🚀 CloudSEK has raised $19M Series B1 Round – Powering the Future of Predictive Cybersecurity
Read More
Protect your organization from external threats like data leaks, brand threats, dark web originated threats and more. Schedule a demo today!
Schedule a DemoAuthor: Anandeshwar Unnikrishnan
Editor: Bablu Kumar
Research indicates that while ransomware breach costs have declined slightly from USD 4.62 million to USD 4.54 million in 2021, ransomware is still responsible for 11% of breaches. The most targeted sectors (about 57%) are government, technology, healthcare, and academic institutions.
MedusaLocker is a ransomware family that appeared in September 2019 and was employed rapidly for attacks on companies from all over the world. It was particularly aimed at hospitals and other organizations in the healthcare industry.
This technical report is inspired by the CISA Cybersecurity Advisory and provides an in-depth analysis of the malware and its privilege escalation, anti-detection, network scanning, encryption techniques, etc.
Also read the detailed report on Increased Cyber Attacks on the Global Healthcare Sector
The MedusaLocker initiates its execution by retrieving the locale information of the victim such as the region and language set by the user.
A mutex is created to ensure that multiple instances of malware are not running on the compromised system.
After the mutex check, the malware proceeds to check its privilege escalation by obtaining a process token of the malware and checking if the token is elevated via the “TokenElevation Class” passed to advapi32.GetTokenInformation API. This way the malware can confirm if it is running with elevated privileges of an administrator shell.
If the malware is not running with elevated privileges, it performs a UAC elevation bypass via the CMSTPLUA COM interface. UAC (User Account Control) bypass mechanism is an overused and very common vector seen in ransomware to gain access to the resources with high integrity level, thus obtaining administrative privileges on the target system.
Also Read What Is Redeemer Ransomware and How Does It Spread: A Technical Analysis
After elevating the process, the malware proceeds to disable two features, EnableLUA and ConsentPromptBehaviorAdmin, responsible for notifying the user of any suspicious activity on the system via registry.
A new registry key “MDSLK” is created by the malware on the victim system. This is one of the clear indicators of MedusaLocker.
The MedusaLocker uses AES and RSA in its locking operation. The Advanced Encryption Standard (AES) is a symmetric block cipher implemented to encrypt sensitive data. RSA is a public key cryptosystem used for secure data transmission.
The user data is encrypted using AES and the AES key is protected by RSA encryption.
Initialization of cryptographic context for RSA by the malware
Initialization of cryptographic context for AES by the malware
MedusaLocker proceeds to copy the malware file to %APPDATA% of the user as svhost.exe. The AppData folder contains custom settings and other information that system applications need for their operation. It is a hidden folder that includes application settings, files, and data unique to different applications, along with all the data specific to the system user profile.
Then, by abusing the COM TaskScheduler class 0f87369f-a4e5-4cfc-bd3e-73e6154572dd, a scheduled job is created on the target system that executes the malware, in every 15 minutes.
The rclsid value helps in identifying the specific class targeted by the malware to achieve an objective. In this case, the ID value 0f87369f-a4e5-4cfc-bd3e-73e6154572dd confirms that the malware is accessing the task scheduler class implemented by C:\Windows\System32\taskschd.dll.
A volume or logical drive is a single accessible storage area with a single file system, usually resident on a single partition of a hard disk. Before the encryption process, the MedusaLocker enumerates (enumeration exposes potential security flaws) the local volumes and attached shares on the target system. On further investigating the code, the following APIs were found to be used to perform the enumeration:
The malware targets the SystemReserved partition by mounting it via SetVolumeMountPointW. During the locking phase, the data of the reserved partition gets encrypted to prevent data recovery.
Also read Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 1)
After volume enumeration and mounting the reserved partition, the MedusaLocker terminates a list of processes and deletes system services. The table below contains a list of services targeted by Medusa.
Services to be Terminated | ||||
---|---|---|---|---|
wrapper | DefWatch | ccEvtMgr | ccSetMgr | SavRoam |
sqlservr | sqlagent | sqladhlp | Culserver | RTVscan |
sqlbrowser | SQLADHLP | QBIDPService | Intuit.QuickBooks.FCS | QBCFMonitorService |
sqlwriter | msmdsrv | SQLADHLP | tomcat6 | zhudongfangyu |
vmware-usbarbitator64 | vmware-converter | dbsrv12 | dbeng8 |
The malware opens each service in the list via the OpenServiceW API and monitors its state via QueryServiceStatusEx. If the state of the service is SERVICE_STOP_PENDING then the malware sleeps till a new state change happens.
Once a change in state occurs, Medusa retrieves and stops services (depending on the target service) by sending a SERVICE_CONTROL_STOP control signal.
After stopping the service, the malware deletes this service as well.
The locker retrieves a pointer to the structure that holds active processes on the system and walks through the list via CreateToolhelp32Snapshot, Process32FirstW, and Process32NextW APIs. If a match is found, the process is terminated via the TerminateProcess API.
The table below contains the list of running processes targeted by Medusa.
Running Processes Being Targeted | ||||
---|---|---|---|---|
wxServer.exe | wxServerView | sqlservr.exe | sqlmangr.exe | RAgui.exe |
supervise.exe | Culture.exe | RTVscan.exe | Defwatch.exe | sqlbrowser.exe |
winword.exe | QBW32.exe | QBDBMgr.exe | qbupdate.exe | QBCFMonitorService.exe |
axlbridge.exe | QBIDPService.exe | httpd.exe | fdlauncher.exe | MsDtSrvr.exe |
tomcat6.exe | java.exe | 360se.exe | 360doctor.exe | wdswfsafe.exe |
fdlauncher.exe | fdhost.exe | GDscan.exe | ZhuDongFangYu.exe |
Once all the processes and services have been enumerated, the malware proceeds to remove the backups and neutralizes the recovery mechanisms before encrypting data.
To execute the above string commands, a new process is created and the string is passed as a parameter.
The malware then proceeds to empty the recycle bin.
The MedusaLocker enables the EnableLinkedConnections feature in the registry to make the remote shares accessible from the elevated administrative process session. This feature plays an important role in a networked environment, especially when the user wants to access a network resource from an elevated process.
The ransomware is capable of crafting ICMP packets and sending them across the network to scan for connected instances and to enumerate attached shares.
Also read Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 2)
After performing the scan, the MedusaLocker uses NetShareEnum API to gather information about the resources shared by the remote server in the network. This shows the malware’s capability to infect resources connected to the compromised network.
The locker has separate control flows for locking user data on a local system and network-connected hosts. The encryption routine (sub_5258E0) used in both cases is the same.
The encryption routine is implemented as follows:
Executable Hashes |
---|
634d84758d8d922bbfb0ad3c904c38fc7989f11503877acf02ad5dad3775df7a |
c41926a4e667a38bd712cd8fff2c555c51d7f719a949c9be8c1f74232100444b |
98c9e56cba271bf7b32fc17d7966d067d9b549594f8dc60c941f93346e376c00 |
8939141fb565c044895627bbeb522d840d24899dec53545e4a925012dbf83230 |
ec2ec1c316045d5e2e43cc0f1df738e6367b520310a4b7a644717d3aebda43f4 |
6c51f28a6ab35c91e789a4b1a05032c87a3f03006019ba4997dc092ad1c8a625 |
cb12325d13acb03ad4f9977f426baf8b4688af04d4ffe23aa5f1bbd747a147c0 |
fbe10da8d483a0db6686b1f03f18b00dbc60c69fb9a9f4a941764c2c3426367c |
f1c361bb3b649918bc5b3ad3fc5cbd1bbd7c585fbe2557410e267d161d3bb998 |
465ab4311a7db9f0bc10921cf6a0da7a746c4023dd78fdcec1c253eee69e5b9d |
b15840fb0547fc774f371166adb89cd7a58647d4e379256a2f9806dd5a338627 |
99a72b56725196298391f3d52b8536b018aa8b60d97c443161e912430079ed30 |
19e31469f150f69bda363c8a3454113236620aa44155dbe845e7689522724b0b |
c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4 |
58a0db1ae0d7d8c5cb5db5e5a24fd1088b8029a4e51c02e7b77d400c17bcb39a |
66a13e8102f809e23e0ad0ba88ced5eecfa319797c9f709d090994a7143d858a |
a3fe92224060ec183a25296999c18d4f86149649f1a701ac91b04d73e8678495 |
dbac4f2fffcb4e09aad772895647e8f161b1ac713592fe47c5e8207c85722f13 |
Discover how to navigate and protect against Dark Web threats. Learn about cyber risks, real-time monitoring, and securing your digital presence.
On 23 October 2023, CloudSEK’s Threat Intelligence Team detected a Ransomware-as-a-Service (RaaS) group, named QBit introducing a newly developed ransomware written in Go, boasting advanced features to optimize its malicious operations.
Cyclops, now renamed as Knight also known as Cyclops 2.0, debuted in May 2023. The Cyclops group has successfully developed ransomware that can infect all three major platforms: Windows, Linux, macOS, ESXi and Android.
Take action now
CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.
Digital Risk Protection platform which gives Initial Attack Vector Protection for employees and customers.
Software and Supply chain Monitoring providing Initial Attack Vector Protection for Software Supply Chain risks.
Creates a blueprint of an organization's external attack surface including the core infrastructure and the software components.
Instant Security Score for any Android Mobile App on your phone. Search for any app to get an instant risk score.
min read
Technical Analysis of MedusaLocker Ransomware
Author: Anandeshwar Unnikrishnan
Editor: Bablu Kumar
Research indicates that while ransomware breach costs have declined slightly from USD 4.62 million to USD 4.54 million in 2021, ransomware is still responsible for 11% of breaches. The most targeted sectors (about 57%) are government, technology, healthcare, and academic institutions.
MedusaLocker is a ransomware family that appeared in September 2019 and was employed rapidly for attacks on companies from all over the world. It was particularly aimed at hospitals and other organizations in the healthcare industry.
This technical report is inspired by the CISA Cybersecurity Advisory and provides an in-depth analysis of the malware and its privilege escalation, anti-detection, network scanning, encryption techniques, etc.
Also read the detailed report on Increased Cyber Attacks on the Global Healthcare Sector
The MedusaLocker initiates its execution by retrieving the locale information of the victim such as the region and language set by the user.
A mutex is created to ensure that multiple instances of malware are not running on the compromised system.
After the mutex check, the malware proceeds to check its privilege escalation by obtaining a process token of the malware and checking if the token is elevated via the “TokenElevation Class” passed to advapi32.GetTokenInformation API. This way the malware can confirm if it is running with elevated privileges of an administrator shell.
If the malware is not running with elevated privileges, it performs a UAC elevation bypass via the CMSTPLUA COM interface. UAC (User Account Control) bypass mechanism is an overused and very common vector seen in ransomware to gain access to the resources with high integrity level, thus obtaining administrative privileges on the target system.
Also Read What Is Redeemer Ransomware and How Does It Spread: A Technical Analysis
After elevating the process, the malware proceeds to disable two features, EnableLUA and ConsentPromptBehaviorAdmin, responsible for notifying the user of any suspicious activity on the system via registry.
A new registry key “MDSLK” is created by the malware on the victim system. This is one of the clear indicators of MedusaLocker.
The MedusaLocker uses AES and RSA in its locking operation. The Advanced Encryption Standard (AES) is a symmetric block cipher implemented to encrypt sensitive data. RSA is a public key cryptosystem used for secure data transmission.
The user data is encrypted using AES and the AES key is protected by RSA encryption.
Initialization of cryptographic context for RSA by the malware
Initialization of cryptographic context for AES by the malware
MedusaLocker proceeds to copy the malware file to %APPDATA% of the user as svhost.exe. The AppData folder contains custom settings and other information that system applications need for their operation. It is a hidden folder that includes application settings, files, and data unique to different applications, along with all the data specific to the system user profile.
Then, by abusing the COM TaskScheduler class 0f87369f-a4e5-4cfc-bd3e-73e6154572dd, a scheduled job is created on the target system that executes the malware, in every 15 minutes.
The rclsid value helps in identifying the specific class targeted by the malware to achieve an objective. In this case, the ID value 0f87369f-a4e5-4cfc-bd3e-73e6154572dd confirms that the malware is accessing the task scheduler class implemented by C:\Windows\System32\taskschd.dll.
A volume or logical drive is a single accessible storage area with a single file system, usually resident on a single partition of a hard disk. Before the encryption process, the MedusaLocker enumerates (enumeration exposes potential security flaws) the local volumes and attached shares on the target system. On further investigating the code, the following APIs were found to be used to perform the enumeration:
The malware targets the SystemReserved partition by mounting it via SetVolumeMountPointW. During the locking phase, the data of the reserved partition gets encrypted to prevent data recovery.
Also read Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 1)
After volume enumeration and mounting the reserved partition, the MedusaLocker terminates a list of processes and deletes system services. The table below contains a list of services targeted by Medusa.
Services to be Terminated | ||||
---|---|---|---|---|
wrapper | DefWatch | ccEvtMgr | ccSetMgr | SavRoam |
sqlservr | sqlagent | sqladhlp | Culserver | RTVscan |
sqlbrowser | SQLADHLP | QBIDPService | Intuit.QuickBooks.FCS | QBCFMonitorService |
sqlwriter | msmdsrv | SQLADHLP | tomcat6 | zhudongfangyu |
vmware-usbarbitator64 | vmware-converter | dbsrv12 | dbeng8 |
The malware opens each service in the list via the OpenServiceW API and monitors its state via QueryServiceStatusEx. If the state of the service is SERVICE_STOP_PENDING then the malware sleeps till a new state change happens.
Once a change in state occurs, Medusa retrieves and stops services (depending on the target service) by sending a SERVICE_CONTROL_STOP control signal.
After stopping the service, the malware deletes this service as well.
The locker retrieves a pointer to the structure that holds active processes on the system and walks through the list via CreateToolhelp32Snapshot, Process32FirstW, and Process32NextW APIs. If a match is found, the process is terminated via the TerminateProcess API.
The table below contains the list of running processes targeted by Medusa.
Running Processes Being Targeted | ||||
---|---|---|---|---|
wxServer.exe | wxServerView | sqlservr.exe | sqlmangr.exe | RAgui.exe |
supervise.exe | Culture.exe | RTVscan.exe | Defwatch.exe | sqlbrowser.exe |
winword.exe | QBW32.exe | QBDBMgr.exe | qbupdate.exe | QBCFMonitorService.exe |
axlbridge.exe | QBIDPService.exe | httpd.exe | fdlauncher.exe | MsDtSrvr.exe |
tomcat6.exe | java.exe | 360se.exe | 360doctor.exe | wdswfsafe.exe |
fdlauncher.exe | fdhost.exe | GDscan.exe | ZhuDongFangYu.exe |
Once all the processes and services have been enumerated, the malware proceeds to remove the backups and neutralizes the recovery mechanisms before encrypting data.
To execute the above string commands, a new process is created and the string is passed as a parameter.
The malware then proceeds to empty the recycle bin.
The MedusaLocker enables the EnableLinkedConnections feature in the registry to make the remote shares accessible from the elevated administrative process session. This feature plays an important role in a networked environment, especially when the user wants to access a network resource from an elevated process.
The ransomware is capable of crafting ICMP packets and sending them across the network to scan for connected instances and to enumerate attached shares.
Also read Technical Analysis of Code-Signed “Blister” Malware Campaign (Part 2)
After performing the scan, the MedusaLocker uses NetShareEnum API to gather information about the resources shared by the remote server in the network. This shows the malware’s capability to infect resources connected to the compromised network.
The locker has separate control flows for locking user data on a local system and network-connected hosts. The encryption routine (sub_5258E0) used in both cases is the same.
The encryption routine is implemented as follows:
Executable Hashes |
---|
634d84758d8d922bbfb0ad3c904c38fc7989f11503877acf02ad5dad3775df7a |
c41926a4e667a38bd712cd8fff2c555c51d7f719a949c9be8c1f74232100444b |
98c9e56cba271bf7b32fc17d7966d067d9b549594f8dc60c941f93346e376c00 |
8939141fb565c044895627bbeb522d840d24899dec53545e4a925012dbf83230 |
ec2ec1c316045d5e2e43cc0f1df738e6367b520310a4b7a644717d3aebda43f4 |
6c51f28a6ab35c91e789a4b1a05032c87a3f03006019ba4997dc092ad1c8a625 |
cb12325d13acb03ad4f9977f426baf8b4688af04d4ffe23aa5f1bbd747a147c0 |
fbe10da8d483a0db6686b1f03f18b00dbc60c69fb9a9f4a941764c2c3426367c |
f1c361bb3b649918bc5b3ad3fc5cbd1bbd7c585fbe2557410e267d161d3bb998 |
465ab4311a7db9f0bc10921cf6a0da7a746c4023dd78fdcec1c253eee69e5b9d |
b15840fb0547fc774f371166adb89cd7a58647d4e379256a2f9806dd5a338627 |
99a72b56725196298391f3d52b8536b018aa8b60d97c443161e912430079ed30 |
19e31469f150f69bda363c8a3454113236620aa44155dbe845e7689522724b0b |
c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4 |
58a0db1ae0d7d8c5cb5db5e5a24fd1088b8029a4e51c02e7b77d400c17bcb39a |
66a13e8102f809e23e0ad0ba88ced5eecfa319797c9f709d090994a7143d858a |
a3fe92224060ec183a25296999c18d4f86149649f1a701ac91b04d73e8678495 |
dbac4f2fffcb4e09aad772895647e8f161b1ac713592fe47c5e8207c85722f13 |