Malware Intelligence
mins read

Technical Analysis of MedusaLocker Ransomware

Technical Analysis of MedusaLocker Ransomware

September 29, 2022
Green Alert
Last Update posted on
February 3, 2024
Beyond Monitoring: Predictive Digital Risk Protection with CloudSEK

Protect your organization from external threats like data leaks, brand threats, dark web originated threats and more. Schedule a demo today!

Schedule a Demo
Table of Contents
Author(s)
No items found.

Author: Anandeshwar Unnikrishnan
Editor: Bablu Kumar

Research indicates that while ransomware breach costs have declined slightly from USD 4.62 million to USD 4.54 million in 2021, ransomware is still responsible for 11% of breaches. The most targeted sectors (about 57%) are government, technology, healthcare, and academic institutions.

MedusaLocker is a ransomware family that appeared in September 2019 and was employed rapidly for attacks on companies from all over the world. It was particularly aimed at hospitals and other organizations in the healthcare industry.

This technical report is inspired by the CISA Cybersecurity Advisory and provides an in-depth analysis of the malware and its privilege escalation, anti-detection, network scanning, encryption techniques, etc.

Modus Operandi

  • MedusaLocker predominantly relies on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks.
  • The victim’s data is encrypted and a ransom note with communication instructions is placed in every folder containing an encrypted file.
  • Victims are provided with a specific Bitcoin wallet address for ransom.
  • Medusa possibly operates as a Ransomware-as-a-Service (RaaS) model.

Technical Summary

  • The ransomware performs UAC bypass (privilege escalation) to run the malware with administrative rights.
  • The user data is locked using AES and the AES key is protected with RSA encryption.
  • A scheduled task is created to run the locker every 15 minutes.
  • The ransomware enumerates and terminates specific processes running on the target system. Some services are deleted to ensure smooth execution.
  • A network reconnaissance can also be conducted via a ping scan to identify connected assets.
  • The ransomware can lock files both on local and connected systems.

Also read the detailed report on Increased Cyber Attacks on the Global Healthcare Sector

Technical Analysis

Stage I – Pre-Encryption Operations

The MedusaLocker initiates its execution by retrieving the locale information of the victim such as the region and language set by the user.

Mutex Creation

A mutex is created to ensure that multiple instances of malware are not running on the compromised system.

Process of mutex creation
Process of mutex creation

 

After the mutex check, the malware proceeds to check its privilege escalation by obtaining a process token of the malware and checking if the token is elevated via the “TokenElevation Class” passed to advapi32.GetTokenInformation API. This way the malware can confirm if it is running with elevated privileges of an administrator shell.

Privilege Escalation

Preparing for privilege escalation
Preparing for privilege escalation

 

If the malware is not running with elevated privileges, it performs a UAC elevation bypass via the CMSTPLUA COM interface. UAC (User Account Control) bypass mechanism is an overused and very common vector seen in ransomware to gain access to the resources with high integrity level, thus obtaining administrative privileges on the target system.

Also Read What Is Redeemer Ransomware and How Does It Spread: A Technical Analysis

After elevating the process, the malware proceeds to disable two features, EnableLUA and ConsentPromptBehaviorAdmin, responsible for notifying the user of any suspicious activity on the system via registry.

Disabling the two features via registry
Disabling the two features via registry

 

A new registry key “MDSLK” is created by the malware on the victim system. This is one of the clear indicators of MedusaLocker.

Creation of new registry key “MDSLK”
Creation of new registry key “MDSLK”

 

Cryptographic Initialization

The MedusaLocker uses AES and RSA in its locking operation. The Advanced Encryption Standard (AES) is a symmetric block cipher implemented to encrypt sensitive data. RSA is a public key cryptosystem used for secure data transmission.

The user data is encrypted using AES and the AES key is protected by RSA encryption.

Initialization of cryptographic context for RSA by the malware

Initialization of cryptographic context for AES by the malware

Persistence

MedusaLocker proceeds to copy the malware file to %APPDATA% of the user as svhost.exe. The AppData folder contains custom settings and other information that system applications need for their operation. It is a hidden folder that includes application settings, files, and data unique to different applications, along with all the data specific to the system user profile.

Then, by abusing the COM TaskScheduler class 0f87369f-a4e5-4cfc-bd3e-73e6154572dd, a scheduled job is created on the target system that executes the malware, in every 15 minutes.

Copying malware to the APPDATA folder and creating a scheduled job
Copying malware to the APPDATA folder and creating a scheduled job

 

The rclsid value helps in identifying the specific class targeted by the malware to achieve an objective. In this case, the ID value 0f87369f-a4e5-4cfc-bd3e-73e6154572dd confirms that the malware is accessing the task scheduler class implemented by C:\Windows\System32\taskschd.dll.

Malware targeting the task scheduler class
Malware targeting the task scheduler class

 

Device and Volume Enumeration

A volume or logical drive is a single accessible storage area with a single file system, usually resident on a single partition of a hard disk. Before the encryption process, the MedusaLocker enumerates (enumeration exposes potential security flaws) the local volumes and attached shares on the target system. On further investigating the code, the following APIs were found to be used to perform the enumeration:

  • GetLogicalDrives
  • WNetGetConnectionW
  • FindFirstVolumeW
  • QueryDosDeviceW
  • FindNextVolumeW

The malware targets the SystemReserved partition by mounting it via SetVolumeMountPointW. During the locking phase, the data of the reserved partition gets encrypted to prevent data recovery.

Malware targeting the SystemReserved partition
Malware targeting the SystemReserved partition

Also read Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 1)

Service and Process Termination

After volume enumeration and mounting the reserved partition, the MedusaLocker terminates a list of processes and deletes system services. The table below contains a list of services targeted by Medusa.

Services to be Terminated
wrapper DefWatch ccEvtMgr ccSetMgr SavRoam
sqlservr sqlagent sqladhlp Culserver RTVscan
sqlbrowser SQLADHLP QBIDPService Intuit.QuickBooks.FCS QBCFMonitorService
sqlwriter msmdsrv SQLADHLP tomcat6 zhudongfangyu
vmware-usbarbitator64 vmware-converter dbsrv12 dbeng8

The malware opens each service in the list via the OpenServiceW API and monitors its state via QueryServiceStatusEx. If the state of the service is SERVICE_STOP_PENDING then the malware sleeps till a new state change happens.

Locker waits for a state change
Locker waits for a state change

 

Once a change in state occurs, Medusa retrieves and stops services (depending on the target service) by sending a SERVICE_CONTROL_STOP control signal.

Sending a SERVICE_CONTROL_STOP control signal
Sending a SERVICE_CONTROL_STOP control signal

 

After stopping the service, the malware deletes this service as well.

Locker deletes services after stopping it
Locker deletes services after stopping it

 

The locker retrieves a pointer to the structure that holds active processes on the system and walks through the list via CreateToolhelp32Snapshot, Process32FirstW, and Process32NextW APIs. If a match is found, the process is terminated via the TerminateProcess API.

Code for terminating processes
Code for terminating processes

 

The table below contains the list of running processes targeted by Medusa.

Running Processes Being Targeted
wxServer.exe wxServerView sqlservr.exe sqlmangr.exe RAgui.exe
supervise.exe Culture.exe RTVscan.exe Defwatch.exe sqlbrowser.exe
winword.exe QBW32.exe QBDBMgr.exe qbupdate.exe QBCFMonitorService.exe
axlbridge.exe QBIDPService.exe httpd.exe fdlauncher.exe MsDtSrvr.exe
tomcat6.exe java.exe 360se.exe 360doctor.exe wdswfsafe.exe
fdlauncher.exe fdhost.exe GDscan.exe ZhuDongFangYu.exe

Recovery and Backup Removal

Once all the processes and services have been enumerated, the malware proceeds to remove the backups and neutralizes the recovery mechanisms before encrypting data.

Preparing for backups removal and neutralizing recovery mechanisms
Preparing for backups removal and neutralizing recovery mechanisms

 

To execute the above string commands, a new process is created and the string is passed as a parameter.

Creation of a new process to execute the commands
Creation of a new process to execute the commands

 

The malware then proceeds to empty the recycle bin.

Malware clearing the recycle bin
Malware clearing the recycle bin

 

Network Scan

The MedusaLocker enables the EnableLinkedConnections feature in the registry to make the remote shares accessible from the elevated administrative process session. This feature plays an important role in a networked environment, especially when the user wants to access a network resource from an elevated process.

Locker preparing to make the remote shares accessible
Locker preparing to make the remote shares accessible

 

The ransomware is capable of crafting ICMP packets and sending them across the network to scan for connected instances and to enumerate attached shares.

Code for implementing the ICMP scan to enumerate the connected hosts in the network.
Code for implementing the ICMP scan to enumerate the connected hosts in the network.

 

Also read Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 2)

After performing the scan, the MedusaLocker uses NetShareEnum API to gather information about the resources shared by the remote server in the network. This shows the malware’s capability to infect resources connected to the compromised network.

Code for infecting resources connected to the compromised network
Code for infecting resources connected to the compromised network

 

Stage II – Encryption and Locking

The locker has separate control flows for locking user data on a local system and network-connected hosts. The encryption routine (sub_5258E0) used in both cases is the same.

Malware’s control flow for encryption and locking
Malware’s control flow for encryption and locking

 

The encryption routine is implemented as follows:

  • The ransomware creates a new file to save the encrypted data via CreateFileW API.
  • The sub_535840 performs the encryption and writes data into the newly created file.
  • The MoveFileExW API is used to rename the file and add “.marlock11” extension.
Code for the implementation of the encryption routine
Code for the implementation of the encryption routine

 

Indicators of Compromise (IoCs)

Executable Hashes
634d84758d8d922bbfb0ad3c904c38fc7989f11503877acf02ad5dad3775df7a
c41926a4e667a38bd712cd8fff2c555c51d7f719a949c9be8c1f74232100444b
98c9e56cba271bf7b32fc17d7966d067d9b549594f8dc60c941f93346e376c00
8939141fb565c044895627bbeb522d840d24899dec53545e4a925012dbf83230
ec2ec1c316045d5e2e43cc0f1df738e6367b520310a4b7a644717d3aebda43f4
6c51f28a6ab35c91e789a4b1a05032c87a3f03006019ba4997dc092ad1c8a625
cb12325d13acb03ad4f9977f426baf8b4688af04d4ffe23aa5f1bbd747a147c0
fbe10da8d483a0db6686b1f03f18b00dbc60c69fb9a9f4a941764c2c3426367c
f1c361bb3b649918bc5b3ad3fc5cbd1bbd7c585fbe2557410e267d161d3bb998
465ab4311a7db9f0bc10921cf6a0da7a746c4023dd78fdcec1c253eee69e5b9d
b15840fb0547fc774f371166adb89cd7a58647d4e379256a2f9806dd5a338627
99a72b56725196298391f3d52b8536b018aa8b60d97c443161e912430079ed30
19e31469f150f69bda363c8a3454113236620aa44155dbe845e7689522724b0b
c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4
58a0db1ae0d7d8c5cb5db5e5a24fd1088b8029a4e51c02e7b77d400c17bcb39a
66a13e8102f809e23e0ad0ba88ced5eecfa319797c9f709d090994a7143d858a
a3fe92224060ec183a25296999c18d4f86149649f1a701ac91b04d73e8678495
dbac4f2fffcb4e09aad772895647e8f161b1ac713592fe47c5e8207c85722f13

 

Author

Predict Cyber threats against your organization

Schedule a Demo
Related Posts
Blog Image
Emerging Threats
December 7, 2023

Exploring the Dark Web: Understanding Cybersecurity Threats and Safeguarding Strategies

Discover how to navigate and protect against Dark Web threats. Learn about cyber risks, real-time monitoring, and securing your digital presence.

Blog Image
Ransomware
November 4, 2023

Underground Marketplace Unveils New Ransomware Offering QBit with Advanced Encryption & Customization

On 23 October 2023, CloudSEK’s Threat Intelligence Team detected a Ransomware-as-a-Service (RaaS) group, named QBit introducing a newly developed ransomware written in Go, boasting advanced features to optimize its malicious operations.

Blog Image
Ransomware
September 8, 2023

Understanding Knight Ransomware: Advisory, Analysis

Cyclops, now renamed as Knight also known as Cyclops 2.0, debuted in May 2023. The Cyclops group has successfully developed ransomware that can infect all three major platforms: Windows, Linux, macOS, ESXi and Android.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

CloudSEK XVigil

Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.

Learn more about XVigil
CloudSEK SVigil

Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.

Learn more about SVigil
CloudSEK SVigil

Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.

Learn more about BeVigil Ent
CloudSEK BeVigil

Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.

Learn more about BeVigil
Malware Intelligence

min read

Technical Analysis of MedusaLocker Ransomware

Technical Analysis of MedusaLocker Ransomware

Authors
Co-Authors
No items found.

Author: Anandeshwar Unnikrishnan
Editor: Bablu Kumar

Research indicates that while ransomware breach costs have declined slightly from USD 4.62 million to USD 4.54 million in 2021, ransomware is still responsible for 11% of breaches. The most targeted sectors (about 57%) are government, technology, healthcare, and academic institutions.

MedusaLocker is a ransomware family that appeared in September 2019 and was employed rapidly for attacks on companies from all over the world. It was particularly aimed at hospitals and other organizations in the healthcare industry.

This technical report is inspired by the CISA Cybersecurity Advisory and provides an in-depth analysis of the malware and its privilege escalation, anti-detection, network scanning, encryption techniques, etc.

Modus Operandi

  • MedusaLocker predominantly relies on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks.
  • The victim’s data is encrypted and a ransom note with communication instructions is placed in every folder containing an encrypted file.
  • Victims are provided with a specific Bitcoin wallet address for ransom.
  • Medusa possibly operates as a Ransomware-as-a-Service (RaaS) model.

Technical Summary

  • The ransomware performs UAC bypass (privilege escalation) to run the malware with administrative rights.
  • The user data is locked using AES and the AES key is protected with RSA encryption.
  • A scheduled task is created to run the locker every 15 minutes.
  • The ransomware enumerates and terminates specific processes running on the target system. Some services are deleted to ensure smooth execution.
  • A network reconnaissance can also be conducted via a ping scan to identify connected assets.
  • The ransomware can lock files both on local and connected systems.

Also read the detailed report on Increased Cyber Attacks on the Global Healthcare Sector

Technical Analysis

Stage I – Pre-Encryption Operations

The MedusaLocker initiates its execution by retrieving the locale information of the victim such as the region and language set by the user.

Mutex Creation

A mutex is created to ensure that multiple instances of malware are not running on the compromised system.

Process of mutex creation
Process of mutex creation

 

After the mutex check, the malware proceeds to check its privilege escalation by obtaining a process token of the malware and checking if the token is elevated via the “TokenElevation Class” passed to advapi32.GetTokenInformation API. This way the malware can confirm if it is running with elevated privileges of an administrator shell.

Privilege Escalation

Preparing for privilege escalation
Preparing for privilege escalation

 

If the malware is not running with elevated privileges, it performs a UAC elevation bypass via the CMSTPLUA COM interface. UAC (User Account Control) bypass mechanism is an overused and very common vector seen in ransomware to gain access to the resources with high integrity level, thus obtaining administrative privileges on the target system.

Also Read What Is Redeemer Ransomware and How Does It Spread: A Technical Analysis

After elevating the process, the malware proceeds to disable two features, EnableLUA and ConsentPromptBehaviorAdmin, responsible for notifying the user of any suspicious activity on the system via registry.

Disabling the two features via registry
Disabling the two features via registry

 

A new registry key “MDSLK” is created by the malware on the victim system. This is one of the clear indicators of MedusaLocker.

Creation of new registry key “MDSLK”
Creation of new registry key “MDSLK”

 

Cryptographic Initialization

The MedusaLocker uses AES and RSA in its locking operation. The Advanced Encryption Standard (AES) is a symmetric block cipher implemented to encrypt sensitive data. RSA is a public key cryptosystem used for secure data transmission.

The user data is encrypted using AES and the AES key is protected by RSA encryption.

Initialization of cryptographic context for RSA by the malware

Initialization of cryptographic context for AES by the malware

Persistence

MedusaLocker proceeds to copy the malware file to %APPDATA% of the user as svhost.exe. The AppData folder contains custom settings and other information that system applications need for their operation. It is a hidden folder that includes application settings, files, and data unique to different applications, along with all the data specific to the system user profile.

Then, by abusing the COM TaskScheduler class 0f87369f-a4e5-4cfc-bd3e-73e6154572dd, a scheduled job is created on the target system that executes the malware, in every 15 minutes.

Copying malware to the APPDATA folder and creating a scheduled job
Copying malware to the APPDATA folder and creating a scheduled job

 

The rclsid value helps in identifying the specific class targeted by the malware to achieve an objective. In this case, the ID value 0f87369f-a4e5-4cfc-bd3e-73e6154572dd confirms that the malware is accessing the task scheduler class implemented by C:\Windows\System32\taskschd.dll.

Malware targeting the task scheduler class
Malware targeting the task scheduler class

 

Device and Volume Enumeration

A volume or logical drive is a single accessible storage area with a single file system, usually resident on a single partition of a hard disk. Before the encryption process, the MedusaLocker enumerates (enumeration exposes potential security flaws) the local volumes and attached shares on the target system. On further investigating the code, the following APIs were found to be used to perform the enumeration:

  • GetLogicalDrives
  • WNetGetConnectionW
  • FindFirstVolumeW
  • QueryDosDeviceW
  • FindNextVolumeW

The malware targets the SystemReserved partition by mounting it via SetVolumeMountPointW. During the locking phase, the data of the reserved partition gets encrypted to prevent data recovery.

Malware targeting the SystemReserved partition
Malware targeting the SystemReserved partition

Also read Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 1)

Service and Process Termination

After volume enumeration and mounting the reserved partition, the MedusaLocker terminates a list of processes and deletes system services. The table below contains a list of services targeted by Medusa.

Services to be Terminated
wrapper DefWatch ccEvtMgr ccSetMgr SavRoam
sqlservr sqlagent sqladhlp Culserver RTVscan
sqlbrowser SQLADHLP QBIDPService Intuit.QuickBooks.FCS QBCFMonitorService
sqlwriter msmdsrv SQLADHLP tomcat6 zhudongfangyu
vmware-usbarbitator64 vmware-converter dbsrv12 dbeng8

The malware opens each service in the list via the OpenServiceW API and monitors its state via QueryServiceStatusEx. If the state of the service is SERVICE_STOP_PENDING then the malware sleeps till a new state change happens.

Locker waits for a state change
Locker waits for a state change

 

Once a change in state occurs, Medusa retrieves and stops services (depending on the target service) by sending a SERVICE_CONTROL_STOP control signal.

Sending a SERVICE_CONTROL_STOP control signal
Sending a SERVICE_CONTROL_STOP control signal

 

After stopping the service, the malware deletes this service as well.

Locker deletes services after stopping it
Locker deletes services after stopping it

 

The locker retrieves a pointer to the structure that holds active processes on the system and walks through the list via CreateToolhelp32Snapshot, Process32FirstW, and Process32NextW APIs. If a match is found, the process is terminated via the TerminateProcess API.

Code for terminating processes
Code for terminating processes

 

The table below contains the list of running processes targeted by Medusa.

Running Processes Being Targeted
wxServer.exe wxServerView sqlservr.exe sqlmangr.exe RAgui.exe
supervise.exe Culture.exe RTVscan.exe Defwatch.exe sqlbrowser.exe
winword.exe QBW32.exe QBDBMgr.exe qbupdate.exe QBCFMonitorService.exe
axlbridge.exe QBIDPService.exe httpd.exe fdlauncher.exe MsDtSrvr.exe
tomcat6.exe java.exe 360se.exe 360doctor.exe wdswfsafe.exe
fdlauncher.exe fdhost.exe GDscan.exe ZhuDongFangYu.exe

Recovery and Backup Removal

Once all the processes and services have been enumerated, the malware proceeds to remove the backups and neutralizes the recovery mechanisms before encrypting data.

Preparing for backups removal and neutralizing recovery mechanisms
Preparing for backups removal and neutralizing recovery mechanisms

 

To execute the above string commands, a new process is created and the string is passed as a parameter.

Creation of a new process to execute the commands
Creation of a new process to execute the commands

 

The malware then proceeds to empty the recycle bin.

Malware clearing the recycle bin
Malware clearing the recycle bin

 

Network Scan

The MedusaLocker enables the EnableLinkedConnections feature in the registry to make the remote shares accessible from the elevated administrative process session. This feature plays an important role in a networked environment, especially when the user wants to access a network resource from an elevated process.

Locker preparing to make the remote shares accessible
Locker preparing to make the remote shares accessible

 

The ransomware is capable of crafting ICMP packets and sending them across the network to scan for connected instances and to enumerate attached shares.

Code for implementing the ICMP scan to enumerate the connected hosts in the network.
Code for implementing the ICMP scan to enumerate the connected hosts in the network.

 

Also read Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 2)

After performing the scan, the MedusaLocker uses NetShareEnum API to gather information about the resources shared by the remote server in the network. This shows the malware’s capability to infect resources connected to the compromised network.

Code for infecting resources connected to the compromised network
Code for infecting resources connected to the compromised network

 

Stage II – Encryption and Locking

The locker has separate control flows for locking user data on a local system and network-connected hosts. The encryption routine (sub_5258E0) used in both cases is the same.

Malware’s control flow for encryption and locking
Malware’s control flow for encryption and locking

 

The encryption routine is implemented as follows:

  • The ransomware creates a new file to save the encrypted data via CreateFileW API.
  • The sub_535840 performs the encryption and writes data into the newly created file.
  • The MoveFileExW API is used to rename the file and add “.marlock11” extension.
Code for the implementation of the encryption routine
Code for the implementation of the encryption routine

 

Indicators of Compromise (IoCs)

Executable Hashes
634d84758d8d922bbfb0ad3c904c38fc7989f11503877acf02ad5dad3775df7a
c41926a4e667a38bd712cd8fff2c555c51d7f719a949c9be8c1f74232100444b
98c9e56cba271bf7b32fc17d7966d067d9b549594f8dc60c941f93346e376c00
8939141fb565c044895627bbeb522d840d24899dec53545e4a925012dbf83230
ec2ec1c316045d5e2e43cc0f1df738e6367b520310a4b7a644717d3aebda43f4
6c51f28a6ab35c91e789a4b1a05032c87a3f03006019ba4997dc092ad1c8a625
cb12325d13acb03ad4f9977f426baf8b4688af04d4ffe23aa5f1bbd747a147c0
fbe10da8d483a0db6686b1f03f18b00dbc60c69fb9a9f4a941764c2c3426367c
f1c361bb3b649918bc5b3ad3fc5cbd1bbd7c585fbe2557410e267d161d3bb998
465ab4311a7db9f0bc10921cf6a0da7a746c4023dd78fdcec1c253eee69e5b9d
b15840fb0547fc774f371166adb89cd7a58647d4e379256a2f9806dd5a338627
99a72b56725196298391f3d52b8536b018aa8b60d97c443161e912430079ed30
19e31469f150f69bda363c8a3454113236620aa44155dbe845e7689522724b0b
c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4
58a0db1ae0d7d8c5cb5db5e5a24fd1088b8029a4e51c02e7b77d400c17bcb39a
66a13e8102f809e23e0ad0ba88ced5eecfa319797c9f709d090994a7143d858a
a3fe92224060ec183a25296999c18d4f86149649f1a701ac91b04d73e8678495
dbac4f2fffcb4e09aad772895647e8f161b1ac713592fe47c5e8207c85722f13