
New MedusaLocker ransomware looks to make a monster profit

The newly discovered ransomware called MedusaLocker won't exactly turn your computer to stone, but it might as well, considering your files will be just as useless.

Researchers from MalwareHunterTeam first took note of the threat in late September, when the ransomware started racking up its first known victims. (The researchers acknowledged the ransomware in a tweet.)

According to an Oct. 22 report from BleepingComputer, the ransomware uses a combination of AES and RSA-2048 to encrypt files with the extensions .exe, .dll, .sys, .ini, .lnk, .rdp, .encrypted and other extensions used for encrypted files. It also encrypts files found in multiple folders, including USERPROFILE, PROGRAMFILES (x86), programData, AppData, WINDIR, Application Data and Program Files.

Depending on the variant, the ransomware appends the affected files with one of several extensions, including the TV and movie-themed .breakingbad and .skynet.

MedusaLocker performs a number of startup routines that prep infected computers for encryption. "It will create the Registry value EnableLinkedConnections under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System registry key and set it to 1. This is done to make sure mapped drives are accessible even in a UAC launched process," explains BleepingComputer owner Lawrence Abrams in the report. "It will also restart the LanmanWorkstation server in order to make sure that Windows networking is running and that mapped network drives are accessible."

Next, MedusaLocker seeks out and terminates a slew of processes in an attempt to both sideline security programs and ensure all data files are closed and ready for encryption. Moreover, it takes steps to frustrate possible remediation and recovery efforts by erasing Shadow Volume copies, removing back-ups and disabling the Windows automatic startup repair.

Following the encryption, the ransomware sleeps for a minute before scanning for additional files to encrypt, and it establishes persistence by creating a scheduled task that re-launches the program every half hour.
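The startup, anti-recovery and persistence behaviours described above are exactly the kind of host telemetry a detection engineer can alert on, since each of them is visible as a registry write or a process launch. The following is an added example, not code from the article or from any of the researchers it cites: it runs a handful of rules over constructed Sysmon-style events (a registry value set is event ID 13, a process creation is event ID 1) and rolls the matches up into a per-host verdict. The article names the behaviours but not the exact command lines MedusaLocker uses, so the process rules are an assumption that the usual Windows utilities for those actions (vssadmin, wbadmin, bcdedit, net, schtasks) are what shows up; the sample events, image paths and task name are invented for the demonstration.

```python
import re

# Constructed sample host events in a Sysmon-like shape (not real telemetry
# from the article). event_id 13 = registry value set, event_id 1 = process
# create. Paths and the task name "svhost" are invented for this example.
SAMPLE_EVENTS = [
    {"event_id": 13,
     "image": r"C:\Users\alice\AppData\Roaming\svhost.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections",
     "details": "DWORD (0x00000001)"},
    {"event_id": 1, "image": r"C:\Windows\System32\net.exe",
     "command_line": "net stop LanmanWorkstation /y"},
    {"event_id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin delete shadows /all /quiet"},
    {"event_id": 1, "image": r"C:\Windows\System32\bcdedit.exe",
     "command_line": "bcdedit /set {default} recoveryenabled No"},
    {"event_id": 1, "image": r"C:\Windows\System32\wbadmin.exe",
     "command_line": "wbadmin delete catalog -quiet"},
    {"event_id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r"schtasks /create /sc minute /mo 30 /tn svhost /tr C:\Users\alice\AppData\Roaming\svhost.exe /f"},
    # Benign noise that must not fire.
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\alice\notes.txt"},
    {"event_id": 13, "image": r"C:\Windows\regedit.exe",
     "target_object": r"HKCU\Software\Classes\ms-settings\shell",
     "details": "DWORD (0x00000000)"},
    {"event_id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": "schtasks /query /tn svhost"},
]

# Lower-cased tail of the registry path quoted in the article.
ENABLE_LINKED_SUFFIX = r"\currentversion\policies\system\enablelinkedconnections"


def registry_indicator(event):
    """Label a registry-set event that writes EnableLinkedConnections = 1."""
    if event.get("event_id") != 13:
        return None
    target = event.get("target_object", "").lower()
    details = event.get("details", "").lower()
    if target.endswith(ENABLE_LINKED_SUFFIX) and details.endswith("(0x00000001)"):
        return "EnableLinkedConnections set to 1 (mapped drives reachable from elevated process)"
    return None


def _is_30_min_task(cmd):
    # schtasks /create with a MINUTE schedule and a modifier of 30; the two
    # switches may appear in either order, so they are checked separately.
    return ("schtasks" in cmd and "/create" in cmd
            and re.search(r"/sc\s+minute\b", cmd) is not None
            and re.search(r"/mo\s+30\b", cmd) is not None)


# (predicate over the lower-cased command line, label). Assumption: the
# article names the behaviours, not the commands; these match the Windows
# utilities normally used for them.
COMMAND_RULES = [
    (lambda c: re.search(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b", c) is not None,
     "Shadow Volume copies erased"),
    (lambda c: re.search(r"\bwbadmin\b.*\bdelete\b", c) is not None,
     "Windows backup catalog removed"),
    (lambda c: re.search(r"\bbcdedit\b.*\brecoveryenabled\s+no\b", c) is not None,
     "automatic startup repair disabled"),
    (lambda c: re.search(r"\bnet\b\s+(stop|start)\s+lanmanworkstation\b", c) is not None,
     "LanmanWorkstation service stopped or started"),
    (_is_30_min_task, "scheduled task re-launching a program every 30 minutes"),
]


def process_indicator(event):
    """Label a process-creation event whose command line matches a rule."""
    if event.get("event_id") != 1:
        return None
    cmd = event.get("command_line", "").lower()
    for predicate, label in COMMAND_RULES:
        if predicate(cmd):
            return label
    return None


def scan_events(events):
    """Return (image, label) for every event matching an indicator."""
    hits = []
    for ev in events:
        label = registry_indicator(ev) or process_indicator(ev)
        if label:
            hits.append((ev.get("image", "?"), label))
    return hits


def triage(events, threshold=3):
    """Roll hits up to a host verdict: several distinct indicators together
    are a much stronger signal than any single one, which may be admin work."""
    hits = scan_events(events)
    distinct = {label for _, label in hits}
    return {"hits": hits, "distinct_indicators": len(distinct),
            "suspect": len(distinct) >= threshold}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for image, label in result["hits"]:
        print(f"{image}: {label}")
    print("host suspect:", result["suspect"])
```

Run against the constructed events, the six malicious rows each produce one labelled hit, the three benign rows produce none, and the host is marked suspect because the threshold of three distinct indicators is exceeded. The threshold is the design choice worth tuning: a lone `vssadmin delete shadows` can be a backup operator, but that command alongside a registry change to EnableLinkedConnections and a half-hourly scheduled task from a user-profile path is hard to explain innocently.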

MedusaLocker's ransom note contains a pair of email addresses along with instructions for making the ransom payment.

The attackers also attempt to intimidate victims by telling them they will permanently lose their data if they attempt to change their files, or use decryptors, third-party data recovery software or anti-virus solutions. They also urge victims to act quickly, before the attackers' email addresses are blocked and there is no longer a way to communicate with them.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
