To draw attention to current MedusaLocker ransomware activity, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) have issued a joint advisory.
For those who are unaware, MedusaLocker was first observed in September 2019 and has since broadened its targeting, operating as ransomware-as-a-service (RaaS) to increase its profits.
What is said in the advisory?
As of May 2022, the actors behind the ransomware largely rely on vulnerabilities in Remote Desktop Protocol (RDP) to gain access to victims' networks. On execution, the ransomware encrypts the victim's files and drops a ransom note with instructions for contacting the attackers and decrypting the files.
The note directs victims to pay the ransom to a specific Bitcoin wallet address.
According to the advisory, the affiliate who carries out the attack receives 55 to 60 percent of any ransom paid, with the remainder going to the operators.
Mode of operation
The infection chain begins with initial access, most often through vulnerable RDP configurations and otherwise through phishing or spam emails that carry the ransomware directly as an attachment.
After gaining initial access, the actors use a PowerShell script to propagate the ransomware throughout the network.
To stay undetected for longer, the ransomware also kills the processes of well-known security and forensic software.
It then restarts the machine in safe mode, where security tooling is less likely to be running, and encrypts files with AES-256; the AES key is in turn encrypted with an RSA-2048 public key, so files cannot be recovered without the attackers' private key.
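The RDP exposure described above is also the simplest thing to check for on your own hosts. The following PowerShell audit is an added example, not part of the joint advisory or the agencies' guidance: it reads the standard Windows registry values, firewall rules, local group membership and Security log, and the 24-hour lookback window and 100-failure threshold are arbitrary values chosen for illustration.

```powershell
# Added example (not from the advisory): audit a Windows host for the RDP
# exposure MedusaLocker actors rely on for initial access.
# Run from an elevated PowerShell session on the host being checked.
# The 24-hour window and the 100-failure threshold are assumptions.

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

# 1. Is RDP enabled? fDenyTSConnections = 1 means inbound RDP is refused.
$deny       = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
$rdpEnabled = ($deny -eq 0)

# 2. Is Network Level Authentication (NLA) required? UserAuthentication = 1
#    demands credentials before a session is created, removing the
#    pre-authentication attack surface of the RDP logon screen.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication

# 3. Which enabled inbound firewall rules allow RDP, and on which profiles?
$rdpRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

# 4. Who is allowed to log on through RDP?
$rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Name

# 5. Failed logons (event 4625) in the last 24 hours. A spike is the usual
#    sign of password guessing against an exposed RDP service.
$failed = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

$findings = @()
if ($rdpEnabled -and $nla -ne 1) {
    $findings += 'RDP is enabled without NLA; set UserAuthentication=1 or disable RDP'
}
if ($rdpEnabled -and ($rdpRules | Where-Object { "$($_.Profile)" -match 'Public|Any' })) {
    $findings += 'Inbound RDP is allowed on the Public firewall profile; restrict it to the management network'
}
if ($failed.Count -gt 100) {
    $findings += "$($failed.Count) failed logons (event 4625) in 24h; check for RDP brute forcing"
}

[pscustomobject]@{
    RdpEnabled      = $rdpEnabled
    NlaRequired     = ($nla -eq 1)
    InboundRules    = (($rdpRules | ForEach-Object { "$($_.DisplayName) [$($_.Profile)]" }) -join '; ')
    RdpUsers        = ($rdpUsers -join ', ')
    FailedLogons24h = $failed.Count
    Findings        = ($findings -join ' | ')
} | Format-List

# Remediation for the most common finding (uncomment to apply):
# Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
```

Run the script across a fleet with your usual remote-execution tooling and treat any host that reports RDP enabled without NLA, or reachable on the Public profile, as a priority: those are the configurations the advisory says these actors look for first.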
How can businesses ensure their safety?
To stop such attacks, the agencies recommend a number of mitigations. Among them: implement a recovery plan that keeps multiple copies of sensitive or proprietary data in a physically separate, segmented and secure location; ensure that copies of critical data cannot be modified or deleted from the systems where the data resides; segment networks; and maintain offline backups of data, tested regularly for restoration.