As it stands, ransomware is the cybersecurity problem that refuses to disappear. What started as malware specifically targeting home users is now targeting government departments and enterprise organizations. Not even Fortune 500 companies are safe from being infected, despite often having dedicated security staff. The reasons for ransomware’s continued rise are numerous and the more one digs, the more complex the picture becomes. However, studying various strains of ransomware reveals how ransomware infections can be combatted. The advice sadly is not always followed, but that is an entire topic of discussion beyond the scope of this article.
One such strain, MedusaLocker, is relatively new to the ransomware scene and reveals more about how hackers look to infect devices and encrypt data. Medusa, the snake-headed Gorgon of Greek mythology slain by Perseus, is an apt symbol for ransomware in general, and all the more so for the strain that bears her name. But killing this ransomware strain is looking just as difficult as Perseus’ struggles.
MedusaLocker’s Origin Story
Discovered toward the end of September 2019 by MalwareHunterTeam, MedusaLocker began infecting users around the globe. In just over 30 days since its discovery, MedusaLocker was being submitted an average of nearly 10 times a day, according to the ID Ransomware site. This may not appear to be staggering in terms of numbers, but for a new ransomware strain, it made a big enough splash to get noticed. After a month of activity, news articles and government warnings started notifying users of the new threat.
Since its discovery, MedusaLocker has to a large extent managed to fly under the radar of public notice. The last mention of any significance was in February 2020, a Twitter post detailing a new variant. Other than that, the ransomware is surrounded by mystery. This may be due in part to the media giving more attention to Ryuk, Sodinokibi, DoppelPaymer and Maze, which have all either released or threatened to release data stolen from victims if the ransom is not paid. These other strains also tend to hog the limelight by successfully targeting and infecting so-called “big game” targets—major corporations or government departments that are more likely to pay exorbitant sums because the alternatives are far more expensive still.
What Do We Know?
While much about MedusaLocker and those behind it remains a mystery, analysis of the code and the malware’s operation has revealed a lot. Researchers are still unsure exactly how MedusaLocker is delivered and installed; however, some believe the evidence points strongly toward the malicious payloads being delivered by spam emails, with the malware attached directly to the email. Despite not knowing exactly how MedusaLocker is delivered and initiated, much is known about how the ransomware does what it is designed to do, namely encrypting data.
Upon execution, MedusaLocker does something not seen in many other ransomware strains: it takes steps to ensure it can infect not only the targeted machine but also remote and adjacent hosts. The process it follows enables it not only to infect mapped network drives but also to encrypt data on them. To better complete this task, MedusaLocker goes so far as to restart the LanmanWorkstation service, which is responsible for creating and maintaining network connections via the SMB protocol. Restarting the service forces all the configuration changes MedusaLocker imposes on the service to take effect, not only on the infected machine but also across the network.
Once this is complete, MedusaLocker looks to prevent detection by various antivirus products. It does this by terminating processes linked to security products including G Data, Qihoo 360 and Symantec. Further, the ransomware looks to terminate applications typically used by security researchers to analyze and reverse-engineer malware, such as MS SQL, Apache Tomcat and VMware. But security applications and those used for reverse-engineering are not the only things MedusaLocker targets; the malware also goes after applications associated with accounting software. Intuit QuickBooks, as a security measure, does not allow modification of files it already has open; by terminating those processes, MedusaLocker hopes to be able to encrypt those files too, which could be vitally important to the daily operations of a company.
MedusaLocker’s Encryption Routine
Like many modern ransomware strains, MedusaLocker uses AES-256 to encrypt data. One reason this algorithm is used is the incredibly strong protection granted by its 256-bit key. To crack such a key a person would need to try more combinations than there are atoms in the observable universe, which makes AES-256 virtually impossible to crack by brute force. There are other methods of breaking the key via side-channel attacks; however, for those typically infected by ransomware, performing such an operation is far beyond their pay grade and ability.
MedusaLocker goes one step further, encrypting the AES-256 key with an RSA-2048 key. Unlike other ransomware strains that target specific file extensions for encryption, MedusaLocker does nearly the exact opposite: it works from a hard-coded whitelist of file extensions to leave alone and encrypts everything else, also ignoring files with the .encrypted extension so that already-encrypted files are not processed again. To do this the malware needs to run repeatedly at set intervals, scanning for new files to encrypt. Since its discovery MedusaLocker has added the following extensions to encrypted files: .newlock, .skynet, .nlocker, .bomber, .breakingbad, .locker16.
As mentioned above, MedusaLocker runs at set intervals when encrypting data. Between searches for more files to encrypt, the malware sleeps for 60 seconds, then begins another search. Further, to remain persistent on the infected machine the malware creates a scheduled task every 10 to 30 minutes. The ability to ignore already-encrypted files makes the process far more efficient than in previous strains of ransomware, and the same extension-based exclusion is extended to critical files and drive locations that, if encrypted, would fundamentally prevent the malware’s operators from securing a payday.
What we do know about the ransom is how the note is delivered to the infected machine. In every location where data is encrypted, the ransomware creates a ransom note named HOW_TO_RECOVER_DATA.html or Readme.html that contains two email addresses to contact for payment instructions. The note contains no instructions on the amount to be paid, which is perhaps an indicator that the operators apply a variable pricing scheme dependent on the victim. This may be further evidence that MedusaLocker belongs to the big game family of ransomware strains targeting larger organizations.
Screenshot of the MedusaLocker ransom-demanding message:
To help identify a MedusaLocker infection, the ransom note’s text is reproduced below (including its poor grammar and spelling errors):
“All your data are encrypted!
Your files are encrypted, and currently unavailable.
You can check it: all files on you computer has new expansion.
By the way, everything is possible to recover (restore), but you need to buy a unique decryptor.
Otherwise, you never cant return your data.
Its just a business. If we do not do our work and liabilities – nobody will not cooperate with us.
To verify the possibility of the recovery of your files we can decrypted 1 file for free.
Attach 1 file to the letter (no more than 10Mb). Indicate your personal ID on the letter:
– Attempts of change files by yourself will result in a loose of data.
– Our e-mail can be blocked over time. Write now, loss of contact with us will result in a loose of data.
– Use any third party software for restoring your data or antivirus solutions will result in a loose of data.
– Decryptors of other users are unique and will not fit your files and use of those will result in a loose of data.
– If you will not cooperate with our service – for us, its does not matter. But you will lose your time and data, cause just we have the private key.”
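As an added example (not from the article, and not tooling from any MedusaLocker analysis), the Python script below triages a set of file paths for the indicators described above: the extensions MedusaLocker appends to encrypted files and the two ransom note filenames. The sample paths are constructed; because Readme.html is a common name on clean systems, a note is only reported as confirmed when it sits in the same directory as renamed files.

```python
import os
from collections import Counter
from pathlib import PureWindowsPath

# Indicators taken from the article: extensions appended to encrypted files
# and the two ransom note filenames dropped alongside them.
MEDUSA_EXTENSIONS = {".encrypted", ".newlock", ".skynet", ".nlocker",
                     ".bomber", ".breakingbad", ".locker16"}
RANSOM_NOTES = {"how_to_recover_data.html", "readme.html"}

def triage_paths(paths):
    """Classify file paths; returns per-extension counts plus directories where a
    ransom note sits beside renamed files (confirmed) or alone (needs review)."""
    by_ext = Counter()
    enc_dirs, note_dirs = set(), set()
    for p in paths:
        # PureWindowsPath accepts both '\\' and '/' separators, so the constructed
        # Windows-style samples and real os.walk() output parse the same way.
        pp = PureWindowsPath(p)
        ext = pp.suffix.lower()
        if ext in MEDUSA_EXTENSIONS:
            by_ext[ext] += 1
            enc_dirs.add(str(pp.parent))
        elif pp.name.lower() in RANSOM_NOTES:
            note_dirs.add(str(pp.parent))
    return {
        "encrypted_by_extension": dict(by_ext),
        "confirmed_note_dirs": sorted(note_dirs & enc_dirs),
        "note_only_dirs": sorted(note_dirs - enc_dirs),  # likely benign Readme.html
    }

def scan_tree(root):
    """Run the triage over a real directory tree (for example a mapped share)."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage_paths(paths)

# Constructed sample: two encrypted locations with notes, one benign Readme.html.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.encrypted",
    r"C:\Users\alice\Documents\HOW_TO_RECOVER_DATA.html",
    r"Z:\shares\finance\ledger.qbw.newlock",
    r"Z:\shares\finance\Readme.html",
    r"C:\inetpub\wwwroot\Readme.html",
    r"C:\Windows\System32\kernel32.dll",
]

def triage_sample():
    return triage_paths(SAMPLE_PATHS)

if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(f"{key}: {value}")
```

Pointing scan_tree() at a mapped network drive covers the remote encryption behaviour the article describes; a non-empty confirmed_note_dirs list is the strongest signal, while note_only_dirs is worth a glance but usually benign.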
At the time of writing there appears to be no decryptor readily available to the public. The bad news doesn’t end there: MedusaLocker aggressively targets local backups and VSS/shadow copies, making manual recovery of data without paying the ransom a daunting task. MedusaLocker not only targets local backups but also disables recovery options via a startup process.
Gazing Into a Crystal Ball
Given the amount of information we have on MedusaLocker and the massive gaps in our knowledge, guessing about the future of the ransomware is as easy as staring into a crystal ball and predicting the future. Despite this, we know that MedusaLocker exhibits trends we are seeing in other ransomware strains, namely variable pricing and aggressively targeting backups or manual recovery methods. This places MedusaLocker high on the threat agenda despite its limited distribution.
With the ransomware continually flying under the radar, it might mean that MedusaLocker’s operators are here for the long haul. Not looking to dethrone the major players including Ryuk and Sodinokibi, MedusaLocker may look to slowly increase the numbers of infections and generate ransom payments over time rather than search quickly for a massive payday.