Author: Anandeshwar Unnikrishnan
Editor: Bablu Kumar
Research indicates that while ransomware breach costs have declined slightly from USD 4.62 million to USD 4.54 million in 2021, ransomware is still responsible for 11% of breaches. The most targeted sectors (about 57%) are government, technology, healthcare, and academic institutions.
MedusaLocker is a ransomware family that appeared in September 2019 and was employed rapidly for attacks on companies from all over the world. It was particularly aimed at hospitals and other organizations in the healthcare industry.
This technical report is inspired by the CISA Cybersecurity Advisory and provides an in-depth analysis of the malware and its privilege escalation, anti-detection, network scanning, encryption techniques, etc.
- MedusaLocker predominantly relies on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks.
- The victim’s data is encrypted and a ransom note with communication instructions is placed in every folder containing an encrypted file.
- Victims are provided with a specific Bitcoin wallet address for ransom.
- Medusa possibly operates as a Ransomware-as-a-Service (RaaS) model.
- The ransomware performs UAC bypass (privilege escalation) to run the malware with administrative rights.
- The user data is locked using AES and the AES key is protected with RSA encryption.
- A scheduled task is created to run the locker every 15 minutes.
- The ransomware enumerates and terminates specific processes running on the target system. Some services are deleted to ensure smooth execution.
- A network reconnaissance can also be conducted via a ping scan to identify connected assets.
- The ransomware can lock files both on local and connected systems.
Also read the detailed report on Increased Cyber Attacks on the Global Healthcare Sector
Stage I – Pre-Encryption Operations
The MedusaLocker initiates its execution by retrieving the locale information of the victim such as the region and language set by the user.
A mutex is created to ensure that multiple instances of malware are not running on the compromised system.
After the mutex check, the malware proceeds to check its privilege escalation by obtaining a process token of the malware and checking if the token is elevated via the “TokenElevation Class” passed to advapi32.GetTokenInformation API. This way the malware can confirm if it is running with elevated privileges of an administrator shell.
If the malware is not running with elevated privileges, it performs a UAC elevation bypass via the CMSTPLUA COM interface. UAC (User Account Control) bypass mechanism is an overused and very common vector seen in ransomware to gain access to the resources with high integrity level, thus obtaining administrative privileges on the target system.
Also Read What Is Redeemer Ransomware and How Does It Spread: A Technical Analysis
After elevating the process, the malware proceeds to disable two features, EnableLUA and ConsentPromptBehaviorAdmin, responsible for notifying the user of any suspicious activity on the system via registry.
A new registry key “MDSLK” is created by the malware on the victim system. This is one of the clear indicators of MedusaLocker.
The MedusaLocker uses AES and RSA in its locking operation. The Advanced Encryption Standard (AES) is a symmetric block cipher implemented to encrypt sensitive data. RSA is a public key cryptosystem used for secure data transmission.
The user data is encrypted using AES and the AES key is protected by RSA encryption.
Initialization of cryptographic context for RSA by the malware
Initialization of cryptographic context for AES by the malware
MedusaLocker proceeds to copy the malware file to %APPDATA% of the user as svhost.exe. The AppData folder contains custom settings and other information that system applications need for their operation. It is a hidden folder that includes application settings, files, and data unique to different applications, along with all the data specific to the system user profile.
Then, by abusing the COM TaskScheduler class 0f87369f-a4e5-4cfc-bd3e-73e6154572dd, a scheduled job is created on the target system that executes the malware, in every 15 minutes.
The rclsid value helps in identifying the specific class targeted by the malware to achieve an objective. In this case, the ID value 0f87369f-a4e5-4cfc-bd3e-73e6154572dd confirms that the malware is accessing the task scheduler class implemented by C:\Windows\System32\taskschd.dll.
Device and Volume Enumeration
A volume or logical drive is a single accessible storage area with a single file system, usually resident on a single partition of a hard disk. Before the encryption process, the MedusaLocker enumerates (enumeration exposes potential security flaws) the local volumes and attached shares on the target system. On further investigating the code, the following APIs were found to be used to perform the enumeration:
The malware targets the SystemReserved partition by mounting it via SetVolumeMountPointW. During the locking phase, the data of the reserved partition gets encrypted to prevent data recovery.
Also read Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 1)
Service and Process Termination
After volume enumeration and mounting the reserved partition, the MedusaLocker terminates a list of processes and deletes system services. The table below contains a list of services targeted by Medusa.
|Services to be Terminated|
The malware opens each service in the list via the OpenServiceW API and monitors its state via QueryServiceStatusEx. If the state of the service is SERVICE_STOP_PENDING then the malware sleeps till a new state change happens.
Once a change in state occurs, Medusa retrieves and stops services (depending on the target service) by sending a SERVICE_CONTROL_STOP control signal.
After stopping the service, the malware deletes this service as well.
The locker retrieves a pointer to the structure that holds active processes on the system and walks through the list via CreateToolhelp32Snapshot, Process32FirstW, and Process32NextW APIs. If a match is found, the process is terminated via the TerminateProcess API.
The table below contains the list of running processes targeted by Medusa.
|Running Processes Being Targeted|
Recovery and Backup Removal
Once all the processes and services have been enumerated, the malware proceeds to remove the backups and neutralizes the recovery mechanisms before encrypting data.
To execute the above string commands, a new process is created and the string is passed as a parameter.
The malware then proceeds to empty the recycle bin.
The MedusaLocker enables the EnableLinkedConnections feature in the registry to make the remote shares accessible from the elevated administrative process session. This feature plays an important role in a networked environment, especially when the user wants to access a network resource from an elevated process.
The ransomware is capable of crafting ICMP packets and sending them across the network to scan for connected instances and to enumerate attached shares.
Also read Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 2)
After performing the scan, the MedusaLocker uses NetShareEnum API to gather information about the resources shared by the remote server in the network. This shows the malware’s capability to infect resources connected to the compromised network.
Stage II – Encryption and Locking
The locker has separate control flows for locking user data on a local system and network-connected hosts. The encryption routine (sub_5258E0) used in both cases is the same.
The encryption routine is implemented as follows:
- The ransomware creates a new file to save the encrypted data via CreateFileW API.
- The sub_535840 performs the encryption and writes data into the newly created file.
- The MoveFileExW API is used to rename the file and add “.marlock11” extension.
Indicators of Compromise (IoCs)