FortiEDR
ralvarez (Staff)
Article Id 220274

Introduction

MedusaLocker ransomware was first identified in 2019, and new variants have continued to emerge since. MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS), in which affiliates deploy the ransomware against their own victims. Different variants encrypt files and rename them with different extensions, such as ".1btc", ".marlock02", ".readinstructions", ".bec", ".mylock", ".jpz.nz", ".bomber", ".boroff" and ".breakingbad", and the filename of the ransom note also varies by variant.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury and the Financial Crimes Enforcement Network (FinCEN) issued a joint alert on MedusaLocker ransomware following a recent spike in activity. In this article, we take a closer look at how MedusaLocker executes, modifies the registry for persistence, runs commands to prevent file recovery, stops services and selects files to encrypt. We also look in detail at the security events generated when this ransomware is executed in a FortiEDR-protected environment.

Attack Diagram

medusalocker01.png

Analysis

The MedusaLocker sample analyzed in this article is a 32-bit Windows executable. On execution, the sample begins encrypting files immediately. As part of the encryption process, MedusaLocker drops a copy of the ransom note into every accessible folder.

On initial execution the sample checks whether it is already running with administrative privileges. If not, it relaunches itself elevated by calling the ShellExecuteExW API with the "runas" verb, as shown in Figure 1.

The "runas" verb asks the shell to start the application as Administrator. This is a request for elevation rather than a UAC bypass: User Account Control (UAC) prompts the logged-on user either to consent to running the application elevated (if the user is an administrator) or to enter the credentials of an administrator account. The prompt itself, followed by a second instance of the same binary running elevated, is a visible artefact of this stage.

medusalocker01b.png

Figure 1. Code snapshot showing the use of the ShellExecuteExW API with the "runas" verb to relaunch the malware as Administrator

File Execution Attempt

FortiEDR detects the attempt to execute the MedusaLocker binary and prevents it from running. As part of FortiEDR's pre-execution policy, the binary was submitted to the online sandboxes that form part of Fortinet Cloud Services, which classified it as malicious, as shown in Figure 2 below.

medusalocker02.png

Figure 2. FortiEDR detection of the file execution attempt of the malicious MedusaLocker executable (in this case with filename 'Sample01.exe')

Running in Admin mode

Once MedusaLocker restarts in Administrator mode, it makes the network drives mapped on the infected endpoint visible to its elevated process by setting the EnableLinkedConnections registry value (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = 1). This matters because of UAC token separation: drives mapped in the user's standard (filtered) logon session are not visible to processes running under the elevated token, so without this setting an elevated ransomware process would miss the mapped shares. To make the change take effect without a reboot, MedusaLocker stops and restarts the LanmanWorkstation (Workstation) service. The end result is that files on mapped network drives are reachable for encryption.

Figure 3 shows the code that sets the EnableLinkedConnections value and the code that restarts the LanmanWorkstation service.

Hunting note: this value is normally changed only by administrators or Group Policy, so a write to it by an unsigned process, followed within seconds by a stop and start of LanmanWorkstation, is a useful detection pair in its own right.

medusalocker03.png

Figure 3. Code snapshot that maps the drives connected to the infected machine

Persistence

MedusaLocker creates an Autorun value under the Run key, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", pointing to the malware executable. This ensures the malware is started again after a reboot or logon (T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), as shown in Figure 4.

medusalocker04.png

Figure 4. Code snapshot that sets the Autorun registry value

FortiEDR detects and blocks the creation of the Autorun registry value by MedusaLocker, as shown in Figure 5.

medusalocker05.png

Figure 5. FortiEDR protects the endpoint by blocking the creation of the Autorun registry value

Preventing recoveries of important files

As part of its execution, MedusaLocker runs a series of commands via the CreateProcessW API to prevent recovery of important files: deleting shadow copies, deleting backup files, and changing the boot status policy so that Windows ignores a failed boot, shutdown or checkpoint instead of entering recovery. These commands run as child processes of the MedusaLocker process and provide excellent detection opportunities, especially because none of them is obfuscated. The executables involved are all Windows LOLBins commonly employed by ransomware to hamper recovery efforts; see Table 1 for details of each command.

Command    Description
"net stop VSS & sc config VSS start= disabled" Stops the Volume Shadow Copy service and sets it to disabled so it cannot start automatically
"sc config VSS start= Demand & net start VSS" Sets the Volume Shadow Copy service to manual start and starts it, so the deletion commands that follow can reach it
"wmic.exe SHADOWCOPY delete /nointeractive" Deletes all volume shadow copies via WMI
"vssadmin.exe Delete Shadows /All /Quiet" Deletes all volume shadow copies
"vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB" Shrinks the shadow copy storage for drive c: to a maximum of 401MB
"vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded" Removes the size limit on shadow copy storage for drive c:
"vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB" Shrinks the shadow copy storage for drive d: to a maximum of 401MB
"vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded" Removes the size limit on shadow copy storage for drive d:
"vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB" Shrinks the shadow copy storage for drive e: to a maximum of 401MB
"vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB" Shrinks the shadow copy storage for drive f: to a maximum of 401MB
"vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded" Removes the size limit on shadow copy storage for drive f:
"vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB" Shrinks the shadow copy storage for drive g: to a maximum of 401MB
"vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded" Removes the size limit on shadow copy storage for drive g:
"vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB" Shrinks the shadow copy storage for drive h: to a maximum of 401MB
"vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded" Removes the size limit on shadow copy storage for drive h:
"bcdedit.exe /set {default} recoveryenabled No" Disables Automatic Startup Repair (the Windows Recovery Environment) for the default boot entry
"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures" Tells the boot loader to ignore a failed boot, shutdown or checkpoint instead of starting recovery
"wbadmin.exe DELETE CATALOG -quiet" Deletes the backup catalog, which records existing backups and their destinations; without it Windows Backup cannot enumerate or restore them
"icacls.exe \"{A-Z}:\" /grant {Username}:F /T /C /Q" Recursively (/T) grants {Username} full control of every folder and file on the drive, continuing past errors (/C) and suppressing output (/Q), so nothing is left unreadable or unwritable to the encrypting process
"del /s /f /q c:\\*.VHD c:\\*.bac c:\\*.bak c:\\*.wbcat c:\\*.bkf c:\\Backup*.* c:\\backup*.* c:\\*.set c:\\*.win c:\\*.dsk" Recursively force-deletes, without prompting, all files on drive c: with the extensions VHD, BAC, BAK, WBCAT, BKF, SET, WIN and DSK, and all files whose names start with "Backup" or "backup"
"del /s /f /q d:\\*.VHD d:\\*.bac d:\\*.bak d:\\*.wbcat d:\\*.bkf d:\\Backup*.* d:\\backup*.* d:\\*.set d:\\*.win d:\\*.dsk" Same as above, for drive d:
"del /s /f /q e:\\*.VHD e:\\*.bac e:\\*.bak e:\\*.wbcat e:\\*.bkf e:\\Backup*.* e:\\backup*.* e:\\*.set e:\\*.win e:\\*.dsk" Same as above, for drive e:
"del /s /f /q f:\\*.VHD f:\\*.bac f:\\*.bak f:\\*.wbcat f:\\*.bkf f:\\Backup*.* f:\\backup*.* f:\\*.set f:\\*.win f:\\*.dsk" Same as above, for drive f:
"del /s /f /q g:\\*.VHD g:\\*.bac g:\\*.bak g:\\*.wbcat g:\\*.bkf g:\\Backup*.* g:\\backup*.* g:\\*.set g:\\*.win g:\\*.dsk" Same as above, for drive g:
"del /s /f /q h:\\*.VHD h:\\*.bac h:\\*.bak h:\\*.wbcat h:\\*.bkf h:\\Backup*.* h:\\backup*.* h:\\*.set h:\\*.win h:\\*.dsk" Same as above, for drive h:
"del %0" When run from a batch file, deletes the batch file itself
"wbadmin.exe DELETE SYSTEMSTATEBACKUP" Deletes system state backups (backups of the operating system files and registry)
"wbadmin.exe DELETE SYSTEMSTATEBACKUP -deleteoldest" Deletes the oldest system state backup
"powershell -command \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\"" Deletes all volume shadow copies via WMI from PowerShell

Table 1. List of commands used by MedusaLocker to prevent recovery of important files

Two points about the table are worth noting for detection. Shrinking shadow storage to a small maximum forces Windows to discard existing shadow copies that no longer fit, and setting it back to unbounded afterwards leaves the volume looking untouched, so the resize pair is a deletion technique even though no "delete" appears on the command line. Also, del is a cmd.exe built-in and %0 only has meaning inside a batch file, which suggests that at least those rows are executed by cmd.exe from a dropped batch script; when hunting, expect cmd.exe as the immediate parent of those commands rather than the MedusaLocker executable itself.

Figure 6 shows the code that is used to execute the commands listed in Table 1.

medusalocker06.png

Figure 6. Code snapshot that executes the commands from Table 1

MedusaLocker also empties the Recycle Bin using the SHEmptyRecycleBinW API, so that previously deleted files cannot be restored from it either, as shown in Figure 7.

medusalocker07.png

Figure 7. Code snapshot that empties the Recycle Bin

FortiEDR detects and blocks access to the Volume Shadow Copy service on the endpoint, as shown in Figure 8. Tampering with the Volume Shadow Copy service, and deleting or shrinking existing shadow copies to inhibit recovery, is a common part of ransomware operations.

medusalocker08.png

Figure 8. FortiEDR detects and blocks access to the Volume Shadow Copy service

Terminates services

MedusaLocker stops services belonging to accounting software (QuickBooks), Hyper-V, database software (SQL Server, PostgreSQL), Symantec endpoint protection components (ccEvtMgr, RTVscan, SavRoam) and other applications. For each name in its list it first calls the OpenServiceW API to obtain a handle to the service; if the service exists, it sends the SERVICE_CONTROL_STOP control code via the ControlService API, asking the service to stop, as shown in Figure 9. The purpose is to release file locks so that the data files held open by these services (database files, virtual disks, company files) can be encrypted. Table 2 lists the service names the ransomware targets. Windows service names are case-insensitive, so the pairs that differ only in case (sqladhlp/SQLADHLP, sqlbrowser/SQLBrowser, sqlwriter/SQLWriter) are redundant entries in the malware's list.

medusalocker09.png

Figure 9. Code snapshot that stops a service

Culserver, ccEvtMgr, vmicguestinterface, MSSQLSERVER, SQLAgent,
Intuit.QuickBooks.FCS, msmdsrv, vmicheartbeat, SQLBrowser, MSSQLServerOLAPService,
QBCFMonitorService, sqladhlp, vmicrdv, SQLTELEMETRY, MsDtsServer100,
QBIDPService, sqlbrowser, storflt, MsDtsServer130, ReportServer,
RTVscan, sqlservr, vmictimesync, SSISTELEMETRY130, TMBMServer,
SQLADHLP, sqlwriter, vmicvss, SQLWriter, postgresql-x64-9.4,
SavRoam, vmickvpexchange, MSSQLFDLauncher, MSSQL, UniFi,
vmms, wrapper

Table 2. List of services to be stopped
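
As an added example for this section (it is not from the article, FortiEDR or the sample), the Python below shows how a defender might hunt for this T1489 behaviour from service state-change telemetry. The Service Control Manager records every service state change as System event ID 7036, so a burst of stop transitions for several Table 2 services on one host within a minute is a strong signal, while a single SQL Server restart during maintenance is not. The input format (ISO timestamp, host, service name, new state, one record per line) and the records themselves are constructed; adapt parse_service_stop to your own telemetry. Service names are compared case-insensitively, which is also why the duplicate entries in Table 2 collapse to 34 unique services.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Service names from Table 2, lower-cased because Windows service names are
# case-insensitive; the three pairs differing only in case collapse to one each.
MEDUSALOCKER_TARGET_SERVICES = {s.lower() for s in """
Culserver ccEvtMgr vmicguestinterface MSSQLSERVER SQLAgent
Intuit.QuickBooks.FCS msmdsrv vmicheartbeat SQLBrowser MSSQLServerOLAPService
QBCFMonitorService sqladhlp vmicrdv SQLTELEMETRY MsDtsServer100
QBIDPService sqlbrowser storflt MsDtsServer130 ReportServer
RTVscan sqlservr vmictimesync SSISTELEMETRY130 TMBMServer
SQLADHLP sqlwriter vmicvss SQLWriter postgresql-x64-9.4
SavRoam vmickvpexchange MSSQLFDLauncher MSSQL UniFi
vmms wrapper
""".split()}


def parse_service_stop(line):
    """Parse one constructed record '<ISO time> <host> <service> <state>'.
    Returns (time, host, service_lower) for transitions to 'stopped', else None."""
    timestamp, host, service, state = line.split()
    if state.lower() != "stopped":
        return None
    return datetime.fromisoformat(timestamp), host, service.lower()


def find_service_stop_bursts(lines, window=timedelta(seconds=60), min_services=3):
    """Return {host: [services]} for hosts where at least min_services distinct
    Table 2 services stopped within `window` of each other (sliding window over
    the host's stop events in time order). The largest qualifying set is kept."""
    stops = defaultdict(list)
    for line in lines:
        parsed = parse_service_stop(line)
        if parsed and parsed[2] in MEDUSALOCKER_TARGET_SERVICES:
            stops[parsed[1]].append((parsed[0], parsed[2]))

    alerts = {}
    for host, events in stops.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {svc for _, svc in events[start:end + 1]}
            if len(distinct) >= min_services and len(distinct) > len(alerts.get(host, ())):
                alerts[host] = sorted(distinct)
    return alerts


# Constructed telemetry, not captured data. WS01 shows the ransomware pattern;
# DB02 shows a planned SQL Server restart that must not alert.
SAMPLE_LOG = [
    "2022-10-03T09:00:01 WS01 MSSQLSERVER stopped",
    "2022-10-03T09:00:02 WS01 SQLWriter stopped",
    "2022-10-03T09:00:02 WS01 vmms stopped",
    "2022-10-03T09:00:03 WS01 QBCFMonitorService stopped",
    "2022-10-03T09:00:03 WS01 Spooler stopped",
    "2022-10-03T02:00:00 DB02 MSSQLSERVER stopped",
    "2022-10-03T02:00:30 DB02 MSSQLSERVER running",
    "2022-10-03T02:05:00 DB02 sqlwriter stopped",
]

if __name__ == "__main__":
    for host, services in find_service_stop_bursts(SAMPLE_LOG).items():
        print(f"ALERT {host}: {len(services)} MedusaLocker target services stopped within 60s: {services}")
```

The window and threshold are the tuning knobs: on a Hyper-V or SQL host a planned patch window will stop several of these services, so suppress known maintenance windows or require that the stops are not preceded by an administrator's interactive session.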
Ransom note

After removing the system owner's ability to restore the infected system easily from shadow copies or backups, and after stopping the services listed above, MedusaLocker drops a copy of the ransom note into every accessible folder, starting with the Desktop folder. Other variants of this ransomware only drop the note into folders that contain encrypted files; this variant drops a note regardless of whether the folder contains encrypted files or not. See Figures 10 and 11.

medusalocker10.png

Figure 10. Code snapshot that drops the ransom note

medusalocker11.png

Figure 11. MedusaLocker ransom note content

Selecting files to encrypt

MedusaLocker avoids encrypting files in the "Windows" folder. It also avoids re-encrypting files it has already processed (files whose name ends in ".[thetan@nerdmail.co].ner"), its own executable, and the ransom note file ("!!!HOW_TO_DECRYPT!!!.txt").

The ransomware also carries a whitelist of extensions whose files it leaves alone, shown in Table 3. The comparison is case-sensitive, so a file is still encrypted if its extension is in the whitelist but in a different case. For example, MedusaLocker skips files with the extension ".dat" but still encrypts files named ".DAT", ".Dat" or ".daT". Because NTFS treats file names case-insensitively, this most likely reflects a bug in the malware's comparison rather than intent, and it means some system and application data files the list was meant to protect are encrypted anyway.

Once a file has been encrypted, MedusaLocker renames it with the extension "[884ae5eafd].[thetan@nerdmail.co].ner". See Figure 12.

dat, diagcab, dll, drv, exe, icl, ico, icns, ini, inprocess, idx, lnk, mod, mht, mpa, msc, msp, msu, ocx, prf, ReadInstructions, rom, rtp, scr, shs, spl, sys, [thetan@nerdmail.co].ner, theme, themepack

Table 3. Whitelist of extension names

medusalocker12.png

Figure 12. Encrypted files and the ransom note
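
To make the selection rules above concrete, the following Python is an added model of the target-selection logic as this article describes it; it is written for this page, is not MedusaLocker's code, and performs no encryption. Given a list of paths it reports which files would be encrypted and the name each would receive. Two details are assumptions because the page does not show the comparison routine: the whitelist test is modelled as a case-sensitive "file name ends with .<entry>" check (the simplest reading that also covers the multi-part encrypted extension in Table 3), and the "Windows folder" exclusion is modelled as the root-level Windows directory of each drive. The new name is modelled as the original name with the Figure 12 extension appended. The sample paths are constructed; the executable name 'Sample01.exe' is taken from Figure 2.

```python
from pathlib import PureWindowsPath

# Table 3 whitelist exactly as listed; compared case-sensitively, as the article describes.
WHITELIST = {
    "dat", "diagcab", "dll", "drv", "exe", "icl", "ico", "icns", "ini", "inprocess",
    "idx", "lnk", "mod", "mht", "mpa", "msc", "msp", "msu", "ocx", "prf",
    "ReadInstructions", "rom", "rtp", "scr", "shs", "spl", "sys",
    "[thetan@nerdmail.co].ner", "theme", "themepack",
}
ALREADY_ENCRYPTED = ".[thetan@nerdmail.co].ner"               # marker checked before the whitelist
ENCRYPTED_SUFFIX = ".[884ae5eafd].[thetan@nerdmail.co].ner"  # assumed to be appended (Figure 12)
RANSOM_NOTE = "!!!HOW_TO_DECRYPT!!!.txt"


def skip_reason(path, own_exe):
    """Return why the file would be skipped, or None if it would be encrypted.
    Order follows the article: Windows folder, own executable, ransom note,
    already-encrypted marker, then the case-sensitive extension whitelist."""
    p = PureWindowsPath(path)
    # Assumption: "Windows folder" means the root-level Windows directory of the drive.
    # Path components are compared case-insensitively, as NTFS does.
    if len(p.parts) > 1 and p.parts[1].lower() == "windows":
        return "windows folder"
    if p == PureWindowsPath(own_exe):          # PureWindowsPath equality is case-insensitive
        return "own executable"
    if p.name == RANSOM_NOTE:
        return "ransom note"
    if p.name.endswith(ALREADY_ENCRYPTED):
        return "already encrypted"
    # Deliberately case-sensitive, mirroring the sample: 'notes.dat' is skipped, 'archive.DAT' is not.
    for ext in WHITELIST:
        if p.name.endswith("." + ext):
            return f"whitelisted extension .{ext}"
    return None


def plan(paths, own_exe):
    """Map each path to its post-encryption name, or to the skip reason."""
    result = {}
    for path in paths:
        reason = skip_reason(path, own_exe)
        result[path] = (path + ENCRYPTED_SUFFIX) if reason is None else f"SKIP ({reason})"
    return result


def encrypted_targets(paths, own_exe):
    """Just the paths that would be encrypted, in input order."""
    return [p for p in paths if skip_reason(p, own_exe) is None]


# Constructed sample paths, not from an infected host.
OWN_EXE = r"C:\Users\victim\Desktop\Sample01.exe"
SAMPLE_PATHS = [
    r"C:\Users\victim\Desktop\budget.xlsx",
    r"C:\Users\victim\Desktop\notes.dat",
    r"C:\Users\victim\Desktop\archive.DAT",
    r"C:\Users\victim\Desktop\tool.exe",
    r"C:\Users\victim\Desktop\!!!HOW_TO_DECRYPT!!!.txt",
    r"C:\Users\victim\Desktop\Sample01.exe",
    r"C:\Users\victim\Desktop\photo.jpg.[884ae5eafd].[thetan@nerdmail.co].ner",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"Z:\Finance\ledger.mdf",   # mapped network drive, reachable thanks to EnableLinkedConnections
]

if __name__ == "__main__":
    for path, outcome in plan(SAMPLE_PATHS, OWN_EXE).items():
        print(f"{path}\n    -> {outcome}")
```

The practical lesson for defenders is that ransomware whitelists protect the malware's own operation (the system still has to boot so the note can be read), not the victim's data; the .dat/.DAT asymmetry shows that even the files the author intended to spare are not reliably spared.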
Threat Hunting

MedusaLocker changes many of its atomic indicators between infections, so there are few indicators specific to MedusaLocker compared with other ransomware families. Because of this, the majority of the Threat Hunting queries below are generic and can be used to detect anomalous behaviour associated with common ransomware TTPs.

To search for persistence via the Autorun (Run key) registry value:

Behavior:("Persistence") AND Registry.Path:("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run")

To search for the deletion of shadow copies ("wmic.exe SHADOWCOPY delete /nointeractive"):

Type:("Process Creation") AND Behavior:("Fileless" OR "Backup deletion") AND Target.Process.File.Name:("WMIC.exe") AND Target.Process.CommandLine:("SHADOWCOPY delete \/nointeractive")

To search for the execution of the command "net stop VSS & sc config VSS start= disabled":

Type:("Process Creation") AND Target.Process.File.Name:("net.exe") AND Target.Process.CommandLine:("stop VSS & sc config VSS start\= disabled")

To search for the execution of the command "sc config VSS start= Demand & net start VSS":

Type:("Process Creation") AND Behavior:("Persistence") AND Target.Process.File.Name:("sc.exe") AND Target.Process.CommandLine:("config VSS start\= Demand & net start VSS")

To search for the execution of the command "icacls.exe \"{A-Z}:\" /grant {Username}:F /T /C /Q":

Type:("Process Creation") AND Target.Process.File.Name:("icacls.exe") AND Target.Process.CommandLine:("\"\{A\-Z\}\:\" \/grant " AND "\:F \/T \/C \/Q")

To search for the execution of the command "powershell -command \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\"":

Type:("Process Creation") AND Behavior:("Scripting") AND Target.Process.File.Name:("powershell.exe") AND Target.Process.CommandLine:("\-command \"Get\-WmiObject Win32_Shadowcopy | ForEach\-Object \{$_.Delete\(\);\}\"")

Two caveats when reusing these queries. First, the net.exe and sc.exe queries match the full chained string ("net stop VSS & sc config ..."), which is what is recorded when the malware passes the whole string to CreateProcessW; if a variant runs the same commands through cmd.exe, the "&" is interpreted by cmd and each LOLBin appears as a separate process with only its own arguments, so also match on the individual fragments ("stop VSS", "config VSS start= disabled"). Second, the icacls query contains the placeholders {A-Z} and {Username} literally; substitute the drive letter and user name observed in your own telemetry, or match on "/grant " together with ":F /T /C /Q" alone.
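
The queries above are written in FortiEDR's own query language. As a platform-neutral companion to them and to Table 1, here is an added Python example (written for this page, not FortiEDR code and not anything from the MedusaLocker sample) that classifies process-creation command lines against the Table 1 patterns, tags each with the ATT&CK technique the article cites, and only raises an alert when one parent process spawns several distinct recovery-inhibition commands, which separates the ransomware burst from a lone administrative vssadmin call. The ProcessEvent fields and the sample events are constructed for illustration; the parent name 'Sample01.exe' is taken from Figure 2.

```python
import re
from dataclasses import dataclass

# Patterns distilled from Table 1. Each entry: (label, ATT&CK technique, regex).
# Matching is case-insensitive because vssadmin, wmic, bcdedit and wbadmin accept
# their verbs in any case on the command line.
PATTERNS = [
    ("shadow copy deletion (vssadmin)", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow storage resize (vssadmin)", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("shadow copy deletion (wmic)", "T1490",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("shadow copy deletion (PowerShell WMI)", "T1490",
     re.compile(r"\bwin32_shadowcopy\b.*\.delete\(", re.I)),
    ("VSS service tampering (net/sc)", "T1490",
     re.compile(r"\b(net|sc)(\.exe)?\s+(stop|start|config)\s+vss\b", re.I)),
    ("boot recovery disabled (bcdedit)", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("backup catalog / system state deletion (wbadmin)", "T1490",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I)),
    ("backup file deletion (del)", "T1490",
     re.compile(r"\bdel\s+(/[sfq]\s+){1,3}.*\.(vhd|bac|bak|wbcat|bkf|set|win|dsk)\b", re.I)),
    ("recursive full-control grant (icacls)", "T1222.001",
     re.compile(r"\bicacls(\.exe)?\b.*/grant\s+\S+:F\b.*\s/T\b", re.I)),
]


@dataclass
class ProcessEvent:
    """One process-creation record; field names are assumed, not FortiEDR's schema."""
    pid: int
    parent_image: str
    image: str
    command_line: str


def classify(command_line):
    """Return (label, technique) for the first Table 1 pattern matched, or None."""
    for label, technique, rx in PATTERNS:
        if rx.search(command_line):
            return label, technique
    return None


def detect_recovery_inhibition(events, min_distinct=3):
    """Group matching child processes by parent image and return the parents that
    spawned at least min_distinct different recovery-inhibition commands.
    A single vssadmin call can be legitimate administration; a burst of several
    different LOLBins from one parent is the ransomware signal."""
    by_parent = {}
    for ev in events:
        hit = classify(ev.command_line)
        if hit is not None:
            by_parent.setdefault(ev.parent_image, []).append((ev.pid, ev.image, *hit))
    return {parent: hits for parent, hits in by_parent.items()
            if len({h[2] for h in hits}) >= min_distinct}


# Constructed sample telemetry, not captured data. The first block mirrors the
# Table 1 command lines as children of the sample from Figure 2; the second is
# an administrator inspecting and enlarging shadow storage from an interactive shell.
SAMPLE_EVENTS = [
    ProcessEvent(1001, "Sample01.exe", "net.exe", "net stop VSS & sc config VSS start= disabled"),
    ProcessEvent(1002, "Sample01.exe", "vssadmin.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcessEvent(1003, "Sample01.exe", "vssadmin.exe",
                 "vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB"),
    ProcessEvent(1004, "Sample01.exe", "bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled No"),
    ProcessEvent(1005, "Sample01.exe", "wbadmin.exe", "wbadmin.exe DELETE CATALOG -quiet"),
    ProcessEvent(1006, "Sample01.exe", "icacls.exe", 'icacls.exe "C:" /grant Administrator:F /T /C /Q'),
    ProcessEvent(1007, "Sample01.exe", "cmd.exe", r"del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\Backup*.*"),
    ProcessEvent(1008, "Sample01.exe", "powershell.exe",
                 'powershell -command "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"'),
    ProcessEvent(2001, "explorer.exe", "vssadmin.exe", "vssadmin.exe List ShadowStorage"),
    ProcessEvent(2002, "explorer.exe", "vssadmin.exe",
                 "vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=10GB"),
]

if __name__ == "__main__":
    for parent, hits in detect_recovery_inhibition(SAMPLE_EVENTS).items():
        print(f"ALERT parent={parent} distinct_recovery_inhibition_commands={len(hits)}")
        for pid, image, label, technique in hits:
            print(f"  pid={pid} {image}: {label} [{technique}]")
```

Grouping by parent image is a simplification; in production, key on the parent process GUID or PID plus start time so that two unrelated processes with the same image name are not merged, and lower min_distinct to 1 for the patterns that have essentially no benign use on workstations (wbadmin DELETE CATALOG, bcdedit recoveryenabled No).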
MITRE ATT&CK

TA0003 - Persistence

T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Observed Activity: MedusaLocker ransomware creates the Autorun value under "Software\\Microsoft\\Windows\\CurrentVersion\\Run", pointing to the malware executable.

TA0005 - Defense Evasion

T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Observed Activity: MedusaLocker ransomware uses icacls.exe to grant a specified user full control of folders and files using the command "icacls.exe \"{A-Z}:\" /grant {Username}:F /T /C /Q".

TA0040 - Impact

T1490 - Inhibit System Recovery
Observed Activity: MedusaLocker ransomware attempts to inhibit system recovery by executing the commands listed in Table 1, such as "vssadmin.exe Delete Shadows /All /Quiet".

T1486 - Data Encrypted for Impact
Observed Activity: Like most ransomware, MedusaLocker selects and encrypts files in every accessible folder, including mapped network drives.

T1489 - Service Stop
Observed Activity: MedusaLocker ransomware stops the services listed in Table 2 so that the data files they hold open can be encrypted.

IOCs

Indicator Type: SHA1 hash. Associated Tactic: Impact. Description: MedusaLocker ransomware executable.

91637660e9635e46610663da5636dbcb575f39d6
41cc0a973883bad0305301d571fc7eb2999a29c5
5fff4c7c46e9d43682b3f905b67e01a666ca042d
c0501e264531f29854bdaa872eb12c30b5875200
24ceba1e2951cde8e41939da21c6ba3030fc531d
f7543bf01f228d70008ade016dbeeb4b3ec0b164
a35dd292647db3cb7bf60449732fc5f12162f39e
5681488646108059f85318ced1069b6e27802795
01868ae82c53fa5f2b4bb0378695b8ae7af9188a
35c3ee2d91176aef5c6a76afcefcfb573c664384
334063cb91e86a1f8efd20f3a74a1e2e8eacafc6
e4f65eba10cc0dc840549dc3ec5212e015564b1b
fa88ccadb24a0731f0b88baa234d11efecf25d5c
b545f6e4b8336377edef9c900f5dbb48ff3fb0cb