As it stands, ransomware is the cybersecurity problem that refuses to go away. What started as malware specifically targeting home users is now targeting government departments and businesses. Even Fortune 500 companies are not immune to infection, despite the fact that they often have dedicated security personnel. There are many reasons for the continued increase in ransomware and the deeper you dig, the more complex the picture becomes. However, studying various strains of ransomware reveals how ransomware infections can be fought. Advice is unfortunately not always followed, but that’s quite a topic of discussion beyond the scope of this article.
One of those strains, MedusaLocker, is relatively new to the ransomware scene and reveals more about how attackers seek to infect devices and encrypt data. Medusa, the snake-headed Gorgon from Greek mythology slain by Perseus, is an apt symbol for ransomware, and an apt namesake for this strain. But killing this ransomware strain seems just as difficult as Perseus’ struggle.
The origin story of MedusaLocker
Discovered at the end of September 2019 by MalwareHunterTeam, MedusaLocker has started infecting users around the world. In just over 30 days since its discovery, MedusaLocker has been submitted to the ID Ransomware site nearly 10 times per day on average. The numbers may not sound staggering, but for a new strain of ransomware it has made enough noise to be noticed. After a month of activity, news articles and government warnings began to inform users of the new threat.
Since its discovery, MedusaLocker has to a large extent stayed under the radar of public attention. The last mention of significance was made in February 2020, in a Twitter message detailing a new variant. Apart from that, the ransomware is shrouded in mystery. This may be in part because the media is paying more attention to Ryuk, Sodinokibi, DoppelPaymer and Maze, all of which have either published or threatened to disclose stolen victim data if the ransom is not paid. These other variants also tend to monopolize the spotlight by successfully targeting and infecting so-called “big game” targets, i.e. large corporations or government departments that are more likely to pay exorbitant sums when compared to the much more expensive alternatives.
What do we know?
While much of MedusaLocker and those behind the ransomware remains a mystery, analysis of the code and how the malware works has revealed a lot. Researchers still don’t know exactly how MedusaLocker is delivered and installed; however, some believe the evidence strongly points to malicious payloads being delivered through spam emails, with the malware attached directly to the email. While it’s not clear exactly how MedusaLocker is delivered and launched, a lot is known about how the ransomware does what it is designed to do, which is to encrypt data.
While running, MedusaLocker does something that is not seen with many other ransomware strains: it takes steps to ensure that it is able to infect not only the targeted machine, but also remote and adjacent hosts. The process it follows allows it not only to reach mapped network drives, but also to encrypt the data on them. To better carry out this task, MedusaLocker goes so far as to restart the LanmanWorkstation service, which is responsible for creating and maintaining network connections via the SMB protocol. Restarting the service forces the configuration changes MedusaLocker has made to it to take effect, not only on the infected machine but also across the network.
Once this is done, MedusaLocker attempts to prevent detection by various antivirus products. It does this by terminating processes linked to security products, including G Data, Qihoo 360 and Symantec. Additionally, the ransomware terminates applications typically used by security researchers to analyze and reverse engineer malware, such as MS SQL, Apache Tomcat and VMware. But security applications and those used for reverse engineering aren’t MedusaLocker’s only targets; the malware also attacks applications associated with accounting software. Intuit QuickBooks does not allow editing of files it already has open, for safety reasons; however, by ending these processes, MedusaLocker hopes to encrypt those files as well, which could be of vital importance to the day-to-day operations of a business.
MedusaLocker Encryption Routine
Like many modern ransomware strains, MedusaLocker uses AES-256 to encrypt data. One of the reasons this algorithm is used is the incredibly high level of protection afforded by its 256-bit key. To brute-force such a key, a person would have to try more combinations than there are atoms in the observable universe. This makes AES-256 virtually impossible to crack by brute force. There are other methods of recovering an encryption key through side-channel attacks; however, for those typically infected with ransomware, performing such an attack is far beyond their pay grade and ability.
MedusaLocker takes it a step further by encrypting the AES-256 key with an RSA-2048 key. Unlike other strains of ransomware that target specific file extensions for encryption, MedusaLocker does almost the exact opposite: it whitelists a hard-coded set of file extensions to leave alone during the encryption process, and it also skips files carrying the .encrypted extension so that already encrypted files are not processed again. To do this, the malware must run repeatedly at regular intervals to search for new files to encrypt. Since its discovery, MedusaLocker has appended the following extensions to encrypted files: .newlock, .skynet, .nlocker, .bomber, .breakingbad, .locker16.
As mentioned above, MedusaLocker runs at set intervals while encrypting data. Between searches for further files to encrypt, the malware sleeps for 60 seconds and then starts another search. In addition, to remain persistent on the infected machine, the malware creates a scheduled task every 10 to 30 minutes. The ability to skip already encrypted files makes the process much more efficient than previous strains of ransomware. The same extension-based exclusion also spares critical files and drive locations which, if encrypted, would prevent the malware operators from securing a paycheck.
What we do know about the ransom is how the note is delivered to the infected machine. Wherever it encrypts data, the ransomware creates a ransom note named HOW_TO_RECOVER_DATA.html or Readme.html, which contains two email addresses to contact for payment instructions. The note gives no indication of the amount to be paid. Perhaps this is a sign that the operators apply variable pricing depending on the victim, which may be further proof that MedusaLocker belongs to the large family of ransomware strains targeting large organizations.
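The extensions and ransom note names listed above are the artifacts a responder can look for on disk. As an added example (not code from the article, and not MedusaLocker's own code), the following Python script walks a directory tree and reports those indicators; the infected-looking tree it builds is constructed sample data for the demo.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path
# Indicators quoted in the article: the ransom note file names and the
# extensions MedusaLocker appends to files it has encrypted.
RANSOM_NOTE_NAMES = {"HOW_TO_RECOVER_DATA.html", "Readme.html"}
MEDUSALOCKER_EXTENSIONS = {".encrypted", ".newlock", ".skynet", ".nlocker",
                           ".bomber", ".breakingbad", ".locker16"}

def scan_tree(root):
    """Walk a directory tree and report MedusaLocker indicators: ransom note
    paths, a per-extension count of encrypted files, and affected folders."""
    notes, enc_counts, dirs = [], Counter(), set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name in RANSOM_NOTE_NAMES:
                notes.append(os.path.join(dirpath, name))
                dirs.add(dirpath)
                continue
            # suffix gives only the last extension, so "Q3.xlsx.encrypted"
            # yields ".encrypted" regardless of the original file type.
            ext = Path(name).suffix.lower()
            if ext in MEDUSALOCKER_EXTENSIONS:
                enc_counts[ext] += 1
                dirs.add(dirpath)
    return {"notes": notes, "encrypted": dict(enc_counts), "dirs": sorted(dirs)}

def build_sample_tree():
    """Create a constructed, throw-away tree mimicking an infected host
    (sample data for this demo, not a real capture)."""
    root = tempfile.mkdtemp(prefix="medusa_demo_")
    layout = {
        "Finance/Q3.xlsx.encrypted": b"",
        "Finance/HOW_TO_RECOVER_DATA.html": b"All your data is encrypted!",
        "Finance/notes.txt": b"untouched",
        "HR/payroll.docx.skynet": b"",
        "HR/Readme.html": b"All your data is encrypted!",
        "Public/report.pdf": b"untouched",
    }
    for rel, body in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
    return root

if __name__ == "__main__":
    r = scan_tree(build_sample_tree())
    print(f"notes={len(r['notes'])} encrypted={r['encrypted']} dirs={r['dirs']}")
```

Point scan_tree at a mounted image or a mapped share root to get a quick count of affected folders; files MedusaLocker skipped (such as notes.txt and report.pdf here) are not reported.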
Screenshot of MedusaLocker ransom note:
To help determine whether a machine is infected with MedusaLocker, the text of the ransom note is reproduced below (including its grammar and spelling errors):
“All your data is encrypted!
Your files are encrypted and currently unavailable.
You can check it: all files on your computer have a new extension.
By the way, everything is possible to recover (restore), but you need to buy a single decryptor.
Otherwise, you will never be able to return your data.
To buy a decryptor contact us by email:
If you don’t get a response within 24 hours, contact us through our alternate emails:
It’s just a deal. If we don’t do our job and our responsibilities, no one will cooperate with us.
To check the possibility of recovering your files, we can decrypt 1 file for free.
Attach 1 file to the letter (no more than 10 MB). Indicate your identity document on the letter:
– Attempts to edit files by yourself will result in data loss.
– Our e-mail can be blocked in time. Write now, loss of contact with us will result in loss of data.
– Using third party software to restore your data or antivirus solutions will result in data loss.
– Other users’ decryptors are unique and will not be suitable for your files and their use will result in data loss.
– If you do not cooperate with our service – for us it does not matter. But you will waste your time and data because we just have the private key.”
At the time of writing, there does not appear to be a decryptor readily available to the public. The bad news doesn’t end there: MedusaLocker aggressively targets local backups and Volume Shadow Copies (VSS), making manual data recovery without paying the ransom a daunting task. MedusaLocker not only targets local backups, but also disables the recovery options offered during the boot process.
Looking into a crystal ball
Considering how little information we have about MedusaLocker and the huge gaps in our knowledge, predicting the future of this ransomware is about as easy as looking into a crystal ball. Despite this, we know that MedusaLocker exhibits some trends seen in other strains of ransomware, namely variable pricing and aggressive targeting of backups and manual recovery methods. This puts MedusaLocker near the top of the threat list despite its limited distribution.
With the ransomware continually flying under the radar, its operators may well be here for the long haul. Rather than seeking to dethrone major players such as Ryuk and Sodinokibi, MedusaLocker could be looking to slowly ramp up the number of infections and generate ransom payments over time instead of quickly seeking massive paychecks.
– Tomas Meskauskas