- The MedusaLocker ransomware is a menace to network drives and inter-related systems.
- The ransomware is jogging just about every 15 minutes, scanning for recently related units on the network.
- Medusa attributes a strong encryption implementation and pretty a number of Windows-linked persistence mechanisms.
Scientists at Cisco Talos are turning their highlight around the “MedusaLocker” ransomware, one of the most energetic and prolific malware resources in existence right now. The unique piece of ransomware was initial deployed final yr, but it has remained appropriate through the advancement of added variants, superior persistence mechanisms, and deep network infiltration capabilities. MedusaLocker is combining a established of standard ransomware qualities with the means to map community drives, forcing their remapping and eventual content material encryption. It means that if it finds its way into a single system on a network, it may possibly result in in depth damage on all drives in that network.
MedusaLocker is copying alone to the %APPDATA%Roaming listing, and then results in scheduled tasks on Home windows with 15-minute intervals. This is for scanning for, finding and encrypting any media connected to the contaminated procedure or the community immediately after the original operate. It is precisely why you are normally suggested to disconnect infected desktops from the network. The ransomware is making use of the straight-forward “.encrypted” extension for the encrypted information, while the ransom be aware that is generated on all directories is really regular. As for the encryption, all variants use AES 256 with an RSA-2048 key embedded in the executable.
To deprive victims of the potential to recover their systems, MedusaLocker is also deleting the “vssadmin” utility from Windows, which is used for the restoring of shadow copies/backups. If users ended up able to restore from a backup, they wouldn’t fork out the actors a dime. In addition, MedusaLocker is trying to pressure the re-connection of the contaminated program with the network, generating use of a Home windows registry entry for this reason. To reduce this chance, you are recommended to disconnect the program in a actual physical method, these as by eradicating the connecting cable, for example.
As Cisco’s team factors out, to protect versus the MedusaLocker menace, you must implement electronic mail and spam filters, complete frequent updates on all procedure parts, empower multi-aspect authentication wherever probable, and use an up to date endpoint security software program. As for the backup technique, you really should however manage a stable prepare in this regard, continue to keep your backups offline, and only attempt to restore on 100% cleaned units. Legacy protection items will not be sufficient with the particular ransomware pressure, whilst widespread examination and reverse engineering applications are also actively blocked by MedusaLocker.
Created by ODD Balls