CyberWire Daily - CISA Alert AA22-181A – #StopRansomware: MedusaLocker. [CISA Cybersecurity Alerts]
Episode Date: June 30, 2022

CISA, the FBI, the Department of the Treasury, and the Financial Crimes Enforcement Network are releasing this alert to provide information on MedusaLocker ransomware. Observed as recently as May 2022..., MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol to access victims' networks.

Show notes:
AA22-181A Alert, Technical Details, and Mitigations
Stop Ransomware
CISA Ransomware Guide
CISA No-cost Ransomware Services

All organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI's 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Transcript
You're listening to the Cyber Wire Network, powered by N2K. Original release date, June 30, 2022.
CISA, the FBI, the Department of the Treasury, and the Financial Crimes Enforcement Network are releasing this alert to provide information on MedusaLocker ransomware.
Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol to access victims' networks.
The MedusaLocker actors encrypt the victims' data and leave a ransom note with communication instructions in every folder containing an encrypted file.
The note directs victims to provide ransomware payments to a specific Bitcoin wallet address.
MedusaLocker appears to operate as a ransomware-as-a-service model based on the observed split of ransom payments. Typical ransomware-as-a-service models involve the ransomware developer and various affiliates that deploy the ransomware on victim systems.
MedusaLocker ransomware actors most often gain access to victim devices through vulnerable Remote Desktop Protocol configurations. Actors also frequently use email phishing and spam email campaigns, directly attaching the ransomware to the email, as initial intrusion vectors.
MedusaLocker ransomware uses a batch file to execute a malicious PowerShell script. This script propagates MedusaLocker throughout the network by editing the EnableLinkedConnections value within the infected machine's registry, which then allows the infected machine to detect attached hosts and networks via Internet Control Message Protocol and to detect shared storage via Server Message Block Protocol.
The resources linked in the show notes include indicators of compromise, a full MITRE ATT&CK mapping of MedusaLocker TTPs, and mitigation actions.
This joint cybersecurity advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures and indicators of compromise to help organizations protect against ransomware. Visit StopRansomware.gov for free resources and to learn more about other ransomware threats.
All organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at central@cisa.dhs.gov or 888-282-0870 and to the FBI via your local FBI field office or the FBI's 24/7 CyWatch at 855-292-3937 or CyWatch@fbi.gov.
This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency. Links to the full alert are in the show notes.
This has been a CISA Cybersecurity Alert.
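The alert summarized above names two host-level conditions a defender can check directly: Remote Desktop Protocol that is enabled and weakly configured, and the EnableLinkedConnections registry value that the MedusaLocker PowerShell stage sets. The script below is an added triage example, not code from CISA or from the CyberWire episode. The registry paths are the standard Windows locations for these settings; the status labels, the finding format, and the decision to report rather than remediate are this example's own assumptions.

```powershell
# Added example (not from the CISA alert or the CyberWire transcript).
# Read-only triage of the two conditions the alert describes on a Windows host:
#   1. EnableLinkedConnections, which MedusaLocker's PowerShell stage sets so that
#      drive mappings made under the user's non-elevated token are also visible
#      to the elevated token, letting an elevated payload reach the user's shares.
#   2. RDP enabled without Network Level Authentication (NLA), the exposed-RDP
#      foothold the alert names as the primary initial access vector.
# Run elevated. Nothing here changes the system; compare findings to your baseline.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch {
        return $null   # value absent or key missing: report as "not set"
    }
}

function New-Finding {
    param([string]$Check, $Value, [string]$Status, [string]$Detail)
    [pscustomobject]@{ Check = $Check; Value = $Value; Status = $Status; Detail = $Detail }
}

$findings = @()

# --- 1. EnableLinkedConnections -------------------------------------------
# Standard path for this UAC setting (assumed here; confirm against your GPO).
$elcPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$elc = Get-RegistryDword -Path $elcPath -Name 'EnableLinkedConnections'
if ($elc -eq 1) {
    # Admins sometimes set this deliberately, so flag for review, do not delete.
    $findings += New-Finding 'EnableLinkedConnections' $elc 'REVIEW' `
        'Set to 1; matches the registry edit described for MedusaLocker. Verify it is policy-intended and check the key LastWriteTime against your incident timeline.'
} else {
    $findings += New-Finding 'EnableLinkedConnections' $elc 'OK' 'Not set or 0.'
}

# --- 2. RDP exposure ------------------------------------------------------
$tsPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpPath = Join-Path $tsPath 'WinStations\RDP-Tcp'
$rdpEnabled = (Get-RegistryDword -Path $tsPath  -Name 'fDenyTSConnections') -eq 0
$nlaOn      = (Get-RegistryDword -Path $rdpPath -Name 'UserAuthentication') -eq 1

if (-not $rdpEnabled) {
    $findings += New-Finding 'RDP' 'disabled' 'OK' 'fDenyTSConnections is not 0.'
} elseif ($nlaOn) {
    $findings += New-Finding 'RDP' 'enabled+NLA' 'REVIEW' 'RDP on with NLA. Confirm it is not reachable from the internet and that MFA/lockout policies apply.'
} else {
    $findings += New-Finding 'RDP' 'enabled,no-NLA' 'HIGH' 'RDP on without NLA: unauthenticated clients reach the logon surface. Enable NLA and restrict exposure.'
}

# Is anything actually listening on 3389, and who may log on over RDP?
$listener = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
$findings += New-Finding 'RDP listener' ([bool]$listener) $(if ($listener) { 'INFO' } else { 'OK' }) `
    'Presence of a TCP 3389 listener on this host.'

$rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty Name
$findings += New-Finding 'Remote Desktop Users' ($rdpUsers -join '; ') 'INFO' `
    'Review for accounts that should not have interactive remote access.'

$findings | Format-Table -AutoSize
```

The script deliberately stops at reporting. EnableLinkedConnections=1 is a legitimate configuration on some estates, so the right follow-up is to compare the finding with Group Policy and, during an incident, to line up the key's last-write time and any batch-file-to-PowerShell execution chain in your process telemetry before treating it as evidence of the MedusaLocker stage described in the alert.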