MedusaLocker ransomware was first identified in 2019, and several variants have continued to emerge in the years since. MedusaLocker appears to operate as Ransomware-as-a-Service (RaaS), which other bad actors can use to deploy it against their own victims. Different variants encrypt files and rename them with different extensions, such as ".1btc", ".marlock02", ".readinstructions", ".bec", ".mylock", ".jpz.nz", ".bomber", ".boroff", ".breakingbad", etc. MedusaLocker also uses different filenames for its ransom note depending on the variant.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury and the Financial Crimes Enforcement Network (FinCEN) issued an alert regarding MedusaLocker ransomware given a recent spike in activity. In this article, we take a closer look at how MedusaLocker executes, modifies the registry for persistence, executes commands to prevent file recovery, terminates services and selects files to encrypt. We also look in detail at which security events are generated when this ransomware is executed in a FortiEDR-protected environment.
The MedusaLocker sample analyzed in this article is a 32-bit Windows executable. On execution, the sample begins encrypting files immediately. As part of the encryption process the MedusaLocker ransomware drops a copy of the ransom note to every accessible folder.
Initial execution reveals that the sample checks whether it is already running with elevated privileges, i.e. as an administrator. If not, it spawns another instance of itself with elevated privileges using the ShellExecuteExW API with the "runas" parameter, as shown in Figure 1.
The “runas” parameter launches an application as Administrator. User Account Control (UAC) will prompt the user for consent to run the application elevated or enter the credentials of an administrator account used to run the application.
Figure 1. Code snapshot that shows the use of ShellExecuteExW API with the ‘runas’ parameter to execute the malware in Administrator mode
FortiEDR detects attempts to execute the MedusaLocker binary and prevents it from executing. As part of FortiEDR's pre-execution policy, the MedusaLocker binary was analyzed by a number of online sandboxes that form part of Fortinet Cloud Services, which classified it as malicious, as shown in Figure 2 below.
Figure 2. FortiEDR detection of the file execution attempt of the malicious MedusaLocker executable (in this case with filename 'Sample01.exe').
Once MedusaLocker restarts in Administrator mode, it makes the network drives mapped on the infected endpoint available to itself by enabling the EnableLinkedConnections registry entry. For the entry to take effect, MedusaLocker stops and restarts the LanmanWorkstation service. The purpose of enabling EnableLinkedConnections is to ensure that mapped network drives are visible to the elevated ransomware process, so that the files on those drives can be encrypted as well.
Figure 3 shows the snapshot of the code that enables the EnableLinkedConnections registry entry, and the code that restarts the LanmanWorkstation service.
Figure 3. Code snapshot to map the drives connected to the infected machine
MedusaLocker creates and sets the Autorun registry key, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", pointing to the malware executable. This ensures that the malware runs again after a reboot (T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), as shown in Figure 4.
Figure 4. Code snapshot that sets the Autorun registry key
FortiEDR detects and blocks MedusaLocker's creation of the Autorun registry key, as shown in Figure 5.
Figure 5. FortiEDR protects the endpoint by blocking the creation of the Autorun registry key
As part of its execution, MedusaLocker runs a series of commands via the CreateProcessW API to prevent recovery of essential files: it deletes shadow copies, deletes backup files, and sets the boot status policy to ignore a failed boot, failed shutdown, or failed checkpoint. These commands are all executed as child processes of the MedusaLocker process and provide excellent detection opportunities, especially since none of the commands are obfuscated. The executed commands are all Windows LOLBins commonly employed by ransomware samples to hamper recovery efforts; see Table 1 for details of each command.
Commands | Descriptions |
--- | --- |
"net stop VSS & sc config VSS start= disabled" | Stops the Volume Shadow Copy service and disables VSS from starting automatically |
"sc config VSS start= Demand & net start VSS" | Sets Volume Shadow Copy to start manually |
"wmic.exe SHADOWCOPY delete /nointeractive" | Deletes Volume Shadow Copy |
"vssadmin.exe Delete Shadows /All /Quiet" | Deletes Volume Shadow Copy |
"vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=401MB" | Resizes the shadow copy storage to a maximum of 401MB for drive c:. Resizing the shadow storage may cause the shadow copies to disappear. |
"vssadmin.exe Resize ShadowStorage /for=c: /on=c: /maxsize=unbounded" | Resizes the shadow copy storage with no maximum size for drive c:. Resizing the shadow storage may cause the shadow copies to disappear. |
"vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=401MB" | Resizes the shadow copy storage to a maximum of 401MB for drive d:. Resizing the shadow storage may cause the shadow copies to disappear. |
"vssadmin.exe Resize ShadowStorage /for=d: /on=d: /maxsize=unbounded" | Resizes the shadow copy storage with no maximum size for drive d:. Resizing the shadow storage may cause the shadow copies to disappear. |
"vssadmin.exe Resize ShadowStorage /for=e: /on=e: /maxsize=401MB" | Resizes the shadow copy storage to a maximum of 401MB for drive e:. Resizing the shadow storage may cause the shadow copies to disappear. |
"vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=401MB" | Resizes the shadow copy storage to a maximum of 401MB for drive f:. Resizing the shadow storage may cause the shadow copies to disappear. |
"vssadmin.exe Resize ShadowStorage /for=f: /on=f: /maxsize=unbounded" | Resizes the shadow copy storage with no maximum size for drive f:. Resizing the shadow storage may cause the shadow copies to disappear. |
"vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=401MB" | Resizes the shadow copy storage to a maximum of 401MB for drive g:. Resizing the shadow storage may cause the shadow copies to disappear. |
"vssadmin.exe Resize ShadowStorage /for=g: /on=g: /maxsize=unbounded" | Resizes the shadow copy storage with no maximum size for drive g:. Resizing the shadow storage may cause the shadow copies to disappear. |
"vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=401MB" | Resizes the shadow copy storage to a maximum of 401MB for drive h:. Resizing the shadow storage may cause the shadow copies to disappear. |
"vssadmin.exe Resize ShadowStorage /for=h: /on=h: /maxsize=unbounded" | Resizes the shadow copy storage with no maximum size for drive h:. Resizing the shadow storage may cause the shadow copies to disappear. |
"bcdedit.exe /set {default} recoveryenabled No" | Disables Automatic Startup Repair |
"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures" | Sets the bootstatuspolicy to ignore errors during reboots |
"wbadmin.exe DELETE CATALOG -quiet" | Deletes global catalog. Global catalog contains information about backups and backup destinations. |
"icacls.exe \"{A-Z}:\" /grant {Username}:F /T /C /Q" | Grants full control access to folders and files for {Username} |
"del /s /f /q c:\\*.VHD c:\\*.bac c:\\*.bak c:\\*.wbcat c:\\*.bkf c:\\Backup*.* c:\\backup*.* c:\\*.set c:\\*.win c:\\*.dsk" | Deletes all files in drive c: with extension names VHD, BAC, BAK, WBCAT, BKF, Set, WIN, and DSK. Also deletes files with names starting with Backup or backup. |
"del /s /f /q d:\\*.VHD d:\\*.bac d:\\*.bak d:\\*.wbcat d:\\*.bkf d:\\Backup*.* d:\\backup*.* d:\\*.set d:\\*.win d:\\*.dsk" | Deletes all files in drive d: with extension names VHD, BAC, BAK, WBCAT, BKF, Set, WIN, and DSK. Also deletes files with names starting with Backup or backup. |
"del /s /f /q e:\\*.VHD e:\\*.bac e:\\*.bak e:\\*.wbcat e:\\*.bkf e:\\Backup*.* e:\\backup*.* e:\\*.set e:\\*.win e:\\*.dsk" | Deletes all files in drive e: with extension names VHD, BAC, BAK, WBCAT, BKF, Set, WIN, and DSK. Also deletes files with names starting with Backup or backup. |
"del /s /f /q f:\\*.VHD f:\\*.bac f:\\*.bak f:\\*.wbcat f:\\*.bkf f:\\Backup*.* f:\\backup*.* f:\\*.set f:\\*.win f:\\*.dsk" | Deletes all files in drive f: with extension names VHD, BAC, BAK, WBCAT, BKF, Set, WIN, and DSK. Also deletes files with names starting with Backup or backup. |
"del /s /f /q g:\\*.VHD g:\\*.bac g:\\*.bak g:\\*.wbcat g:\\*.bkf g:\\Backup*.* g:\\backup*.* g:\\*.set g:\\*.win g:\\*.dsk" | Deletes all files in drive g: with extension names VHD, BAC, BAK, WBCAT, BKF, Set, WIN, and DSK. Also deletes files with names starting with Backup or backup. |
"del /s /f /q h:\\*.VHD h:\\*.bac h:\\*.bak h:\\*.wbcat h:\\*.bkf h:\\Backup*.* h:\\backup*.* h:\\*.set h:\\*.win h:\\*.dsk" | Deletes all files in drive h: with extension names VHD, BAC, BAK, WBCAT, BKF, Set, WIN, and DSK. Also deletes files with names starting with Backup or backup. |
"del %0" | When executed within a batch file, del %0 deletes the same batch file |
"wbadmin.exe DELETE SYSTEMSTATEBACKUP" | Deletes the system state backup. A system state backup is a backup of operating system files. |
"wbadmin.exe DELETE SYSTEMSTATEBACKUP -deleteoldest" | Deletes the oldest system state backup. A system state backup is a backup of operating system files. |
"powershell -command \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\"" | Deletes Volume Shadow Copy |
Table 1. List of commands used by MedusaLocker to prevent recoveries of important files
Figure 6 shows the code that is used to execute the commands listed in Table 1.
Figure 6. Code snapshot that executes the commands from Table 1
MedusaLocker also empties the recycle bin to ensure that even deleted files will not be recovered, using SHEmptyRecycleBinW API, as shown in Figure 7.
Figure 7. Code snapshot that empties the recycle bin
FortiEDR detects and blocks access to the Volume Shadow Copy services of the endpoint, as shown in Figure 8. Modification of the Volume Shadow Copy service is a common part of ransomware operations, as is manipulating or deleting existing copies to inhibit information recovery.
Figure 8. FortiEDR detects and blocks access to the Volume Shadow Copy service
MedusaLocker terminates services that belong to accounting software, Hyper-V, database software, and other applications. It first checks whether the service is active and running using the OpenServiceW API, then terminates it by sending the SERVICE_CONTROL_STOP code via the ControlService API, as shown in Figure 9. The main reason MedusaLocker terminates these services is so that it can encrypt the data files they hold open. Table 2 lists the services the ransomware terminates.
Figure 9. Code snapshot that terminates service
Services | | | | |
--- | --- | --- | --- | --- |
Culserver | ccEvtMgr | vmicguestinterface | MSSQLSERVER | SQLAgent |
Intuit.QuickBooks.FCS | msmdsrv | vmicheartbeat | SQLBrowser | MSSQLServerOLAPService |
QBCFMonitorService | sqladhlp | vmicrdv | SQLTELEMETRY | MsDtsServer100 |
QBIDPService | sqlbrowser | storflt | MsDtsServer130 | ReportServer |
RTVscan | sqlservr | vmictimesync | SSISTELEMETRY130 | TMBMServer |
SQLADHLP | sqlwriter | vmicvss | SQLWriter | postgresql-x64-9.4 |
SavRoam | vmickvpexchange | MSSQLFDLauncher | MSSQL | UniFi |
vmms | wrapper | | | |
Table 2. List of services to be terminated
After removing the system owners' ability to easily restore the infected system from shadow copies or backups, and terminating the listed services, MedusaLocker drops a copy of the ransom note into every accessible folder, starting with the Desktop folder. Other variants of this ransomware only drop the ransom note into folders that contain encrypted files; this particular variant drops a ransom note regardless of whether the folder contains encrypted files. See Figures 10 and 11.
Figure 10. Code snapshot that drops the ransom note
Figure 11. MedusaLocker ransom note content
MedusaLocker ransomware avoids encrypting files in the "Windows" folder. It also makes sure that it does not encrypt any file that has already been encrypted (files with the extension ".[thetan@nerdmail.co].ner"), it avoids the running MedusaLocker executable itself, and it avoids encrypting the ransom note file ("!!!HOW_TO_DECRYPT!!!.txt").
The ransomware has a whitelist of extensions whose files it does not encrypt, as shown in Table 3. The extension comparison is case-sensitive, so a file is still encrypted if its extension is in the whitelist but differs in case. For example, MedusaLocker skips files with the extension ".dat", but still encrypts files with the extension ".DAT", ".Dat", or ".daT".
Once a file has been encrypted, MedusaLocker will rename it with an extension name “[884ae5eafd].[thetan@nerdmail.co].ner”. See Figure 12.
Extensions | | | | |
--- | --- | --- | --- | --- |
dat | ico | mod | ocx | shs |
diagcab | icns | mht | prf | spl |
dll | ini | mpa | ReadInstructions | sys |
drv | inprocess | msc | rom | [thetan@nerdmailco].ner |
exe | idx | msp | rtp | theme |
icl | lnk | msu | scr | themepack |
Table 3. Whitelist of extension names
Figure 12. Encrypted files and the ransom note
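The selection rules above determine which files on a host end up encrypted, so a responder working from a directory inventory can estimate impact before touching the machine. The following is an added example, not code from the article or from the ransomware: it applies the exemptions described above (the Windows folder, already-encrypted files, the malware's own executable, the ransom note, and the case-sensitive Table 3 whitelist) to a constructed list of paths. The folder comparison and the own-path comparison are my assumptions about how the checks behave; only the extension check's case sensitivity is stated by the article.

```python
# Impact triage for the file-selection rules described above: given an inventory of
# paths (e.g. a directory listing taken during response), report which files this variant
# would skip and why, and which it would encrypt. Added example; the comparison details
# (folder check, own-path comparison) are inferred from the article, not taken from the binary.
import ntpath

# Table 3 as printed in the article. Matching is case-sensitive, as the article states.
WHITELIST_EXTENSIONS = {
    "dat", "ico", "mod", "ocx", "shs", "diagcab", "icns", "mht", "prf", "spl",
    "dll", "ini", "mpa", "ReadInstructions", "sys", "drv", "inprocess", "msc", "rom",
    "[thetan@nerdmailco].ner", "exe", "idx", "msp", "rtp", "theme", "icl", "lnk",
    "msu", "scr", "themepack",
}
ENCRYPTED_SUFFIX = ".[thetan@nerdmail.co].ner"  # carried by files that are already encrypted
RANSOM_NOTE = "!!!HOW_TO_DECRYPT!!!.txt"


def skip_reason(path, own_exe):
    """Return why the variant would leave `path` alone, or None if it would be encrypted."""
    _drive, rest = ntpath.splitdrive(path)
    top = next((p for p in rest.split("\\") if p), "")
    if top.lower() == "windows":               # folder name compared case-insensitively (assumed)
        return "inside Windows folder"
    if path.endswith(ENCRYPTED_SUFFIX):
        return "already encrypted"
    if ntpath.normcase(path) == ntpath.normcase(own_exe):
        return "ransomware's own executable"
    name = ntpath.basename(path)
    if name == RANSOM_NOTE:
        return "ransom note"
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    if ext in WHITELIST_EXTENSIONS:            # exact-case match only, per the article
        return f"whitelisted extension .{ext}"
    return None


def triage(paths, own_exe):
    """Split an inventory into (exposed, exempt); exempt maps path -> reason."""
    exposed, exempt = [], {}
    for p in paths:
        reason = skip_reason(p, own_exe)
        if reason is None:
            exposed.append(p)
        else:
            exempt[p] = reason
    return exposed, exempt


# Constructed inventory, not taken from any real host. 'Sample01.exe' is the filename
# from Figure 2; the directory is made up.
OWN_EXE = r"C:\Users\victim\Downloads\Sample01.exe"
INVENTORY = [
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Users\victim\Documents\budget.xlsx",
    r"C:\Users\victim\Documents\budget.xlsx.[thetan@nerdmail.co].ner",
    r"C:\Users\victim\Desktop\!!!HOW_TO_DECRYPT!!!.txt",
    OWN_EXE,
    r"C:\Program Files\App\app.dll",
    r"C:\Data\settings.dat",
    r"C:\Data\settings.DAT",   # same file type, different case: not exempt
    r"D:\Backups\site.bak",
]

if __name__ == "__main__":
    exposed, exempt = triage(INVENTORY, OWN_EXE)
    for p, why in exempt.items():
        print(f"skip    {p}  ({why})")
    for p in exposed:
        print(f"ENCRYPT {p}")
```

Running the script shows the practical consequence of the case-sensitive comparison: `settings.dat` is exempt while `settings.DAT` is reported as exposed, and `.bak` files, which the Table 1 `del` commands also target, are not protected by the whitelist at all.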
MedusaLocker changes many of its atomic indicators between infections, so there are few indicators specific to MedusaLocker compared to other ransomware families. Because of this, the majority of the threat hunting rules below are generic in nature, which allows them to detect anomalous behaviour associated with common ransomware TTPs rather than this sample alone.
To search for persistence using the Autorun registry key:
To search for the deletion of shadow copies ("wmic.exe SHADOWCOPY delete /nointeractive"):
To search for the execution of the command "net stop VSS & sc config VSS start= disabled":
To search for the execution of the command "sc config VSS start= Demand & net start VSS":
To search for the execution of the command "icacls.exe \"{A-Z}:\" /grant {Username}:F /T /C /Q":
To search for the execution of the command "powershell -command \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}\"":
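The hunting searches listed above, together with the rest of Table 1 and the two registry modifications described earlier (the Run key and EnableLinkedConnections), can be expressed as detection logic over endpoint telemetry. The following is an added example, not code from the article or from FortiEDR: it runs a small rule set over constructed Sysmon-style process-creation (Event ID 1) and registry value-set (Event ID 13) events, and raises a high-confidence finding when a single parent process triggers several recovery-inhibition rules, which is how the child-process chain from Table 1 appears in logs. The event layout, file paths and SID are assumptions; the Policies\System location of EnableLinkedConnections and the T1112 mapping are my additions, not from the article.

```python
# Detection logic for the Table 1 commands and the hunting searches above, run over
# constructed Sysmon-style events. Added example: event layout, paths and SID are assumed.
import re
from collections import defaultdict

# Process-creation rules (Sysmon Event ID 1), derived from Table 1. Matched case-insensitively
# with flexible spacing: a hunt sees the logged command line, not the string in the binary.
_RAW_RULES = [
    ("vss_service_disabled", "T1490", r"net\s+stop\s+vss\s*&\s*sc\s+config\s+vss\s+start=\s*disabled"),
    ("vss_service_manual", "T1490", r"sc\s+config\s+vss\s+start=\s*demand\s*&\s*net\s+start\s+vss"),
    ("wmic_shadowcopy_delete", "T1490", r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("vssadmin_delete_shadows", "T1490", r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("vssadmin_resize_shadowstorage", "T1490", r"vssadmin(\.exe)?\s+resize\s+shadowstorage"),
    ("bcdedit_recovery_tamper", "T1490",
     r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("wbadmin_delete_backups", "T1490", r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)"),
    ("backup_file_deletion", "T1490", r"\bdel\s+/s\s+/f\s+/q\s+[a-z]:\\\*\.(vhd|bak|bac|wbcat|bkf)"),
    ("icacls_grant_full_control", "T1222.001", r'icacls(\.exe)?\s+"?[a-z]:\\?"?\s+/grant\s+\S+:F\b'),
    ("powershell_shadowcopy_delete", "T1490", r"get-wmiobject\s+win32_shadowcopy.*\.delete\(\)"),
]
PROCESS_RULES = [(n, t, re.compile(p, re.I)) for n, t, p in _RAW_RULES]

# Registry value-set rules (Sysmon Event ID 13). The Run key path is from the article; the
# Policies\System location of EnableLinkedConnections is assumed here.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
LINKED_CONNECTIONS = re.compile(r"\\EnableLinkedConnections$", re.I)


def match_process(ev):
    """Return the first Table 1 rule matching a process-creation event, or None."""
    cmd = ev.get("command_line", "")
    for name, technique, rx in PROCESS_RULES:
        if rx.search(cmd):
            return {"rule": name, "technique": technique,
                    "parent": ev.get("parent_image", ""), "evidence": cmd}
    return None


def match_registry(ev):
    """Flag Run-key persistence (a write pointing at the writer itself scores higher)
    and EnableLinkedConnections being set to 1."""
    target, details = ev.get("target_object", ""), ev.get("details", "")
    if RUN_KEY.search(target):
        self_ref = details.strip('"').lower() == ev.get("image", "").lower()
        return {"rule": "autorun_run_key_self_persistence" if self_ref else "autorun_run_key_write",
                "technique": "T1547.001", "parent": ev.get("image", ""), "evidence": target}
    if LINKED_CONNECTIONS.search(target) and details.endswith("0x00000001)"):
        # T1112 (Modify Registry) is a mapping added here; the article does not assign one.
        return {"rule": "enable_linked_connections_set", "technique": "T1112",
                "parent": ev.get("image", ""), "evidence": target}
    return None


def evaluate(events, chain_threshold=3):
    """Return (alerts, chains): one alert per matching event, plus a high-confidence finding
    for every parent process that triggered at least chain_threshold distinct T1490 rules."""
    alerts = []
    for ev in events:
        if ev["event_id"] == 1:
            hit = match_process(ev)
        elif ev["event_id"] == 13:
            hit = match_registry(ev)
        else:
            hit = None
        if hit:
            alerts.append(hit)
    rules_by_parent = defaultdict(set)
    for a in alerts:
        if a["technique"] == "T1490":
            rules_by_parent[a["parent"].lower()].add(a["rule"])
    chains = {p: sorted(r) for p, r in rules_by_parent.items() if len(r) >= chain_threshold}
    return alerts, chains


# Constructed telemetry. 'Sample01.exe' is the filename from Figure 2; the path is made up.
MALWARE = r"C:\Users\victim\Downloads\Sample01.exe"
SAMPLE_EVENTS = [
    {"event_id": 1, "parent_image": MALWARE,
     "command_line": "cmd.exe /c net stop VSS & sc config VSS start= disabled"},
    {"event_id": 1, "parent_image": MALWARE, "command_line": "wmic.exe SHADOWCOPY delete /nointeractive"},
    {"event_id": 1, "parent_image": MALWARE, "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"event_id": 1, "parent_image": MALWARE, "command_line": "bcdedit.exe /set {default} recoveryenabled No"},
    {"event_id": 1, "parent_image": MALWARE, "command_line": r'icacls.exe "C:\" /grant victim:F /T /C /Q'},
    {"event_id": 1, "parent_image": MALWARE,
     "command_line": r"cmd.exe /c del /s /f /q c:\*.VHD c:\*.bac c:\*.bak c:\*.wbcat c:\*.bkf"},
    # Benign administrator activity that must stay quiet: listing shadows is not deleting them.
    {"event_id": 1, "parent_image": r"C:\Windows\System32\cmd.exe", "command_line": "vssadmin.exe list shadows"},
    {"event_id": 13, "image": MALWARE, "details": MALWARE,
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Sample01"},
    {"event_id": 13, "image": MALWARE, "details": "DWORD (0x00000001)",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections"},
]

if __name__ == "__main__":
    found, chains = evaluate(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['technique']:<10} {a['rule']:<34} {a['evidence']}")
    for parent, rules in chains.items():
        print(f"\nrecovery-inhibition chain from {parent}: {', '.join(rules)}")
```

Individual rules such as `vssadmin_delete_shadows` will also fire on legitimate administration, which is why the chain finding matters: an unobfuscated sequence of several distinct Table 1 commands from one parent, combined with a Run-key write pointing back at that same parent, is the signal worth paging on.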
Technique ID | Technique Description | Observed Activity |
--- | --- | --- |
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | MedusaLocker ransomware creates the Autorun key, "Software\\Microsoft\\Windows\\CurrentVersion\\Run", pointing to the malware executable. |
T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | MedusaLocker ransomware uses icacls.exe to grant a specified user full access to folders and files using the command "icacls.exe \"{A-Z}:\" /grant {Username}:F /T /C /Q". |
T1490 | Inhibit System Recovery | MedusaLocker ransomware tries to inhibit system recovery by executing the commands listed in Table 1, such as "vssadmin.exe Delete Shadows /All /Quiet". |
T1486 | Data Encrypted for Impact | Similar to common ransomware, MedusaLocker selects and encrypts files in every accessible folder. |
T1489 | Service Stop | MedusaLocker ransomware disables services to allow the encryption process to more effectively encrypt key files on affected endpoints. |
Indicator Description | Indicator | Indicator Type | Associated Tactic | Notes |
--- | --- | --- | --- | --- |
MedusaLocker ransomware | 91637660e9635e46610663da5636dbcb575f39d6 | SHA1 Hash | Impact | Medusa Locker executable |
MedusaLocker ransomware | 41cc0a973883bad0305301d571fc7eb2999a29c5 | SHA1 Hash | Impact | Medusa Locker executable |
MedusaLocker ransomware | 5fff4c7c46e9d43682b3f905b67e01a666ca042d | SHA1 Hash | Impact | Medusa Locker executable |
MedusaLocker ransomware | c0501e264531f29854bdaa872eb12c30b5875200 | SHA1 Hash | Impact | Medusa Locker executable |
MedusaLocker ransomware | 24ceba1e2951cde8e41939da21c6ba3030fc531d | SHA1 Hash | Impact | Medusa Locker executable |
MedusaLocker ransomware | F7543bf01f228d70008ade016dbeeb4b3ec0b164 | SHA1 Hash | Impact | Medusa Locker executable |
MedusaLocker ransomware | a35dd292647db3cb7bf60449732fc5f12162f39e | SHA1 Hash | Impact | Medusa Locker executable |
MedusaLocker ransomware | 5681488646108059f85318ced1069b6e27802795 | SHA1 Hash | Impact | Medusa Locker executable |
MedusaLocker ransomware | 01868ae82c53fa5f2b4bb0378695b8ae7af9188a | SHA1 Hash | Impact | Medusa Locker executable |
MedusaLocker ransomware | 35c3ee2d91176aef5c6a76afcefcfb573c664384 | SHA1 Hash | Impact | Medusa Locker executable |
MedusaLocker ransomware | 334063cb91e86a1f8efd20f3a74a1e2e8eacafc6 | SHA1 Hash | Impact | Medusa Locker executable |
MedusaLocker ransomware | E4f65eba10cc0dc840549dc3ec5212e015564b1b | SHA1 Hash | Impact | Medusa Locker executable |
MedusaLocker ransomware | Fa88ccadb24a0731f0b88baa234d11efecf25d5c | SHA1 Hash | Impact | Medusa Locker executable |
MedusaLocker ransomware | B545f6e4b8336377edef9c900f5dbb48ff3fb0cb | SHA1 Hash | Impact | Medusa Locker executable |
Copyright 2024 Fortinet, Inc. All Rights Reserved.