The FBI, the Cybersecurity and Infrastructure Security Agency, the Financial Crimes Enforcement Network, and the Department of the Treasury have issued a joint warning regarding the MedusaLocker ransomware operation's mounting exploitation of vulnerable Microsoft Remote Desktop Protocol configurations to infiltrate target networks since May, ZDNet
Upon initial access, MedusaLocker has been using a PowerShell script to propagate the ransomware across the network, detecting shared storage over the SMB file-sharing protocol, according to the advisory. MedusaLocker then restarts the LanmanWorkstation service so that its registry edits take effect; kills the processes of security software; encrypts victim files with the AES-256 algorithm; establishes persistence; and attempts to defeat standard recovery methods, said the feds, who also noted that MedusaLocker operates under a ransomware-as-a-service model.
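The behaviours listed above are observable in Windows event logs, and a defender would want detection logic that correlates them per host rather than alerting on any one of them. The following is an added example written for this summary; it is not code from the advisory, from ZDNet, or from MedusaLocker itself. The event records are constructed, the rule names are this example's own, and the specific recovery-tampering command lines (vssadmin, wmic, bcdedit, wbadmin) are an assumption about how "averting standard recovery methods" typically shows up in process-creation telemetry rather than something the article states. The scheduled-task indicator assumes the task action points into the user's roaming AppData directory.

```python
"""Correlate MedusaLocker-style indicators across Windows event records.

Added example, not from the advisory or the article.  SAMPLE_EVENTS are
constructed records of the form (event_id, host, iso_timestamp, detail):
  System 7036   = service entered stopped/running state
  Security 4688 = process creation (detail = command line)
  Security 4698 = scheduled task created
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: one compromised file server and one benign workstation.
SAMPLE_EVENTS = [
    (4688, "FS01", "2022-06-01T02:10:05",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\spread.ps1"),
    (7036, "FS01", "2022-06-01T02:10:40", "The Workstation service entered the stopped state."),
    (7036, "FS01", "2022-06-01T02:10:42", "The Workstation service entered the running state."),
    (4688, "FS01", "2022-06-01T02:11:00", r"vssadmin.exe delete shadows /all /quiet"),
    (4688, "FS01", "2022-06-01T02:11:03", r"bcdedit.exe /set {default} recoveryenabled no"),
    (4698, "FS01", "2022-06-01T02:11:30",
     r"Task: \svhost  Action: C:\Users\admin\AppData\Roaming\svhost.exe  Trigger: every 15 minutes"),
    # Benign noise: a service start with no preceding stop, and an ordinary admin script.
    (7036, "WS22", "2022-06-01T08:00:00", "The Workstation service entered the running state."),
    (4688, "WS22", "2022-06-01T08:01:00", r"powershell.exe -File C:\Scripts\inventory.ps1"),
]

# Assumed command lines for deleting shadow copies, backup catalogs and startup
# recovery options; the article names only the goal, not the commands.
RECOVERY_TAMPER = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|bcdedit(\.exe)?\s+.*recoveryenabled\s+no"
    r"|wbadmin(\.exe)?\s+delete\s+catalog)",
    re.IGNORECASE,
)
# Scheduled task whose action is an executable under the roaming AppData directory (assumption).
APPDATA_TASK = re.compile(r"AppData\\Roaming\\[^\s]+\.exe", re.IGNORECASE)
# PowerShell launched with a script file and an execution-policy override.
PS_SCRIPT = re.compile(r"powershell(\.exe)?.*-ExecutionPolicy\s+Bypass.*-File", re.IGNORECASE)

# A stop followed by a start within this window counts as a deliberate restart
# of the Workstation (LanmanWorkstation) service.
RESTART_WINDOW = timedelta(minutes=5)


def hunt(events):
    """Return {host: set of indicator names} for every host with at least one indicator."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev[1]].append(ev)

    findings = defaultdict(set)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[2])
        last_stop = None
        for event_id, _, when, detail in evs:
            t = datetime.fromisoformat(when)
            if event_id == 7036 and "Workstation service" in detail:
                if "stopped state" in detail:
                    last_stop = t
                elif "running state" in detail and last_stop and t - last_stop <= RESTART_WINDOW:
                    findings[host].add("lanmanworkstation_restart")
            elif event_id == 4688:
                if RECOVERY_TAMPER.search(detail):
                    findings[host].add("recovery_tampering")
                if PS_SCRIPT.search(detail):
                    findings[host].add("powershell_script_bypass")
            elif event_id == 4698 and APPDATA_TASK.search(detail):
                findings[host].add("appdata_scheduled_task")
    return dict(findings)


def suspected_hosts(events, min_indicators=2):
    """Hosts showing at least min_indicators distinct indicators.

    A lone Workstation-service restart or PowerShell script launch is routine
    admin activity; the combination is what makes the chain suspicious.
    """
    return sorted(h for h, ind in hunt(events).items() if len(ind) >= min_indicators)


if __name__ == "__main__":
    for host, indicators in hunt(SAMPLE_EVENTS).items():
        print(host, sorted(indicators))
    print("suspected:", suspected_hosts(SAMPLE_EVENTS))
```

The threshold in suspected_hosts is deliberate: each rule on its own would fire on legitimate administration, so the alert is raised only when several of the steps the advisory describes appear together on one host. In production the same per-host correlation would run over a SIEM query rather than an in-memory list.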
Organizations have been advised to adopt data recovery plans, implement network segmentation, and maintain offline data backups, as well as to back up data regularly and password-protect the backup copies stored offline. The feds also urged that copies of critical data be kept where they cannot be modified or deleted from the system on which the data resides.