Project Hyphae
Search

MedusaLocker…maybe?

Share This Post

Alright, so for those of you that I’ve worked with you know I’m a pretty straight shooter so I’ll be honest, this one has me confused.

This week, CISA issued an alert about MedusaLocker ransomware. This is great, let’s get folks aware of any emerging threats so that they can properly protect and respond. Where I’m a little confused is that MedusaLocker isn’t exactly new. Here on the FRSecure CSIRT team, we saw it a couple of years ago and haven’t seen it since. The team has been digging around the internet, and we’re not finding any indications that this is re-emerging, and all information seems to just point back to this CISA alert. To be fair, it does seem the FBI has seen it in use as of May 2022, so maybe it’s out there but other teams and researchers just aren’t talking about it.

The IoCs and TTPs listed in the CISA alert seem to echo our experience, as many of them are very old (and the IoCs are very likely no longer valid as these things change quickly).

With all of that said, knowing that we’re going into a holiday weekend here in the U.S.A., we should treat it as a potential threat and be on alert. We all know that this is a popular time of the year for attacks, so we should use anything we can to protect ourselves.

The guidance in the alert is fairly straightforward and good for more than just MedusaLocker:

  • Don’t allow externally available Remote Desktop Protocol.
  • Enforce Multifactor Authentication (MFA) everywhere.
  • Disable unused ports.
  • Update any and all systems to the latest security patch levels.
  • Many other great items are listed at the link below.

One quick note, though we haven’t been able to confirm this, is that we do see some reports that provide some relation between SunnyDay ransomware and MedusaLocker. Additionally, there are some notes that Apache and PHP vulnerabilities may be being targeted. This is a good time to ensure that ALL externally available sites and applications are fully patched.

As always, if you have any questions or concerns reach out to your security team or any security resources you have, including FRSecure of course, and don’t be afraid to get help when you need it.

Be safe out there, keep your eyes open, and try to enjoy the holiday anyway!

Source: https://www.cisa.gov/uscert/ncas/alerts/aa22-181a



Reach out to our incident response team for help

More To Explore

Information Security News 4-22-2024

Cisco Duo Warns Third-Party Data Breach Exposed SMS MFA Logs Article Link: https://www.bleepingcomputer.com/news/security/cisco-duo-warns-third-party-data-breach-exposed-sms-mfa-logs/ Notorious Russian Hacking Unit Linked to Breach of Texas Water Facility Article

Shane Farmer April 22, 2024

Information Security News 4-15-2024

Roku Disclosed a Security Incident Impacting 576,000 Accounts Article Link: https://securityaffairs.com/161765/data-breach/roku-second-data-breach.html FBI Warns of Massive Wave of Road Toll SMS Phishing Attacks Article Link: https://www.bleepingcomputer.com/news/security/fbi-warns-of-massive-wave-of-road-toll-sms-phishing-attacks/

Shane Farmer April 15, 2024

Do You Want to Shore Up Your Defenses?

We're opening our first round of threat hunting engagements to 100 organizations. Sign up or join the wait list here.