A security researcher group called MalwareHunterTeam detected a new strain of ransomware dubbed “MedusaLocker.” Although many infections of the MedusaLocker ransomware have been detected in different parts of the world, the distribution method is not yet known. MalwareHunterTeam originally saw the ransomware spreading towards the end of September 2019 and began studying it. What they discovered was that various startup routines are performed upon install to ready the target computer for encryption. The registry value “EnableLinkedConnections” under the registry key HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionPoliciesSystem is created and the registry value is set to 1. The creators designed it this way to ensure mapped drives can be accessed in the instance of a UAC launched process. The Lanman Workstation service is restarted to check that Windows networking is operating and once again ensure that mapped network drives can be accessed. The next steps for the ransomware are to terminate over 50 processes. This is done in hopes that security programs will be sidelined, and all files are closed, along with wiping Shadow Volume copies, stripping back-ups and deactivating the Windows automatic startup repair. Once the encryption is completed, the ransomware will stay dormant for some time before it continues to scan for more files to encrypt. MedusaLocker copies itself to %UserProfile%AppDataRoamingsvchostt.exe and a scheduled task is added to re-launch programs every 30 minutes. For every folder that has an encrypted file, a ransom note named HOW_TO_RECOVER_DATA.html or Readme.html is included and contains two email addresses as well as payment instructions. It is unknown at this time how much the decryptor costs or if one is even provided. In other news, the MalwareHunterTeam has also found another ransomware strain known as “FuxSocy” and reported on it today (10/24). Binary Defense analysts are actively researching both strains of ransomware to help protect our clients.
Analyst Notes
Secure back-ups of important files should always be kept in case of a ransomware attack. An incident response plan should be in place to help recovery processes if and when systems are compromised. Endpoint detection systems are also a great way to protect companies and individuals from further damage. Binary Defense Vision is a great option when considering defense-in-depth strategies to combat ransomware. Our system will detect ransomware or attacker behaviors early to ensure that the infection from one computer is not spread to the rest of the network.
