Ransomware .infected: learn details about the operation of the MedusaLocker ransomware variant - ISH Tecnologia

Ransomware .infected: learn details about the operation of the MedusaLocker ransomware variant

By Heimdall and ISH DFIR: A ransomware variant of the MedusaLocker family, known as ".infected", identified in mid-September 2019, continues to operate and affect several organizations around the world.

This ransomware works by encrypting data and then demanding that the organization make a payment in exchange for a key/tool to decrypt the files. The ransom note usually contains instructions for the victim to contact the attackers.

Ransomware evolved into Ransomware-as-a-Service (RaaS) and, by 2022, the group would have introduced DLS (Data Leak Site) for compromised victims.

Read on for details of the TTPs (Tactics, Techniques and Procedures) used by the Ransomware operator, collected on the basis of the activities of our Incident Response team (DFIR).

About MedusaLocker

MedusaLocker has had 2 phases throughout its operation, one before TOR v3 and the other after TOR v3. In addition, this variant does not add an extension such as ".medusa" to your encrypted file, as they add various other names to the extensions, such as ".skynet, .marlock, .farlock", among others.

After encryption, the group directs the victim to log in and start negotiating for victims through the portal.

MedusaLocker ransomware negotiation portal

And if the victim doesn't make the payment or negotiate, the group publishes the victim's data on another site, known as a DLS (data leak site). We accessed both links provided by the group and, at the time of access, they were not in operation.

Analysis of the attack and the .infected Ransomware

It was observed that the threat actor connected via RDP (Remote Desktop Protocol) with an external IP address located in Russia.

After access via RDP, the threat actor began executing commands used and identified in various cyber attacks, such as: SMBEnum, SMBClient, WMIExec and SMBExec via PowerShell.

Commands used via RDP through PowerShell

In addition, the commands observed are part of the tool available on Github known as "Invoke-TheHash", which contains PowerShell functions to perform WMI and SMB hash tasks. It's worth noting that you don't need administrator privileges to run this script.

After gaining access, several brute force attempts were observed on other devices in the network, since several external IP addresses were used for network logon attempts.

It was also identified that one of the users used to log in had several files in folders in the user's directory, among them artifacts called "3.exe" and "In.exe". In addition to the two tools, other tools such as "Advanced_Port_Scanner.2.5.3839.exe" and "mimik.exe" were identified and executed by the suspicious user.

Next, the creation of a new user was identified, bearing in mind that after the initial RDP access, it took six minutes to create a new account.

One of the curious facts is that the new user ended up adding one of the previously identified files (In.exe) directly to the "Run" registry key, located in Microsoft\Windows\CurrentVersion\Run, indicating that the file would be executed as soon as the system was booted. The key change occurred 3 hours after the user was created.

Another configuration used for persistence in this system is that the user created has been configured so that their password never expires, thus using access whenever possible to return.

Subsequently, the device was restarted and the present attack using a ransomware payload was identified, displaying the Ransom Note to the user.

Redemption note presented to the user

In view of this, the team analyzed the artifact in order to describe how it worked technically, as well as providing IOC and IOA related to the attack.

analysis of this file, it was possible to verify that it had been compiled 5 days before the initial access with RDP, using Microsoft Visual C/C++, with a size of 425472 bytes. Another curious fact is that the .pdb file has a specific path using: D:\Education\locker\bin\stub_win_x64_encrypter.pdb.

The .pdb file corresponds to the association to the compiled code in languages such as C/C++, practically the file contains deputation information which is used by developers and debuggers to map the machine code to the original source code.

.pdb file associated with the ransomware code

In the static analysis of the code itself, commands used by the payload to terminate certain processes were observed, as well as to query or use network tools native to the Operating System.

Once executed, the process generates a command line window detailing various actions carried out by the process and, when initialized, the process defines various settings such as the Public Key used, the text of the note and the extension of the post-encryption files.

Ransomware startup configuration
Extension ".infected" and Public Key used by Ransomware

The ransomware process executes commands to ensure as much impact as possible, including in this case shutting down database services, deleting files for recovery and shutting down backup services.

Commands used to damage the operating system
Processes created by Ransomware through CMD

The ransomware also deletes certain types of files and folders in the operating system, such as:

Extensions and folders ignored by Ransomware encryption

The ransomware then starts scanning and encrypting the host's files. It's worth noting that the ransomware uses a combination of the AES and RSA-2048 algorithms for encryption.

Data encryption process

The analysis confirmed that this process creates a registry execution key called "BabyLockerKZ" for the current user targeting the location of the malicious file to ensure some kind of persistence on the host.

Registry in the Windows \Run key

After encryption, the Ransomware appends the extension ".infected" to the encrypted files and dumps the Ransom Note called "HOW_TO_BACK_FILES.html".

Therefore, we have added the Tactics, Techniques and Procedures used by the group/affiliate in this identified attack to the specific section, thus facilitating identification and action in future detection:


Command and Scripting Interpreter: PowerShell T1059.001The member used PowerShell to execute a series of enumeration commands.
Command and Scripting Interpreter: PowerShell T1059.003The ransomware sample uses cmd to launch attacks and interrupt services.
API Native T1106The affiliate and payload used native APIs to interact with application programming.

Boot or Logon Autostart Execution T1547The adversary can use the ransomware to automatically execute the program during system startup or logon in order to persist.
Create Account T1136The adversary has created valid accounts in the network environment.
Privilege Escalation

Boot or Logon Autostart Execution T1547The adversary can use the ransomware to automatically execute the program during system startup or logon for persistence and privilege.
Abuse Elevation Control Mechanism: Bypass User Account Control T1548.002The threat actor uses the UAC mechanisms to elevate privileges.
Defense Evasion

Modify Registry T1112The adversary modified registry keys to execute the ransomware.
Access credential

Brute Force T1110The adversary was identified as carrying out brute force attacks on accounts in the victim's environment.
OS Credential Dumping T1003Identified that the threat actor used tools to dump credentials.
Lateral Movement

Remove Services: SMB/Windows Admin Shares T1021.002The adversary used valid accounts to interact with the network share using Server Message Block (SMB).
Remove Services: Remote Desktop Protocol T1021.001The adversary used the RDP service to make the initial connection and start the attack.

File and Directory Discovery T1083The payload uses file and directory enumeration to cause the maximum number of encrypted files.

Data Encrypted for Impact T1486The ransomware encrypts data using AES and RSA-2048
Service Stop T1489The ransomware paralyzes services running on the system.
Inhibit System Recovery T1490The ransomware executes commands aimed at inhibiting the recovery of the operating system, deleting backups and VSS.

Diamond Model

According to the analysis carried out, it was possible to map, using the Diamond Model, the operation carried out by the MedusaLocker Ransomware affiliate of the ".infected" variant.

Diamond Model of the MedusaLocker Ransomware based on the attack

Indicators of Commitment (IOCs)

ISH Tecnologia handles various indicators of compromise collected through open and closed sources, as well as analysis carried out by the Heimdall security team.

In view of this, below we list all the Indicators of Commitment (IOCs) related to the analysis of the artifact(s) in this report:

Artifact Commitment Indicators
Artifact Commitment Indicators
Artifact Commitment Indicators
Artifact Commitment Indicators
Artifact Commitment Indicators
Artifact Commitment Indicators

URL, IP and domain indicators

Network Commitment Indicators

Note: The links and IP addresses listed above may be active; be careful when manipulating these IoCs, to avoid clicking on them and becoming a victim of the malicious content hosted on the IoC.


Leave a Comment

Your e-mail address will not be published. Required fields are marked with *