By Heimdall and ISH DFIR: A ransomware variant of the MedusaLocker family, known as ".infected", identified in mid-September 2019, continues to operate and affect several organizations around the world.
This ransomware works by encrypting data and then demanding that the organization make a payment in exchange for a key/tool to decrypt the files. The ransom note usually contains instructions for the victim to contact the attackers.
Ransomware evolved into Ransomware-as-a-Service (RaaS) and, by 2022, the group would have introduced DLS (Data Leak Site) for compromised victims.
Read on for details of the TTPs (Tactics, Techniques and Procedures) used by the Ransomware operator, collected on the basis of the activities of our Incident Response team (DFIR).
About MedusaLocker
MedusaLocker has had 2 phases throughout its operation, one before TOR v3 and the other after TOR v3. In addition, this variant does not add an extension such as ".medusa" to your encrypted file, as they add various other names to the extensions, such as ".skynet, .marlock, .farlock", among others.
After encryption, the group directs the victim to log in and start negotiating for victims through the portal.
And if the victim doesn't make the payment or negotiate, the group publishes the victim's data on another site, known as a DLS (data leak site). We accessed both links provided by the group and, at the time of access, they were not in operation.
Analysis of the attack and the .infected Ransomware
It was observed that the threat actor connected via RDP (Remote Desktop Protocol) with an external IP address located in Russia.
After access via RDP, the threat actor began executing commands used and identified in various cyber attacks, such as: SMBEnum, SMBClient, WMIExec and SMBExec via PowerShell.
In addition, the commands observed are part of the tool available on Github known as "Invoke-TheHash", which contains PowerShell functions to perform WMI and SMB hash tasks. It's worth noting that you don't need administrator privileges to run this script.
After gaining access, several brute force attempts were observed on other devices in the network, since several external IP addresses were used for network logon attempts.
It was also identified that one of the users used to log in had several files in folders in the user's directory, among them artifacts called "3.exe" and "In.exe". In addition to the two tools, other tools such as "Advanced_Port_Scanner.2.5.3839.exe" and "mimik.exe" were identified and executed by the suspicious user.
Next, the creation of a new user was identified, bearing in mind that after the initial RDP access, it took six minutes to create a new account.
One of the curious facts is that the new user ended up adding one of the previously identified files (In.exe) directly to the "Run" registry key, located in Microsoft\Windows\CurrentVersion\Run, indicating that the file would be executed as soon as the system was booted. The key change occurred 3 hours after the user was created.
Another configuration used for persistence in this system is that the user created has been configured so that their password never expires, thus using access whenever possible to return.
Subsequently, the device was restarted and the present attack using a ransomware payload was identified, displaying the Ransom Note to the user.
In view of this, the team analyzed the artifact in order to describe how it worked technically, as well as providing IOC and IOA related to the attack.
analysis of this file, it was possible to verify that it had been compiled 5 days before the initial access with RDP, using Microsoft Visual C/C++, with a size of 425472 bytes. Another curious fact is that the .pdb file has a specific path using: D:\Education\locker\bin\stub_win_x64_encrypter.pdb.
The .pdb file corresponds to the association to the compiled code in languages such as C/C++, practically the file contains deputation information which is used by developers and debuggers to map the machine code to the original source code.
In the static analysis of the code itself, commands used by the payload to terminate certain processes were observed, as well as to query or use network tools native to the Operating System.
Once executed, the process generates a command line window detailing various actions carried out by the process and, when initialized, the process defines various settings such as the Public Key used, the text of the note and the extension of the post-encryption files.
The ransomware process executes commands to ensure as much impact as possible, including in this case shutting down database services, deleting files for recovery and shutting down backup services.
The ransomware also deletes certain types of files and folders in the operating system, such as:
The ransomware then starts scanning and encrypting the host's files. It's worth noting that the ransomware uses a combination of the AES and RSA-2048 algorithms for encryption.
The analysis confirmed that this process creates a registry execution key called "BabyLockerKZ" for the current user targeting the location of the malicious file to ensure some kind of persistence on the host.
After encryption, the Ransomware appends the extension ".infected" to the encrypted files and dumps the Ransom Note called "HOW_TO_BACK_FILES.html".
Therefore, we have added the Tactics, Techniques and Procedures used by the group/affiliate in this identified attack to the specific section, thus facilitating identification and action in future detection:
| Tactics | Technique | Details |
| Execution TA0002 | Command and Scripting Interpreter: PowerShell T1059.001 | The member used PowerShell to execute a series of enumeration commands. |
| Command and Scripting Interpreter: PowerShell T1059.003 | The ransomware sample uses cmd to launch attacks and interrupt services. | |
| API Native T1106 | The affiliate and payload used native APIs to interact with application programming. | |
| Persistence TA0003 | Boot or Logon Autostart Execution T1547 | The adversary can use the ransomware to automatically execute the program during system startup or logon in order to persist. |
| Create Account T1136 | The adversary has created valid accounts in the network environment. | |
| Privilege Escalation TA0004 | Boot or Logon Autostart Execution T1547 | The adversary can use the ransomware to automatically execute the program during system startup or logon for persistence and privilege. |
| Abuse Elevation Control Mechanism: Bypass User Account Control T1548.002 | The threat actor uses the UAC mechanisms to elevate privileges. | |
| Defense Evasion TA0005 | Modify Registry T1112 | The adversary modified registry keys to execute the ransomware. |
| Access credential TA0006 | Brute Force T1110 | The adversary was identified as carrying out brute force attacks on accounts in the victim's environment. |
| OS Credential Dumping T1003 | Identified that the threat actor used tools to dump credentials. | |
| Lateral Movement TA0008 | Remove Services: SMB/Windows Admin Shares T1021.002 | The adversary used valid accounts to interact with the network share using Server Message Block (SMB). |
| Remove Services: Remote Desktop Protocol T1021.001 | The adversary used the RDP service to make the initial connection and start the attack. | |
| Discovery TA0007 | File and Directory Discovery T1083 | The payload uses file and directory enumeration to cause the maximum number of encrypted files. |
| Impact TA0040 | Data Encrypted for Impact T1486 | The ransomware encrypts data using AES and RSA-2048 |
| Service Stop T1489 | The ransomware paralyzes services running on the system. | |
| Inhibit System Recovery T1490 | The ransomware executes commands aimed at inhibiting the recovery of the operating system, deleting backups and VSS. |
Diamond Model
According to the analysis carried out, it was possible to map, using the Diamond Model, the operation carried out by the MedusaLocker Ransomware affiliate of the ".infected" variant.
Indicators of Commitment (IOCs)
ISH Tecnologia handles various indicators of compromise collected through open and closed sources, as well as analysis carried out by the Heimdall security team.
In view of this, below we list all the Indicators of Commitment (IOCs) related to the analysis of the artifact(s) in this report:
URL, IP and domain indicators
Note: The links and IP addresses listed above may be active; be careful when manipulating these IoCs, to avoid clicking on them and becoming a victim of the malicious content hosted on the IoC.