CISA, FBI, FinCEN Warn of MedusaLocker Ransomware Cyber Risks
CISA, the FBI, the Department of Treasury, and FinCEN brought attention to MedusaLocker ransomware in a recent alert and warned organizations to apply proper mitigations.
The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) recently released an alert about MedusaLocker ransomware.
The federal agencies have observed MedusaLocker actors exploiting vulnerabilities in Remote Desktop Protocol (RDP) as recently as May 2022. The threat actors typically encrypt their victim’s data and issue a ransom note with instructions in each folder containing an encrypted file.
The note directs the victims to pay the ransom to a specific Bitcoin wallet address, the alert stated.
“MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments,” the alert continued.
“Typical RaaS models involve the ransomware developer and various affiliates that deploy the ransomware on victim systems. MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom; and the developer, who receives the remainder.”
MedusaLocker actors also frequently use phishing and spam email campaigns as initial access vectors. The actors typically use a batch file to execute a specific PowerShell script, which propagates MedusaLocker throughout the network.
CISA provided detailed indicators of compromise (IOCs), including associated payment wallets, ransomware note file names, encrypted file extensions, email addresses, TOR addresses, and IP addresses.
“This joint agency advisory contains very detailed and actionable indicators of compromise. The advisory also highlights the danger of unsecured remote desktop protocol and phishing emails as the initial attack vector,” John Riggi, national advisor for cybersecurity and risk at the American Hospital Association (AHA), emphasized in a separate release.
“The ‘ransomware as a service’ business model used by the MedusaLocker gang facilitates the continuing global proliferation of ransomware — even by relatively unsophisticated cyber actors. It is strongly recommended that organizations continue to emphasize phishing email education for staff, exercise cyber incident response plans, and ensure the segregation and security of network and data backups, among the many helpful risk mitigation recommendations contained in the advisory.”
CISA, the FBI, the Treasury Department, and FinCEN urged organizations to implement a reliable recovery plan, consider adding an email banner to emails received from outside the organization, and enforce multifactor authentication (MFA).
Organizations should also review domain controllers, servers, workstations, and active directories for unrecognized accounts and use the principle of least privilege when configuring access controls, the alert concluded.
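One way to carry out the account review the agencies recommend, as an added example that is not part of the advisory or this article: a PowerShell script that lists domain accounts created in a review window, pulls Security event 4720 (user account created) from a host so local accounts are covered too, and lists Domain Admins membership for the least-privilege check. It assumes the RSAT ActiveDirectory module is available for the domain queries and that the caller can read the host's Security log; $Days and $Server are placeholder parameters.

```powershell
# Added example: surface recently created accounts and privileged-group
# membership for review. Not code from the advisory or the article.
param(
    [int]$Days = 30,                      # review window; placeholder default
    [string]$Server = $env:COMPUTERNAME   # host whose Security log is read; placeholder
)
$since = (Get-Date).AddDays(-$Days)

# 1. Domain user and computer objects created inside the window.
#    Requires the RSAT ActiveDirectory module on a domain-joined session.
$adNew = @()
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $adNew = Get-ADObject -Filter 'whenCreated -ge $since' `
        -Properties whenCreated, SamAccountName, objectClass |
        Where-Object { $_.objectClass -in 'user', 'computer' } |
        Select-Object Name, SamAccountName, objectClass, whenCreated
} else {
    Write-Warning 'ActiveDirectory module not found; skipping the domain query.'
}

# 2. Security event 4720 (a user account was created) on $Server. This also
#    catches local accounts that never appear in the directory.
$localNew = @()
try {
    $localNew = Get-WinEvent -ComputerName $Server -ErrorAction Stop -FilterHashtable @{
        LogName = 'Security'; Id = 4720; StartTime = $since
    } | ForEach-Object {
        # Read named fields from the event XML rather than relying on field order.
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            CreatedBy = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
        }
    }
} catch {
    Write-Warning "Could not read 4720 events from ${Server}: $_"
}

# 3. Current Domain Admins membership (nested groups expanded) for the
#    least-privilege review.
$admins = @()
if (Get-Module -Name ActiveDirectory) {
    $admins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object Name, SamAccountName, objectClass
}

# One object so the result can be exported (e.g. Export-Csv) and compared with
# approved change records; anything not on record is investigated.
[pscustomobject]@{
    Window        = "$($since.ToString('u')) to $((Get-Date).ToString('u'))"
    DomainCreated = $adNew
    Event4720     = $localNew
    DomainAdmins  = $admins
}
```

Run it from an account that can query the directory and read the target host's Security log; an empty result for a section means either nothing was created in the window or the query could not run, and the warnings distinguish the two.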