Joint Advisory About MedusaLocker Ransomware Issued By FBI, CISA, & FinCEN

A joint cybersecurity alert regarding the MedusaLocker ransomware has been released by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN). According to the alert, affiliates of the MedusaLocker gang are enlisted to carry out attacks in exchange for between 55 percent and 60 percent of any ransom payments produced. In the United States, MedusaLocker has conducted attacks on a variety of targets since its initial discovery in September 2019. 

Once attackers have acquired access to victims’ networks, a batch file launches a PowerShell script that spreads the MedusaLocker ransomware over the network. The infected system may then discover associated hosts and networks via Internet Control Message Protocol (ICMP) and shared storage via Server Message Block (SMB) Protocol, after altering the EnableLinkedConnections value inside the compromised machine’s registry. To prevent security software from detecting the ransomware, MedusaLocker disables security, accounting, and forensic applications before encrypting files and restarting the computer in safe mode. All files are encrypted, with the exception of those that are essential for the victims’ devices to operate. Local backups and shadow copies are removed, and start-up recovery options are disabled, as is typical with ransomware. According to the alert, several attack vectors are used to obtain initial access to networks, such as spam and phishing email campaigns, some of which attach the ransomware payload directly to the email. Exploiting vulnerable Remote Desktop Protocol (RDP) configurations, however, is by far the most frequent attack strategy. The advisory also provides indicators of compromise (IoCs) associated with the group, including IP addresses, Bitcoin wallet addresses, email addresses, and Tor addresses.
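The behaviours described above (editing the EnableLinkedConnections registry value, deleting shadow copies, and disabling start-up recovery) leave state on the host that a defender can audit. The following PowerShell script is an added example written for this page; it is not part of the advisory and not MedusaLocker code. It assumes it is run with administrator rights on a Windows host, that EnableLinkedConnections lives at its documented location under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, and that `bcdedit /enum {default}` prints a `recoveryenabled` line; the finding wording is the example's own.

```powershell
# Added host-audit example (not from the advisory). Checks three artefacts that
# the advisory associates with MedusaLocker activity and reports any findings.
# Run as an administrator; read-only, it changes nothing on the host.

function Get-LinkedConnectionsPolicy {
    # Documented location of the EnableLinkedConnections policy value.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $item = Get-ItemProperty -Path $key -Name 'EnableLinkedConnections' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }          # value not present
    return [int]$item.EnableLinkedConnections
}

function Get-ShadowCopyCount {
    # Volume Shadow Copy instances currently present on the host.
    $copies = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    return $copies.Count
}

function Get-RecoveryEnabledSetting {
    # bcdedit prints "recoveryenabled   No" when start-up recovery is disabled.
    # The line is absent when the setting has never been changed (default Yes).
    $lines = & bcdedit.exe /enum '{default}' 2>$null
    if (-not $lines) { return $null }
    $match = $lines | Select-String -Pattern '^recoveryenabled\s+(\S+)'
    if (-not $match) { return 'not set (default)' }
    return $match.Matches[0].Groups[1].Value
}

function Invoke-MedusaLockerHostAudit {
    $findings = @()

    $elc = Get-LinkedConnectionsPolicy
    if ($elc -eq 1) {
        $findings += 'EnableLinkedConnections=1: mapped network drives are visible to elevated processes (advisory-listed artefact)'
    }

    $shadows = Get-ShadowCopyCount
    if ($shadows -eq 0) {
        $findings += 'No Volume Shadow Copies present: check whether they were deleted'
    }

    $recovery = Get-RecoveryEnabledSetting
    if ($recovery -and $recovery -match '^No$') {
        $findings += 'recoveryenabled=No: start-up recovery has been disabled'
    }

    [pscustomobject]@{
        Host                    = $env:COMPUTERNAME
        EnableLinkedConnections = $elc
        ShadowCopyCount         = $shadows
        RecoveryEnabled         = $recovery
        Findings                = $findings
    }
}

# Usage: print the audit result; forward $result.Findings to a SIEM or ticket as needed.
$result = Invoke-MedusaLockerHostAudit
$result | Format-List
if ($result.Findings.Count -gt 0) { exit 1 } else { exit 0 }
```

None of these artefacts is conclusive on its own: EnableLinkedConnections is sometimes set by administrators deliberately, and a fresh host may simply have no shadow copies yet. The value of the audit is in running it fleet-wide and treating a host where several findings appear together, or where the state changed recently, as a candidate for incident response.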

Within the joint advisory, a number of mitigations have been recommended. These include implementing a recovery plan, implementing network segmentation, regularly backing up data, enabling real-time detection in antivirus software, installing updates for operating systems, auditing user accounts, disabling unused ports, enforcing multifactor authentication, installing and using virtual private networks, and ensuring cybersecurity awareness and training among staff members. In the event that a breach involving MedusaLocker does take place, the FBI has asked victims to report the incident to their local FBI field office or via the CISA website.