Medusa Ransomware technical analysis report

APOPHIS
5 min read, Apr 15, 2023


Hello cybermen, I'm about to present a report on the MedusaLocker ransomware.

MedusaLocker ransomware has been active since September 2019. MedusaLocker actors typically access victims’ networks by exploiting vulnerabilities in Remote Desktop Protocol (RDP).

Once the threat actors (TAs) have access to the network, they encrypt the victim's data and, while encrypting, drop a ransom note in every folder with instructions on how victims can contact them. The ransom note tells victims to pay the ransom to the TAs' cryptocurrency wallet address.

MedusaLocker appears to operate on a Ransomware-as-a-Service (RaaS) model, in which cybercriminals rent the ransomware and its services from the developer. In the RaaS model, the ransomware operators develop the ransomware and a command-and-control panel, which affiliates then use to launch attacks against targets of their own choosing. After a successful operation, the operators and affiliates split the ransom extorted from the victim.

First, the malware is written in C and C++.

Looking at the section names and their virtual sizes, we can be confident the sample is not packed.

MUTEX CREATION

Once the malware is executed, it creates a mutex to prevent more than one instance from running on the same victim.

creating mutex

The mutex name is hard-coded and I can't see it, so I used the debugger to get it:

"8761ABBD-7F85-42EE-B272-A76179687c63"

its value

CHECKING FOR ITS PRIVILEGES :

As ransomware, it needs to run with a high level of privilege, so it checks whether it has administrative privileges.

If it isn't running as an administrator, the ransomware uses a User Account Control (UAC) bypass technique to restart itself with elevated privileges.

privilege escalation

REG KEY :

The malware creates a new registry key named "MDSLK" on the victim system. This is one of the clearest indicators of MedusaLocker; it marks the victim with a "self" value.

MDSLK

CRYPTOR INITIALIZATION :

This function tries to acquire a handle to a cryptographic service provider (CSP) context. If a handle already exists, it returns true. If not, it tries to open the "Microsoft Enhanced Cryptographic Provider v1.0" provider and create a new key container. If that fails, it tries again, this time opening the default key container. If both attempts fail, the function returns false.

RSA
AES

HOW MEDUSA ACHIEVES PERSISTENCE :

The malware copies itself as "svhost.exe" (note the missing "c": this is not the legitimate svchost.exe) into the AppData folder, which is hidden by default on the C: drive.

copying process

After I ran the malware, I noticed that "svhost.exe" runs itself again as a scheduled task every 15 minutes.

CLOSING SERVICES AND DELETING THEM :

MedusaLocker terminates a list of processes and deletes system services. It first checks whether each service is running; if a service is running, Medusa sleeps.

PROCESS TERMINATION :

The ransomware enumerates the running processes with the CreateToolhelp32Snapshot() function and then terminates each matching process with the TerminateProcess() function.

list of terminated processes

Of note, this malware also empties the Recycle Bin, for reasons that are not clear.

DISABLING DATA RECOVERY SOLUTIONS :

To make it impossible to restore the encrypted data from local copies, the malware deletes all system backups.

EXCLUDING FOLDERS FROM ENCRYPTION :

It excludes many system folders from encryption, since encrypting them could crash the operating system.

DATA ENCRYPTION :

The ransomware now begins encrypting the files in the victim’s machine. The data is encrypted using the “AES 256” encryption algorithm, with the encryption key further encrypted by the “RSA” public key embedded in the ransomware. Without the private key, it is impossible to decrypt the AES key.

The function retrieves the attributes of the file passed in parameter a2 with GetFileAttributesW and clears the read-only attribute by bitwise-ANDing the result with 0xFFFFFFFE (FILE_ATTRIBUTE_READONLY is bit 0). It then opens the file with CreateFileW, requesting a desired access of 0xC0000000 (GENERIC_READ | GENERIC_WRITE), encrypts its contents, and finally renames the original file to its new name with MoveFileExW using the MOVEFILE_REPLACE_EXISTING flag.

encrypting users’ files
encrypting networks shared files

DELETING CRYPTOKEY :

After the encryption routine finishes, the malware destroys the key with the CryptDestroyKey API.

RANSOM NOTE

MITRE ATT&CK TECHNIQUES

Persistence: Scheduled Task/Job: Scheduled Task (T1053.005)
Privilege Escalation: Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002)
Defense Evasion: Impair Defenses: Disable or Modify Tools (T1562.001)

IOCs

hashes:
md5: 762eaa081c9f641aba9ab75b7ae6ee09
sha1: 97f2ba64780efd18943e2cfd67f18df90e0bf39a
sha256: 36baceccfe27fb8b1be3d4f0a9e81b9028640aeedf068d71b3a6d080e698a793

emails: rdp_unlock@outlook.com, rdpunlock@cock.li

reg_keys: "MDSLK"

mutex: "8761ABBD-7F85-42EE-B272-A76179687c63"
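The mutex, the "MDSLK" registry key, the svhost.exe scheduled task and the sample hash above can be checked on a suspect host in one pass. The PowerShell triage script below is an added example, not part of the original post; it assumes the MDSLK key lives under HKCU\Software or HKLM\Software, that the mutex may be in either the local or the Global namespace, and that the dropped copy sits somewhere under %APPDATA% (the post does not give those exact paths).

```powershell
# Host triage for the MedusaLocker indicators described in this report.
# Assumptions (not stated in the post): registry hives, mutex namespace and
# the exact drop path under %APPDATA% are guesses; adjust to your telemetry.
$Mutex   = '8761ABBD-7F85-42EE-B272-A76179687c63'
$RegName = 'MDSLK'
$Sha256  = '36baceccfe27fb8b1be3d4f0a9e81b9028640aeedf068d71b3a6d080e698a793'
$Findings = [System.Collections.Generic.List[string]]::new()

# 1. Mutex: the sample creates it so only one instance runs per host.
foreach ($name in @($Mutex, "Global\$Mutex")) {
    $m = $null
    try {
        if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
            $Findings.Add("mutex present: $name"); $m.Dispose()
        }
    } catch [System.UnauthorizedAccessException] {
        # Exists but we cannot open it: still a hit worth recording.
        $Findings.Add("mutex present (access denied): $name")
    }
}

# 2. Registry marker "MDSLK" (hive locations are an assumption).
foreach ($hive in 'HKCU:\Software', 'HKLM:\Software') {
    $key = Join-Path $hive $RegName
    if (Test-Path $key) { $Findings.Add("registry key present: $key") }
}

# 3. Persistence: a scheduled task whose action runs svhost.exe from AppData.
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute -match 'svhost\.exe' -and $a.Execute -match 'AppData') {
            $Findings.Add("scheduled task '$($_.TaskName)' runs $($a.Execute)")
        }
    }
}

# 4. Dropped binary: hash any svhost.exe under %APPDATA% and compare to the IOC.
Get-ChildItem -Path $env:APPDATA -Filter 'svhost.exe' -Recurse -File -ErrorAction SilentlyContinue |
  ForEach-Object {
    $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
    $tag = if ($h -eq $Sha256) { 'KNOWN sample hash' } else { 'unknown hash' }
    $Findings.Add("$($_.FullName): $tag $h")
  }

if ($Findings.Count -eq 0) { 'No MedusaLocker indicators found.' }
else { $Findings | ForEach-Object { "[!] $_" } }
```

Run it from an elevated prompt so the HKLM and task queries are not silently skipped; a file named svhost.exe under AppData is suspicious on its own even when its hash does not match this sample.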
