MedusaLocker Ransomware

MedusaLocker Ransomware has been active since September 2018, being distributed through phishing pages and attached directly to emails.

A SentinelOne report outlines some of the features of MedusaLocker. When executed, MedusaLocker will check that “EnableLinkedConnections” is set to 1, in order to allow it to encrypt mapped drives at will. It will change the setting and restart “LanmanWorkstation” to allow access to remote, mapped drives. MedusaLocker will attempt to terminate the processes of some security applications, as well as processes associated with malware analysis.

It will stop services such as Apache, MS SQL, and QuickBooks services, to make their data files available for encryption. As is common to ransomware, shadow copies and backups are deleted, and MedusaLocker also disables the system startup recovery options. Files are encrypted using AES 256 with the key encrypted using an RSA-2048 public key. After encrypting files, MedusaLocker will sleep for a short period of time and then search for any new files eligible for encrypting.

It will also configure a scheduled task to repeat the process at 15 or 30 minute intervals. A ransom note will be left in each directory which contains encrypted files that instructs the victim to contact the email addresses provided in the ransom note to obtain a decryption key.

Indicators of Compromise

Hashes

• dde3c98b6a370fb8d1785f3134a76cb465cd663db20dffe011da57a4de37aa95
• 0432b4ad0f978dd765ac366f768108b78624dab8704e119181a746115c2bef75
• d6223b02155d8a84bf1b31ed463092a8d0e3e3cdb5d15a72b5638e69b67c05b7
• f31b9f121c6c4fadaa44b804ec2a891c71b20439d043ea789b77873fa3ab0abb
• db11260b9eff22f397c4eb6e2f50d02545dbb7440046c6f12dbc68e0f32d57ce