- MedusaLocker has been targeting vulnerabilities in Remote Desktop Protocol to launch ransomware attacks, the FBI, Cybersecurity and Infrastructure Security Agency, Department of Treasury and the Financial Crimes Enforcement Network (FinCEN) warned in an advisory on Thursday.
- MedusaLocker operates under the ransomware as a service model, splitting payments with affiliates who typically get 55% to 60% of the proceeds. The group has been active as recently as May, launching phishing and spam email campaigns to gain initial access.
- A report from CyberReason said the MedusaLocker first emerged in late 2019, targeting companies across industries. The group was particularly active in the healthcare space, where many organizations were attacked in connection to the COVID-19 pandemic.
Researchers from Huntress have seen an increase during the last quarter in threat actors targeting RDP as an initial access point.
“If an organization has RDP, threat actors will brute force with endless username and password combinations until they succeed in gaining authenticated access,” Dray Agha, ThreatOps analyst at Huntress, said via email.
After gaining access to a network, hackers will use RDP to move laterally, free to move about without being monitored.
MedusaLocker uses a batch file to execute a PowerShell script, called invoke-Reflective PEInjection. Attacks typically restart machines in safe mode to avoid detection by security software.
Threat actors affiliated with MedusaLocker put ransom notes into each folder containing a file with the target organization’s encrypted data, according to the advisory. One or more email addresses are provided in order to contact the threat actors, with detailed instructions on the proper Bitcoin wallet to provide ransom payments to.