
MedusaLocker Ransomware Leveraged In Healthcare Cyberattacks

HC3 described the MedusaLocker ransomware variant as “lesser known but potent” and recommended that healthcare security defenders apply necessary mitigations.

MedusaLocker ransomware is the latest variant used to encrypt healthcare systems, the Health Sector Cybersecurity Coordination Center (HC3) warned in its latest analyst note.

The note follows a July 2022 alert co-authored by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) about MedusaLocker’s tactics.

MedusaLocker may be lesser known than some of the major ransomware variants that have been used against healthcare recently, such as Royal and Clop, but it still has the ability to cause significant damage.

As such, HC3 said that MedusaLocker “should also be a source of concern and attention by healthcare security decision makers and defenders” in addition to well-known cyber threat groups.

MedusaLocker was first observed in September 2019 and has since made healthcare its primary target. In particular, the group exploited the confusion surrounding the COVID-19 pandemic to infiltrate systems. It operates under a Ransomware-as-a-Service (RaaS) model.

“As of 2022, Remote Desktop Protocol (RDP) vulnerabilities are the preferred Tactics, Techniques, and Procedures (TTP) to gain access to targeted networks by cyber criminals behind the ransomware,” HC3 stated. “Moreover, MedusaLocker threat actors may still gain entry into networks via phishing campaigns in which the malware is attached to emails.”

HC3's note listed detailed TTPs to watch for, highlighting that MedusaLocker typically propagates through a network via a batch file that executes a PowerShell script.

“MedusaLocker will next disable security and forensic software, restart the machine in safe mode to prevent detection or ransomware, and then encrypt files with the AES-256 encryption algorithm,” the analyst note continued.

“MedusaLocker will further establish persistence by deleting local backups, disabling start-up recovery to ultimately place a ransom note into every folder containing a file with compromised host’s encrypted data.”
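The chain HC3 describes above (batch file launching PowerShell, security tooling disabled, safe-mode reboot configured, local backups deleted, startup recovery disabled) can be hunted for in process-creation telemetry. The following is an added example written for this page, not code from HC3, CISA or the ransomware's operators. It runs a set of detection rules over constructed Sysmon-style events; the specific command lines it looks for (Set-MpPreference, bcdedit, vssadmin, wmic, wbadmin) are assumptions about how each step is commonly carried out, since the HC3 note describes the behaviour rather than exact commands.

```python
"""Flag the post-access chain described in the HC3 note in process-creation
telemetry.  Events are dicts shaped like Sysmon event 1 / Windows 4688
records.  Everything below (events and indicator strings) is constructed
for this example; extend the rules from your own telemetry."""
import re


def _match(pattern, text):
    return re.search(pattern, text or "", re.IGNORECASE) is not None


# Assumed indicators: the note describes the behaviour, not the exact
# command lines, so these are the common ways each step is carried out.
RULES = [
    ("batch_launches_powershell",
     lambda e: _match(r"\\(powershell|pwsh)\.exe$", e["image"])
     and _match(r"\.(bat|cmd)\b", e.get("parent_cmdline"))),
    ("security_tooling_disabled",
     lambda e: _match(r"Set-MpPreference\b.*-Disable\w*Monitoring\s+\$?true",
                      e["cmdline"])),
    ("safe_mode_boot_configured",
     lambda e: _match(r"\bbcdedit\b.*\bsafeboot\b", e["cmdline"])),
    ("local_backups_deleted",
     lambda e: _match(r"\bvssadmin\b.*\bdelete\s+shadows\b", e["cmdline"])
     or _match(r"\bwmic\b.*\bshadowcopy\b.*\bdelete\b", e["cmdline"])
     or _match(r"\bwbadmin\b.*\bdelete\b", e["cmdline"])),
    ("startup_recovery_disabled",
     lambda e: _match(r"\bbcdedit\b.*\brecoveryenabled\s+no\b", e["cmdline"])
     or _match(r"\bbcdedit\b.*\bbootstatuspolicy\s+ignoreallfailures\b",
               e["cmdline"])),
]

# Constructed sample events (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
BAT = r"cmd.exe /c C:\Users\Public\update.bat"
PS1 = r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\spread.ps1"
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": BAT},
    {"id": 2, "image": PS, "parent": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": BAT, "cmdline": PS1},
    {"id": 3, "image": PS, "parent": PS, "parent_cmdline": PS1,
     "cmdline": 'powershell.exe -Command "Set-MpPreference '
                '-DisableRealtimeMonitoring $true"'},
    {"id": 4, "image": r"C:\Windows\System32\bcdedit.exe", "parent": PS,
     "parent_cmdline": PS1, "cmdline": "bcdedit /set {default} safeboot network"},
    {"id": 5, "image": r"C:\Windows\System32\vssadmin.exe", "parent": PS,
     "parent_cmdline": PS1, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 6, "image": r"C:\Windows\System32\bcdedit.exe", "parent": PS,
     "parent_cmdline": PS1, "cmdline": "bcdedit /set {default} recoveryenabled no"},
    # Benign activity that must not fire.
    {"id": 7, "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r"notepad.exe C:\notes.txt"},
    {"id": 8, "image": r"C:\Windows\System32\bcdedit.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": "cmd.exe", "cmdline": "bcdedit /enum all"},
]


def match_event(event):
    """Names of every rule that fires on a single event."""
    return [name for name, pred in RULES if pred(event)]


def detect(events):
    """Map rule name -> list of event ids that triggered it."""
    hits = {}
    for event in events:
        for name in match_event(event):
            hits.setdefault(name, []).append(event["id"])
    return hits


def chain_score(events, threshold=3):
    """Number of distinct chain steps seen and whether it crosses the alert
    threshold.  Any one step alone is weak evidence; several in sequence on
    one host is the pattern the note describes."""
    steps = len(detect(events))
    return steps, steps >= threshold


if __name__ == "__main__":
    for rule, ids in detect(SAMPLE_EVENTS).items():
        print(f"{rule}: events {ids}")
    print("chain steps, alert:", chain_score(SAMPLE_EVENTS))
```

The score function matters more than any single rule: a lone `bcdedit` or shadow-copy deletion is normal administrative work on some hosts, but several of these steps within a short window on one machine is the sequence worth paging on.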

To defend against MedusaLocker, healthcare organizations should continue to employ cyber hygiene best practices. Since MedusaLocker is actively targeting unsecured RDP servers, HC3 urged defenders to require all RDP instances to have multiple levels of access controls.

Organizations should prioritize patching RDP vulnerabilities, creating strong passwords and enforcing multi-factor authentication (MFA), and monitoring RDP utilization.

In addition, organizations should consider using a VPN, disabling hyperlinks in received emails, and maintaining a strong incident response plan.
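Monitoring RDP utilization, as HC3 recommends above, comes down to watching Windows Security events 4625 (failed logon) and 4624 (successful logon) with LogonType 10 (RemoteInteractive) and looking for the pattern that precedes a MedusaLocker intrusion: many failures from one source followed by a success. The following is an added example written for this page, not code from HC3 or CISA. The log records are constructed, and the five-failures-in-five-minutes threshold is an assumption to tune against your own baseline.

```python
"""Brute-force and success-after-failure detection for RDP logons.

Records are (iso_timestamp, event_id, logon_type, account, source_ip),
the fields a Windows Security 4624/4625 event carries.  Only LogonType 10
(RemoteInteractive, i.e. RDP) is considered.  The sample records are
constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOGONS = [
    # Password spray from one source against five accounts, then a success.
    ("2023-04-03T02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2023-04-03T02:00:03", 4625, 10, "admin", "203.0.113.7"),
    ("2023-04-03T02:00:05", 4625, 10, "backup", "203.0.113.7"),
    ("2023-04-03T02:00:07", 4625, 10, "nurse1", "203.0.113.7"),
    ("2023-04-03T02:00:09", 4625, 10, "it-svc", "203.0.113.7"),
    ("2023-04-03T02:00:12", 4624, 10, "it-svc", "203.0.113.7"),
    # A user mistyping a password once from inside the network.
    ("2023-04-03T08:15:00", 4625, 10, "jdoe", "10.20.30.40"),
    ("2023-04-03T08:15:20", 4624, 10, "jdoe", "10.20.30.40"),
    # A network logon (type 3) is not RDP and must be ignored.
    ("2023-04-03T09:00:00", 4625, 3, "svc-web", "10.20.30.41"),
]


def rdp_alerts(records, window=timedelta(minutes=5), threshold=5):
    """Return alerts for sources with >= threshold RDP failures inside the
    window, and for any RDP success from a source still at that level."""
    failures = defaultdict(list)  # source_ip -> [(timestamp, account)]
    brute_forced = set()          # sources already alerted on
    alerts = []
    for ts_text, event_id, logon_type, account, source in sorted(records):
        if logon_type != 10:
            continue
        ts = datetime.fromisoformat(ts_text)
        # Keep only failures that are still inside the sliding window.
        recent = [(t, a) for t, a in failures[source] if ts - t <= window]
        if event_id == 4625:
            recent.append((ts, account))
            if len(recent) >= threshold and source not in brute_forced:
                brute_forced.add(source)
                alerts.append({"type": "rdp_brute_force", "source": source,
                               "failures": len(recent),
                               "accounts": sorted({a for _, a in recent})})
        elif event_id == 4624 and len(recent) >= threshold:
            # The attacker found working credentials: highest priority.
            alerts.append({"type": "rdp_success_after_failures",
                           "source": source, "account": account})
        failures[source] = recent
    return alerts


if __name__ == "__main__":
    for alert in rdp_alerts(SAMPLE_LOGONS):
        print(alert)
```

The `accounts` list distinguishes a spray (many accounts, one source) from a single-account guess, which matters for response: a spray means every listed account should be checked for lockout and reset, and the success alert names the account whose session should be killed first. Account lockout policy and MFA on the RDP gateway stop the spray itself; this logic tells you it happened.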
