The newly discovered ransomware called MedusaLocker won’t exactly turn your computer to stone, but it might as well, considering your files will be just as useless.
Researchers from MalwareHunterTeam first took note of the threat in late September, when the ransomware started racking up its first known victims. (The company acknowledges the ransomware in a tweet here.)
According to an Oct. 22 report from BleepingComputer, the ransomware uses a combination of AES and RSA-2048 to encrypt file with the extensions .exe, .dll, .sys, .ini, .lnk, .rdp, .encrypted and other extensions used for encrypted files. It also encrypts files found in multiple folders, including USERPROFILE, PROGRAMFILES (x86), programData, \AppData, WINDIR, \Application Data and \Program Files.
Depending on the variant, the ransom appends the affected files with one of several extensions, including the TV and movie-themed .breakingbad and .skynet.
MedusaLocker performs a number of startup routines that prep infected computers for encryption. “It will create the Registry value EnableLinkedConnections under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System registry key and set it to 1. This is done to make sure mapped drives are accessible even in a UAC launched process,” explains BleepingComputer owner Lawrence Abrams in the report. “It will also restart the LanmanWorkstation server in order to make sure that Windows networking is running and that mapped network drives are accessible.”
Next, MedusaLocker seeks out and terminates a flew of processes in an attempt to both sideline security programs and ensure all data files are closed and ready for encryption. Moreover, it takes steps to frustrate possible remediation and recovery efforts by erasing Shadow Volume copies, removing back-ups and disabling the Windows automatic startup repair.
Following the encryption, the ransomware sleeps for a minute before scanning for additional files to encrypt and creates persistence by setting a scheduled tasks that re-launches the program every half hour.
MedusaLocker’s ransom note contains a pair of email addresses containing instructions for making the ransom payment.
The attackers also attempt to intimidate victims by telling them they will permanently lose their data if they attempt to change their files, or use decryptors, third-party data recovery software or anti-virus solutions. They also urge victims to act quickly, before the attackers’ email addresses are blocked and there is no longer a way to communicate with them.