
Threat Assessment Report: Medusa Ransomware (AKA MedusaLocker)

January 5, 2024

Medusa Ransomware (MedusaLocker), first identified in 2019, remains an active threat. This DACTA report, authored by Parameswaran Ganesan, examines how the malware operates, classifies ransomware into five categories, profiles threat groups such as EmpireMonkey that have deployed it, and draws on an analysis of 1000 ransomware samples to describe current trends. It closes with mitigation strategies that security teams can act on.

Introduction to Ransomware

Ransomware incidents have increased markedly since 2021. A recent breach in the hospitality sector in the Philippines prompted the DACTA team to examine the ransomware landscape in depth.

Ransomware is commonly classified into five categories:

  1. Crypto ransomware or encryptors, which encrypt files and demand payment for the decryption key
  2. Lockers, which block access to the device or screen without encrypting data
  3. Scareware, which only claims to have compromised or infected the system
  4. Doxware or leakware, which threatens to publish stolen data
  5. RaaS (Ransomware as a Service), which is a distribution model rather than a payload type: developers lease the malware and infrastructure to affiliates who run the intrusions

An illustrative diagram is provided to detail the ransomware attack vectors at a high level.

Illustrative diagram of ransomware attack


Historical Context of Medusa Ransomware

MedusaLocker was first observed in September 2019; AKO Doxware, AKO Ransomware and MedusaReborn are variants or aliases that have been grouped with it. Note that several vendors track the Medusa operation that runs the Tor leak blog cited later in this report as a family distinct from MedusaLocker, so indicators for one should not be assumed to apply to the other. From the outset the campaign targeted and encrypted Windows hosts worldwide. Before encrypting, MedusaLocker reboots the host into Safe Mode, where most endpoint security products are not running. It skips executable files so that the system remains bootable and the victim can still read the ransom note and complete the payment process. Files are encrypted with AES, and the AES key is in turn encrypted with an RSA-2048 public key; without the operator's private key, brute-forcing either layer is computationally infeasible, so recovery depends on backups rather than on attacking the cryptography.

Profile of the EmpireMonkey Collective

Notable threat groups deploying MedusaLocker include EmpireMonkey and CobaltGoblin.

EmpireMonkey, a financially motivated cybercriminal group, gained notoriety with its February 2019 heist against the Bank of Valletta, which caused an estimated €13 million in losses, although a significant portion of the funds was later recovered. The initial access vector was most likely spear-phishing of bank employees, consistent with the phishing activity reported by HSBC Malta in October 2018.

Ransomware Trend Analysis

DACTA examined 1000 ransomware samples from MalwareBazaar and found distinct peaks in June, August and November. Note that the dates in MalwareBazaar are first-seen (submission) timestamps, so they track when samples were collected and shared, not when the corresponding intrusions occurred; the peaks should be read as collection trends unless corroborated by incident data.

Data collected from ransomware samples from Malware Bazaar


The dominance of the .exe file type (see below) as the delivered payload underscores the need for strict executable-control policies, such as application allow-listing, and endpoint security controls that inspect behavior rather than file names.

Ransomware samples by file type: .exe files dominate, and as directly executable payloads they carry the highest risk


Data-Driven Insights

  • The June and November peaks may coincide with financial quarter closings, when organizations are under pressure to avoid disruption and may be more willing to pay. This is a hypothesis; the sample data alone does not establish it.
  • The prevalence of .exe files reflects that the ransomware payload is almost always a native Windows executable, and that MalwareBazaar's submissions are largely PE files. It does not mean the .exe is the initial access vector: the executable is typically staged after phishing, credential abuse or an exposed remote service, so execution controls must be paired with controls on those entry points.
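The aggregation behind a trend analysis like the one above can be reproduced from a MalwareBazaar full-data CSV export. The following is an added example, not code from the report or from DACTA: it parses the export layout (comment lines prefixed with "#", then quoted fields), counts samples per first-seen month and per file type, and filters on the family signature. The embedded rows are constructed for this example, with placeholder hashes rather than real samples.

```python
import csv
from collections import Counter

# Column order of a MalwareBazaar full-data CSV export. In the real export the header
# line is itself a '#' comment, so the column names are fixed here instead of read.
FIELDS = [
    "first_seen_utc", "sha256_hash", "md5_hash", "sha1_hash", "reporter", "file_name",
    "file_type_guess", "mime_type", "signature", "clamav", "vtpercent", "imphash",
    "ssdeep", "tlsh",
]

# Constructed excerpt in the export's layout. Hashes are placeholders, not real samples,
# and "n/a" stands in for fields that are irrelevant to the aggregation.
SAMPLE_EXPORT = """\
#################################################################
# MalwareBazaar full data dump (constructed excerpt for this example)
#################################################################
"2023-06-02 08:11:40","sha256-placeholder-1","n/a","n/a","reporter_a","locker.exe","exe","application/x-dosexec","MedusaLocker","n/a","n/a","n/a","n/a","n/a"
"2023-06-15 17:42:03","sha256-placeholder-2","n/a","n/a","reporter_b","setup.exe","exe","application/x-dosexec","MedusaLocker","n/a","n/a","n/a","n/a","n/a"
"2023-06-28 11:05:59","sha256-placeholder-3","n/a","n/a","reporter_a","core.dll","dll","application/x-dosexec","n/a","n/a","n/a","n/a","n/a","n/a"
"2023-08-09 09:30:21","sha256-placeholder-4","n/a","n/a","reporter_c","invoice.exe","exe","application/x-dosexec","MedusaLocker","n/a","n/a","n/a","n/a","n/a"
"2023-08-21 22:14:10","sha256-placeholder-5","n/a","n/a","reporter_b","update.exe","exe","application/x-dosexec","n/a","n/a","n/a","n/a","n/a","n/a"
"2023-11-03 06:55:44","sha256-placeholder-6","n/a","n/a","reporter_a","svc.exe","exe","application/x-dosexec","n/a","n/a","n/a","n/a","n/a","n/a"
"2023-11-17 13:20:05","sha256-placeholder-7","n/a","n/a","reporter_c","archive.zip","zip","application/zip","n/a","n/a","n/a","n/a","n/a","n/a"
"2023-11-29 19:48:37","sha256-placeholder-8","n/a","n/a","reporter_b","locker.exe","exe","application/x-dosexec","MedusaLocker","n/a","n/a","n/a","n/a","n/a"
"""


def parse_export(text):
    """Parse export text into one dict per sample, skipping '#' comment and blank lines."""
    data_lines = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    rows = []
    for rec in csv.reader(data_lines):
        if len(rec) != len(FIELDS):
            raise ValueError(f"unexpected column count {len(rec)} in record {rec[:2]}")
        rows.append(dict(zip(FIELDS, rec)))
    return rows


def by_month(rows):
    """Samples per calendar month of first_seen_utc ('YYYY-MM'); this is submission
    time, not the time of the intrusion the sample came from."""
    return Counter(r["first_seen_utc"][:7] for r in rows)


def by_file_type(rows):
    """Samples per MalwareBazaar file_type_guess (exe, dll, zip, ...)."""
    return Counter(r["file_type_guess"].lower() for r in rows)


def with_signature(rows, family):
    """Rows tagged with the given family signature, compared case-insensitively."""
    return [r for r in rows if r["signature"].lower() == family.lower()]


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    print("by month:", by_month(rows).most_common())
    print("by file type:", by_file_type(rows).most_common())
    print("MedusaLocker by month:", by_month(with_signature(rows, "MedusaLocker")))
```

Run against a real export, the same three functions give the month and file-type breakdowns; filtering on the signature first is what separates a family-specific trend from the general submission volume.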

Observations on Medusa Ransomware Impact

Victim listings the Medusa operators published on their leak blog in December are consistent with the rise in ransomware detections in November. The screenshots below are from the Medusa blog, reachable at the following Tor address: http[:]//medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd[.]onion/

Homepage of the Medusa blog

The most recent Medusa listing at the time of writing: sensitive company information from ATCO Products Inc published on the Medusa blog


Analysis of a Medusa Ransomware Sample

The sample with SHA256 51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51 was detonated in a sandbox environment to document the malware's behavior.

The PDB path left in the binary shows it was built from a directory named "locker" on an external drive. That reveals the developer's project naming but says nothing about screen-locking behavior: the observed behavior, file encryption with an appended extension and a ransom note written to disk, places the sample in the crypto (encryptor) category, and the operators' leak blog adds a doxware element. Nothing in the analysis indicates a device locker. Manual analysis of the file yielded the following.

Behavioral Analysis of the Malware Sample

The static capability scan tags the sample with anti-debugging checks, XOR-based obfuscation, a keylogging pattern, and Windows registry, security-token and file-system interaction. These tags are rule matches on imported APIs and byte patterns: they establish that the pattern is present, not that the sample uses it, so each should be read alongside the dynamic results that follow. The identified functions are:

  • Anti-DBG: checks whether a debugger is attached.
  • XOR: uses XOR to obfuscate strings, configuration or code.
  • Keylogger: matches a keystroke-capture pattern. For a file encryptor this tag often stems from generic input-related API imports; the sandbox behavior below shows no keystroke logging, so it should not be reported as a confirmed capability without further evidence.
  • Windows Registry Interaction: reads and writes registry keys for configuration and persistence.
  • Windows Security Token Interaction: adjusts process token privileges, which ransomware does to obtain the rights needed to delete shadow copies and change boot settings; the privilege-LUID lookups in the sandbox table corroborate this.
  • Windows File Operations: creates, modifies and deletes files on the Windows file system.

The malware also imports functions from the following Dynamic Link Libraries (DLLs); the imports are consistent with a file encryptor rather than a generic trojan:

  1. CRYPT32.dll: certificate and encoding helpers (for example base64/DER decoding and public-key import). Ransomware commonly uses it to load the embedded RSA public key that wraps the file-encryption keys.
  2. SHLWAPI.dll: path and string helpers such as extension matching and path joining, consistent with the selective file targeting described above.
  3. RstrtMgr.DLL: the Restart Manager API. Ransomware uses it not to reboot the system but to enumerate and shut down processes that hold files open, so that locked documents and databases can be encrypted.
  4. MPR.dll: the WNet* networking APIs for enumerating network resources and mapped drives, which let the encryptor reach shares beyond the local disks.
  5. KERNEL32.dll: core system services, including process and thread management, memory allocation and file I/O.
  6. USER32.dll: window and message handling, including the hidden-window behavior noted under T1564.003 below.
  7. ADVAPI32.dll: registry access, token and privilege manipulation, and service control.
  8. SHELL32.dll: shell operations such as resolving known folders, launching programs and file operations.

MITRE ATT&CK Framework Alignment

The sample's behaviors map to MITRE ATT&CK techniques across several tactics, including Collection, Defense Evasion, Discovery, Execution and Persistence.

Tactic: Collection

  • T1056.001 Input Capture: Keylogging

Tactic: Defense Evasion

  • T1134.004 Access Token Manipulation: Parent PID Spoofing
  • T1140 Deobfuscate/Decode Files or Information
  • T1222 File and Directory Permissions Modification
  • T1564.003 Hide Artifacts: Hidden Window
  • T1070 Indicator Removal
  • T1027 Obfuscated Files or Information
  • T1027.005 Obfuscated Files or Information: Indicator Removal from Tools

Tactic: Discovery

  • T1083 File and Directory Discovery
  • T1057 Process Discovery
  • T1012 Query Registry
  • T1082 System Information Discovery
  • T1614 System Location Discovery

Tactic: Execution

  • T1129 Shared Modules

Tactic: Persistence

  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Tactic: Impact (supported by the sandbox signatures tabulated in the next section rather than by the static scan)

  • T1486 Data Encrypted for Impact
  • T1490 Inhibit System Recovery

File Signature and Behavioral Patterns

Sandbox signature matches for the sample are listed below. The sandbox records at most 50 matching events per signature, so an entry such as "50 of 2080" means 2080 events matched and 50 were recorded. The signatures cover system queries, anti-analysis checks, memory allocation for unpacking, process crashes, and the file activity and recovery-inhibition commands that characterize ransomware encryption:

Events        | Description
--------------|--------------------------------------------------------------------------------------------
13            | Queries for the computer name
1             | Checks if the process is being debugged by a debugger
50 of 2080    | Command line console output was observed
5             | Uses Windows APIs to generate a cryptographic key
1             | The executable has a PDB path
1             | Checks the amount of memory in the system (used to detect virtual machines with little memory)
1             | The file contains an unknown PE resource name, possibly indicative of a packer
1             | One or more processes crashed
1             | Allocates read-write-execute memory (usually to unpack itself)
1             | A process attempted to delay the analysis task
3             | Queries the disk size (used to detect virtual machines with small fixed-size or dynamically allocated disks)
16            | Creates executable files on the filesystem
50 of 63      | Creates a suspicious process
12            | Executes one or more WMI queries
13            | Checks the locally unique identifier (LUID) on the system for a suspicious privilege
50 of 123     | Potentially malicious URLs were found in the process memory dump
50 of 69      | Uses Windows utilities for basic Windows functionality
1             | Looks for the Windows idle time to determine the uptime
2             | Installs itself for autorun at Windows startup
1             | Attempts to detect a sandbox through the presence of a file
1             | Creates known Hupigon files, registry keys and/or mutexes
6             | Modifies boot configuration settings
1             | Found URLs related to Tor in the process memory dump
1             | Runs bcdedit commands specific to ransomware
50 of 556     | Writes a potential ransom message to disk
1             | Removes the shadow copy to avoid recovery of the system
3             | Uses the wbadmin utility to delete backups or configuration to prevent recovery of the system
3             | Uses suspicious command line tools or Windows utilities
50 of 1994    | Performs 1994 file moves indicative of a ransomware file encryption process
50 of 1994    | Appends a new file extension or content to 1994 files indicative of a ransomware file encryption process
50 of 1558    | Drops 1559 unknown file MIME types indicative of ransomware writing encrypted files back to disk

Strategies for Ransomware Mitigation

A robust defense against ransomware needs layered controls: registry monitoring, sandboxing, network inspection for backdoors, and behavior-based detection, backed by backups that the malware cannot reach.

Registry Scanning:

  • Detects subtle registry changes, such as the new autorun entries this sample creates for persistence (T1547.001).

Sandboxing:

  • Detonates suspicious files in an isolated virtual environment.
  • Records behavior without exposing production systems. This sample checks memory size, disk size and the presence of sandbox marker files, so the environment should be hardened against such checks.

Backdoor Inspection:

  • Monitors network traffic for anomalies, including Tor-related connections of the kind found in the sample's memory.
  • Identifies potential unauthorized access points.

Behavior-Based Scanning:

  • Analyzes file and process behavior in real time and identifies malicious activity without relying on known signatures.
  • Should alert on the recovery-inhibition commands observed here (vssadmin shadow-copy deletion, wbadmin backup deletion, bcdedit boot-configuration changes) and on a single process renaming or rewriting large numbers of files with a new extension.

Backups and Recovery:

  • Because the sample deletes shadow copies and wbadmin backups, recovery must rely on offline or immutable backups that a compromised host cannot modify, and restores should be tested regularly.
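The behavior-based detection described above, applied to the two behaviors in the sandbox table that most distinguish this sample, as an added example (not code from the report or from DACTA): a small Python detector that replays constructed endpoint telemetry and flags the recovery-inhibition commands (vssadmin, wbadmin, bcdedit; T1490) and a burst of renames that give many files the same new extension (T1486). The event layout, process IDs, file paths and the ".locked" extension are constructed placeholders, and the rules go one step beyond the page's three utilities by also matching the WMI shadow-copy deletion route.

```python
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line rules for T1490 (Inhibit System Recovery): the utilities the sandbox
# observed for this sample (vssadmin, wbadmin, bcdedit) plus the WMI shadow-copy route.
RECOVERY_INHIBIT_RULES = [
    ("vssadmin-delete-shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic-shadowcopy-delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin-delete-backups",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:catalog|systemstatebackup|backup)\b", re.I)),
    ("bcdedit-disable-recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]

# Event shape (constructed for this example, not a real log format):
#   (iso_time, pid, "process", command_line)  or  (iso_time, pid, "rename", (old_path, new_path))


def detect_recovery_inhibition(events):
    """One alert per process-creation event whose command line matches a rule."""
    alerts = []
    for time, pid, kind, payload in events:
        if kind != "process":
            continue
        for rule, rx in RECOVERY_INHIBIT_RULES:
            if rx.search(payload):
                alerts.append({"rule": rule, "pid": pid, "time": time, "cmd": payload})
                break
    return alerts


def _ext(path):
    # ntpath so Windows paths are split correctly on any host running the detector
    return ntpath.splitext(path)[1].lower()


def detect_mass_extension_append(events, threshold=20, window=timedelta(seconds=60)):
    """Alert when one process gives at least `threshold` distinct files the same new
    extension within `window` (the 'appends a new file extension to N files' behavior).
    A handful of renames by an editor or backup tool stays below the threshold."""
    buckets = defaultdict(list)  # (pid, new_ext) -> [(datetime, old_path)]
    for time, pid, kind, payload in events:
        if kind != "rename":
            continue
        old_path, new_path = payload
        new_ext = _ext(new_path)
        if not new_ext or new_ext == _ext(old_path):
            continue
        buckets[(pid, new_ext)].append((datetime.fromisoformat(time), old_path))
    alerts = []
    for (pid, new_ext), items in buckets.items():
        items.sort()
        start = 0
        for end in range(len(items)):  # sliding window over time-ordered renames
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {path for _, path in items[start:end + 1]}
            if len(distinct) >= threshold:  # alert at the first crossing, not after the fact
                alerts.append({"rule": "mass-extension-append", "pid": pid, "ext": new_ext,
                               "files": len(distinct), "from": items[start][0].isoformat()})
                break
    return alerts


def run_detections(events):
    return detect_recovery_inhibition(events) + detect_mass_extension_append(events)


def constructed_events():
    """Constructed telemetry: a benign editor (pid 2210) and an encryptor (pid 4120).
    The ".locked" extension is a placeholder, not MedusaLocker's actual extension."""
    t0 = datetime(2024, 1, 5, 10, 0, 0)
    at = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    ev = []
    for i in range(3):  # benign: three files renamed to .bak
        ev.append((at(i), 2210, "rename",
                   (rf"C:\Users\alice\notes{i}.txt", rf"C:\Users\alice\notes{i}.txt.bak")))
    ev += [
        (at(10), 4120, "process", "vssadmin.exe Delete Shadows /All /Quiet"),
        (at(11), 4120, "process", "wbadmin.exe delete catalog -quiet"),
        (at(12), 4120, "process", "bcdedit.exe /set {default} recoveryenabled No"),
        (at(13), 4120, "process", r"notepad.exe C:\Users\alice\readme.txt"),  # benign
    ]
    for i in range(25):  # encryptor: 25 documents renamed with an appended extension in 25 s
        ev.append((at(20 + i), 4120, "rename",
                   (rf"C:\Users\alice\Documents\report{i}.docx",
                    rf"C:\Users\alice\Documents\report{i}.docx.locked")))
    return ev


if __name__ == "__main__":
    for alert in run_detections(constructed_events()):
        print(alert)
```

In production the same two functions would be fed Sysmon process-creation and file-rename events (or the EDR equivalent); the threshold and window should be tuned against a baseline of backup and archiving jobs, which are the usual benign source of bulk renames.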

Cybersecurity Solutions by DACTA

DACTA provides expert cybersecurity services, proactively defending against digital threats. By partnering with DACTA, organizations can strengthen their security posture and foster a resilient digital ecosystem. Contact DACTA to secure your digital assets against the evolving ransomware landscape.

Under attack or experiencing a security incident?

If you're experiencing an active security incident and need immediate assistance, contact the DACTA Incident Response Team (IRT) at [email protected].
