Project Hyphae

MedusaLocker…maybe?

Share This Post

Alright, so for those of you that I’ve worked with you know I’m a pretty straight shooter so I’ll be honest, this one has me confused.

This week, CISA issued an alert about MedusaLocker ransomware. This is great, let’s get folks aware of any emerging threats so that they can properly protect and respond. Where I’m a little confused is that MedusaLocker isn’t exactly new. Here on the FRSecure CSIRT team, we saw it a couple of years ago and haven’t seen it since. The team has been digging around the internet, and we’re not finding any indications that this is re-emerging, and all information seems to just point back to this CISA alert. To be fair, it does seem the FBI has seen it in use as of May 2022, so maybe it’s out there but other teams and researchers just aren’t talking about it.

The IoCs and TTPs listed in the CISA alert seem to echo our experience, as many of them are very old (and the IoCs are very likely no longer valid as these things change quickly).

With all of that said, knowing that we’re going into a holiday weekend here in the U.S.A., we should treat it as a potential threat and be on alert. We all know that this is a popular time of the year for attacks, so we should use anything we can to protect ourselves.

The guidance in the alert is fairly straightforward and good for more than just MedusaLocker:

  • Don’t allow externally available Remote Desktop Protocol.
  • Enforce Multifactor Authentication (MFA) everywhere.
  • Disable unused ports.
  • Update any and all systems to the latest security patch levels.
  • Many other great items are listed at the link below.

One quick note, though we haven’t been able to confirm this, is that we do see some reports that provide some relation between SunnyDay ransomware and MedusaLocker. Additionally, there are some notes that Apache and PHP vulnerabilities may be being targeted. This is a good time to ensure that ALL externally available sites and applications are fully patched.

As always, if you have any questions or concerns reach out to your security team or any security resources you have, including FRSecure of course, and don’t be afraid to get help when you need it.

Be safe out there, keep your eyes open, and try to enjoy the holiday anyway!

Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-181a

More To Explore

The Teams Call is Coming from Inside the House

Researchers at Vectra stumbled across some genuinely troubling design flaws in Microsoft Teams.  Essentially, Teams stores authentication tokens in plaintext capable of granting access to

When Oktapuses Attack

Group-IB, a Singapore based security and threat research company, identified a multiphase smishing (I really hate that word) campaign complete with MFA capture. The campaign

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.