Explore DACTA's in-depth report on Medusa Ransomware, analyzing its mechanisms, impact, and mitigation strategies alongside insights into Advanced Persistent Threat groups.
Ransomware incidents have seen a marked increase since 2021. This uptick, notably highlighted by a recent security breach within the hospitality sector in the Philippines, has prompted the DACTA team to commence a thorough examination of the ransomware landscape.
It is recognized that ransomware can be classified into five distinct categories, as outlined below:
An illustrative diagram is provided to detail the ransomware attack vectors at a high level.
MedusaLocker, first seen in September 2019 and also known as AKO Doxware, AKO Ransomware, or MedusaReborn, began its campaign by infiltrating and encrypting Windows-based systems worldwide. Prior to execution, MedusaLocker triggers a reboot into safe mode to circumvent active security controls. It deliberately refrains from encrypting executable files so that the system remains usable for the ransom-payment process. MedusaLocker combines AES and RSA-2048 encryption, rendering brute-force decryption attempts futile.
Notable Advanced Persistent Threat (APT) groups deploying MedusaLocker include EmpireMonkey and CobaltGoblin.
EmpireMonkey, a financially motivated cybercriminal syndicate, achieved notoriety following its February 2019 cyber-heist targeting the Bank of Valletta, which resulted in an estimated €13 million in losses, although a significant portion of the funds was later recovered. The attack vector likely involved spear-phishing campaigns directed at the bank's employees, a strategy evidenced by similar phishing activity reported by HSBC Malta in October 2018.
DACTA's comprehensive examination of 1000 ransomware samples from Malware Bazaar revealed distinct patterns in attack prevalence, with notable surges in June, August, and November. The consistency of .exe file types (see below) as a delivery method for these attacks underscores the need for stringent executable management policies and endpoint security solutions.
Data published in December suggests a correlation with the increased detection of ransomware in November. The referenced images are sourced from the Medusa Blog, accessible via the following Onion URL: http[:]//medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd[.]onion/
The sample with SHA256 hash 51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51 was used to document the malware's behavior in a sandbox environment.
The debug artifacts indicate that the file in question was stored on an external drive within a directory named "locker." Additionally, the file appears to utilize encryption technology, which suggests its classification could encompass both 'Locker' and 'Crypto' ransomware categories. A comprehensive manual analysis of the file yielded the subsequent information.
The malware exhibits a range of capabilities, such as anti-debugging measures, XOR-based encryption, keylogging functionality, and various interactions with the Windows operating system, including registry access, security token manipulation, and file system operations. Detailed behaviors for the identified malware functions include:
Furthermore, the malware imports various functions from a series of Dynamic Link Libraries (DLLs), indicative of sophisticated operational capabilities:
The ransomware's strategies align with MITRE ATT&CK tactics across several domains, including Collection, Defense Evasion, Discovery, Execution, and Persistence.
Tactic: Collection
Tactic: Defense Evasion
Tactic: Discovery
Tactic: Execution
Tactic: Persistence
Analysis of file signatures and behaviors reveals various tactics employed by the ransomware, including system queries, process crashes, memory allocation, evasion techniques, and indications of ransomware encryption procedures, as seen below:
A robust defense against ransomware necessitates a multi-layered security strategy, incorporating registry scanning, sandboxing, backdoor inspection, and behavior-based scanning for dynamic threat detection.
Registry Scanning:
Sandboxing:
Backdoor Inspection:
Behavior-Based Scanning:
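As an added illustration of behavior-based scanning (this is example code written for this page, not DACTA's tooling or sandbox output), the script below scores constructed sandbox-style event lines for the behaviors the report lists: anti-debugging calls, security-token manipulation, a safe-mode boot registry write, and the encryption-like pattern of many files renamed with one appended suffix. The event format, API names, registry path, weights and thresholds are all assumptions chosen for the example.

```python
import re
from collections import Counter, defaultdict
# Constructed sandbox-style event lines (not real sandbox output), one event per line.
SAMPLE_EVENTS = """\
api pid=4120 IsDebuggerPresent
api pid=4120 OpenProcessToken
api pid=4120 AdjustTokenPrivileges SeDebugPrivilege
reg pid=4120 write HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\locker
file pid=4120 rename C:\\Users\\jdoe\\Documents\\q1.xlsx -> C:\\Users\\jdoe\\Documents\\q1.xlsx.locked
file pid=4120 rename C:\\Users\\jdoe\\Documents\\plan.docx -> C:\\Users\\jdoe\\Documents\\plan.docx.locked
file pid=4120 rename C:\\Users\\jdoe\\Pictures\\cat.jpg -> C:\\Users\\jdoe\\Pictures\\cat.jpg.locked
api pid=3001 CreateFileW C:\\Users\\jdoe\\Documents\\q1.xlsx
"""
# Single-event indicators: (regex, weight, label). Weights and labels are assumptions.
INDICATORS = [
    (r"\b(IsDebuggerPresent|CheckRemoteDebuggerPresent)\b", 2, "Defense Evasion: anti-debugging"),
    (r"\b(OpenProcessToken|AdjustTokenPrivileges)\b", 2, "Defense Evasion: token manipulation"),
    (r"^reg .*write .*\\SafeBoot\\", 3, "Persistence: safe-mode boot entry written"),
]
RENAME_RE = re.compile(r"^file pid=\d+ rename (.+?) -> (.+)$")
MASS_RENAME_THRESHOLD = 3  # assumed: this many files given the same new suffix by one process

def score_events(text):
    """Return {pid: {"score": int, "findings": [labels]}} for processes with any hit."""
    per_pid = defaultdict(lambda: {"score": 0, "findings": []})
    suffixes = defaultdict(Counter)  # pid -> Counter of suffixes appended on rename
    for line in text.splitlines():
        m = re.search(r"pid=(\d+)", line)
        if not m:
            continue
        pid = m.group(1)
        for pattern, weight, label in INDICATORS:
            if re.search(pattern, line):
                per_pid[pid]["score"] += weight
                per_pid[pid]["findings"].append(label)
        r = RENAME_RE.match(line)
        if r and r.group(2).startswith(r.group(1)):  # original name kept, suffix appended
            suffixes[pid][r.group(2)[len(r.group(1)):]] += 1
    # Many files renamed with one appended suffix is the encryption-like pattern the report notes.
    for pid, counter in suffixes.items():
        suffix, n = counter.most_common(1)[0]
        if n >= MASS_RENAME_THRESHOLD:
            per_pid[pid]["score"] += 5
            per_pid[pid]["findings"].append(f"Encryption-like: {n} files renamed with '{suffix}'")
    return dict(per_pid)

def flag_processes(text, threshold=8):
    """PIDs whose combined score meets the (assumed) alert threshold."""
    return sorted(pid for pid, res in score_events(text).items() if res["score"] >= threshold)
```

A single indicator (for example one IsDebuggerPresent call) stays below the alert threshold; it is the combination of evasion, token manipulation, boot-configuration changes and mass renames from one process that raises the score.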
DACTA provides expert cybersecurity services, proactively defending against digital threats. By partnering with DACTA, organizations can strengthen their security posture and foster a resilient digital ecosystem. Contact DACTA to secure your digital assets against the evolving ransomware landscape.
If you're experiencing an active security incident and need immediate assistance, contact the DACTA Incident Response Team (IRT) at support@dactaglobal.com.