BYBufcrY5vfKoCq2hTPoev
bc1qy34v0zv6wu0cugea5xjlxagsfwgunwkzc0xcjj
bc1q9jg45a039tn83jk2vhdpranty2y8tnpnrk9k5q
bc1qz3lmcw4k58n79wpzm550r5pkzxc2h8rwmmu6xm
1AereQUh8yjNPs9Wzeg1Le47dsqC8NNaNM
1DeNHM2eTqHp5AszTsUiS4WDHWkGc5UxHf
1HEDP3c3zPwiqUaYuWZ8gBFdAQQSa6sMGw
1HdgQM9bjX7u7vWJnfErY4MWGBQJi5mVWV
1nycdn9ebxht4tpspu4ehpjz9ghxlzipll
12xd6KrWVtgHEJHKPEfXwMVWuFK4k1FCUF
1HZHhdJ6VdwBLCFhdu7kDVZN9pb3BWeUED
1PormUgPR72yv2FRKSVY27U4ekWMKobWjg
14cATAzXwD7CQf35n8Ea5pKJPfhM6jEHak
1PopeZ4LNLanisswLndAJB1QntTF8hpLsD

Email Addresses

willyhill1960@tutanota[.]com
unlockfile@cock[.]li
zlo@keem[.]ne
unlockmeplease@airmail[.]cc
zlo@keemail[.]me
unlockmeplease@protonmail[.]com
zlo@tfwno[.]gf
willyhill1960@protonmail[.]com
support@ypsotecs[.]com
support@imfoodst[.]com
traceytevin@protonmail[.]com
support@itwgset[.]com
unlock_file@aol[.]com
support@novibmaker[.]com
unlock_file@outlook[.]com
support@securycasts[.]com
support@exoprints[.]com
rewmiller-1974@protonmail[.]com
support@exorints[.]com
rpd@keemail[.]me
support@fanbridges[.]com
soterissylla@wyseil[.]com
support@faneridges[.]com
support@careersill[.]com
perfection@bestkoronavirus[.]com
karloskolorado@tutanota[.]com
pool1256@tutanota[.]com
kevynchaz@protonmail[.]com
rapid@aaathats3as[.]com
korona@bestkoronavirus[.]com
rescuer@tutanota[.]com
lockPerfection@gmail[.]com
ithelp01@decorous[.]cyou
lockperfection@gmail[.]com
ithelp01@wholeness[.]business
mulierfagus@rdhos[.]com
ithelp02@decorous[.]cyou
[rescuer]@cock[.]li
ithelp02@wholness[.]business
107btc@protonmail[.]com
ithelpresotre@outlook[.]com
33btc@protonmail[.]com
cmd@jitjat[.]org
777decoder777@protonmail[.]com
coronaviryz@gmail[.]com
777decoder777@tfwno[.]gf
dec_helper@dremno[.]com
andrewmiller-1974@protonmail[.]com
dec_helper@excic[.]com
angelomartin-1980@protonmail[.]com
dec_restore@prontonmail[.]com
ballioverus@quocor[.]com
dec_restore1@outlook[.]com
beacon@jitjat[.]org
bitcoin@sitesoutheat[.]com
beacon@msgsafe[.]io
briansalgado@protonmail[.]com
best666decoder@tutanota[.]com
bugervongir@outlook[.]com
bitcoin@mobtouches[.]com
best666decoder@protonmail[.]com
encrypt2020@outlook[.]com
decoder83540@cock[.]li
fast-help@inbox[.]lv
decra2019@gmail[.]com
fuc_ktheworld1448@outlook[.]com
diniaminius@winrof[.]com
fucktheworld1448@cock[.]li
dirhelp@keemail[.]me
gartaganisstuffback@gmail[.]com
[email protected][.]ma
gavingonzalez@protonmail[.]com
emd@jitjat[.]org
gsupp@onionmail[.]org
encrypt2020@cock[.]li
gsupp@techmail[.]info
best666decoder@protonmail[.]com
helper@atacdi[.]com
ithelp@decorous[.]cyou
helper@buildingwin[.]com
ithelp@decorous[.]cyoum
helprestore@outlook[.]com
ithelp@wholeness[.]business
helptorestore@outlook[.]com

TOR Addresses

http://gvlay6u4g53rxdi5.onion/6-6pjEvFZDqKGImP5qrs2XAcUKUHwXPR1Z-TEoTUp59yNfI5FvTMcD8975LO4G5T11r
http://gvlay6u4g53rxdi5.onion/8-Q5nAvqllwd3MfqeE0pWJTLrpdpedeyBF-ytD1F9caSDprxEXHUk2x5QvViqNNwB15
http://gvlay6u4g53rxdi5.onion/8-C2kYOdVUD5w7FCS7Cjv7dywCHiB7gOvj-XDvJwwmKFQvHfdsIr0Kk0sukibsOMjnS
http://gvlay6u4g53rxdi5.onion/8-8L5bNFyD8DPX1p2M9EjmYfaLY1lAqg79-C9SR2i1pCCT8iTPT4LclPAYEfg57q8L7
http://gvlay6u4g53rxdi5.onion/21-l5PsticiJxSsATvI0EAoDaiDk9Ni5LN7-GbG7h1T5qj8G56DwL6ErAFV4VPAqgElY
http://gvlay6u4g53rxdi5.onion/8-8L5bNFyD8DPX1p2M9EjmYfaLYIlAqg79-GbkvQGP5SSsJ496BbaTuJIlnSXGoO8BR
http://gvlay6u4g53rxdi5.onion/6-6pjEvFZDqKGImP5qrs2xAcUKUHwXPR1Z-IYKZ5sg9aKsj0gmqagMRhAPyysmf3Ul9
http://gvlay6u4g53rxdi5.onion/8-HJ80arrsNcyop4g6Jcxr2U0wFE9CYxKE-KXTlwgVTO2o6DH9o0TZrdxr1mull3lt4
http://gvlay6u4g53rxdi5.onion/30WXEJKEM4IEY4256M0BQ0LN02ZNDD0BVI/4VISXPQ2IBACCVXHSNEOXV2VGWFIIL4W
http://gvlay6u4g53rxdi5.onion/5-WZ8TKeY6iVCXnJr5A1fMtXao7V5HnMSa-0cy030agZGkRhxMY2WQg46fymnvMDado
http://gvlay6u4g53rxdi5.onion/38-qSGLNKQbFBAEKEB29nqJa8rbiMqeeCtj-lTnNXMbYwGbIP4Ag2FMqQLRIi6SdtDqV
http://gvlay6u4g53rxdi5.onion/21-8P4ZLCsMTPaLw9MkSlXJsNZWdHe0rxjt-Vi9ngqKVf2QPgXxOVPovjRinSwPYOtt6
http://gvlay6u4g53rxdi5.onion/6-iSm1B1Ehljh8HYuXGym4Xyu1WdwsR2Av-6tXiw1BImsqoLh7pd207Rl6XYoln7sId
http://gvlay6u4g53rxdi5.onion/8-grp514hncgblilsjtd32hg6jtbyhlocr5pqjswxfgf2oragnl3pqno6fkqcimqin
http://gvlay6y4g53rxdi5.onion/21-8P4ZLCsMETPaLw9MkSlXJsNZWdHe0rxjt-XmBgZLWlm5ULGFCOJFuVdEymmxysofwu
http://gvlay6u4g53rxdi5.onion/2l-8P4ZLCsMTPaLw9MkSlXJsNZWdHeOrxjtE9lck1MuXPYo29daQys6gomZZXUImN7Z
http://gvlay6u4g53rxdi5.onion/21-8P4ZLCsMTPaLw9MkSlXJsNZWdHe0rxjt-DcaE9HeHywqSHvdcIwOndCS4PuWASX8g
http://gvlay6u4g53rxdi5.onion/21-8P4ZLCsMTPaLw9MkSlXJsNZWdHe0rxjt-kB4rQXGKyxGiLyw7YDsMKSBjyfdwcyxo
http://gvlay6u4g53rxdi5.onion/21-8P4ZLCsMTPaLw9MkSlXJsNZWdHe0rxjt-bET6JbB9vEMZ7qYBPqUMCxOQExFx4iOi
http://gvlay6u4g53rxdi5. onion/8-MO0Q7O97Hgxvm1YbD7OMnimImZJXEWaG-RbH4TvdwVTGQB3X6VOUOP3lgO6YOJEOW
http://gvlay6u4g53rxdi5.onion/8-gRp514hncgb1i1sjtD32hG6jTbUh1ocR-Uola2Fo30KTJvZX0otYZgTh5txmKwUNe
http://gvlay6u4g53rxdi5.onion/21-E6UQFCEuCn4KvtAh4TonRTpyHqFo6F6L-OWQwD1w1Td7hY7IGUUjxmHMoFSQW6blg
http://gvlay6u4g53rxdi5.onion/21-E6UQFCEuCn4KvtAh4TonRTpyHqFo6F6L-uGHwkkWCoUtBbZWN50sSS4Ds8RABkrKy
http://gvlay6u4g53rxdi5.onion/21-E6UQFCEuCn4KvtAh4TonRTpyHqFo6F6L-Tj3PRnQlpHc9OftRVDGAWUulvE80yZbc
http://gvlay6u4g53rxdi5.onion/8-Ww5sCBhsL8eM4PeAgsfgfa9lrqa81r31-tDQRZCAUe4164X532j9Ky16IBN9StWTH
http://gvlay6u4g53rxdi5.onion/21-wIq5kK9gGKiTmyups1U6fABj1VnXIYRB-I5xek6PG2EbWlPC7C1rXfsqJBlWlFFfY
qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
http://medusacegu2ufmc3kx2kkqicrlcxdettsjcenhjena6uannk5f4ffuyd.onion/leakdata/paigesmusic-leakdata-closed-part1

MITIGATIONS

  • Implement a recovery plan that maintains and retains multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, or the cloud).
  • Implement network segmentation and maintain offline backups of data to ensure limited interruption to the organization.
  • Regularly back up data and password protect backup copies stored offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
  • Install, regularly update, and enable real-time detection for antivirus software on all hosts.
  • Install updates for operating systems, software, and firmware as soon as possible.
  • Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
  • Disable unused ports.
  • Consider adding an email banner to emails received from outside your organization.
  • Disable hyperlinks in received emails.
  • Enforce multifactor authentication (MFA).
  • Use National Institute of Standards and Technology (NIST) standards for developing and managing password policies:
    • Use longer passwords consisting of at least 8 characters and no more than 64 characters in length.
    • Store passwords in hashed format using industry-recognized password managers.
    • Add password user “salts” to shared login credentials.
    • Avoid reusing passwords.
    • Implement multiple failed login attempt account lockouts.
    • Disable password “hints.”
    • Refrain from requiring password changes unless there is evidence of password compromise.
      Note: NIST guidance suggests favoring longer passwords and no longer require regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” cyber criminals can easily decipher.
    • Require administrator credentials to install software.
  • Only use secure networks; avoid using public Wi-Fi networks.
  • Consider installing and using a virtual private network (VPN) to establish secure remote connections.
  • Focus on cybersecurity awareness and training. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities, such as ransomware and phishing scams.

 

Recent Posts

BlackCat/ALPHV Ransomware IOCs

As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using RUST, considered to be a more secure programming language that offers improved performance and...

IOCs Associated with Ranzy Locker Ransomware

The FBI first identified Ranzy Locker ransomware in late 2020 when the variant began to target victims in the United States. Unknown cyber criminals using Ranzy Locker ransomware had compromised more than 30 US businesses as of July 2021. The victims include the...

Conti Ransomware

While Conti is considered a ransomware-as-a-service (RaaS) model ransomware variant, there is variation in its structure that differentiates it from a typical affiliate model. It is likely that Conti developers pay the deployer's of the ransomware a wage rather than a...

Conti Ransomware

While Conti is considered a ransomware-as-a-service (RaaS) model ransomware variant, there is variation in its structure that differentiates it from a typical affiliate model. It is likely that Conti developers pay the deployer's of the ransomware a wage rather than a...

BlackMatter Ransomware

This advisory provides information on cyber actor tactics, techniques, and procedures (TTPs) obtained from a sample of BlackMatter ransomware analyzed in a sandbox environment as well from trusted third-party reporting. Using embedded, previously compromised...

Indicators of Compromise Associated with IcedID

FBI reporting has indicated a recent increase in IcedID malware acting as a “dropper,” infecting victims with additional malware. Examples of ransomware variants dropped by IcedID include Defray777, GlobeImposter, Cuba, Conti, and REvil (aka Sodinokibi). First...