Backed by Russia, the MedusaLocker ransomware group has bolstered its arsenal with brute force tactics that exploit weak access controls on remote desktop protocol services to force their way into a network, according to the U.S. Department of Health and Human Services.
The latest alert published by HHS' Cybersecurity Coordination Center (HC3) urges healthcare entities to “holistically require” multiple levels of access and authentication controls to better defend against a MedusaLocker campaign that is currently using known software vulnerabilities to target unsecured RDP servers and desktops.
The warning adds to a host of ransomware-related alerts directed at healthcare entities over growing concerns about the current threat landscape. The threat from “lesser-known but potent ransomware variants” like MedusaLocker should “be a source of concern and attention by healthcare security decision makers.”
MedusaLocker has been active for over three years, exploiting networks across a range of sectors. However, healthcare has remained its primary target, largely driven by the industry's COVID-19 response and by actors that seek to exploit the disorder and confusion of the pandemic for profit.
The group operates as a Ransomware-as-a-Service (RaaS) model, sharing its variant with other threat actors for a share of the ransom payment. As of June 2022, affiliates receive about 55% to 60% of ransoms and the developer takes the rest.
Its early tactics relied heavily on phishing and email spam campaigns, but over the last year its preference has shifted to exploiting RDP flaws. However, the group continues to leverage phishing attacks with malware-laced attachments to gain a foothold on the network.
Known access techniques also include brute-force password guessing against RDP services and exploiting vulnerable RDP services. The alert warns that “if the guessed password belongs to the domain administrator, they can execute commands with elevated privileges.”
Upon exploitation, MedusaLocker spreads across the network from a batch file that deploys a PowerShell script, before disabling security and forensic software and restarting the infected device to evade detection. The ransomware payload is initiated after restart, encrypting files with an AES-256 encryption algorithm.
The actors persist on the network by “deleting local backups and disabling start-up recovery to ultimately place a ransom note into every folder containing a file with compromised host’s encrypted data,” according to HC3.
Researchers have also observed MedusaLocker creating a scheduled task called "svhost" that runs the ransomware automatically every 15 minutes.
The threat analysis details each tactic in depth for security leaders to review and make recommended changes. Specifically, RDP should never be open to the internet, and IT leaders should ensure the default port of all RDP instances has been changed from 3389 to another.
Further, entities should use multiple levels of access and authentication controls, monitor RDP utilization, and flag first-time-seen and anomalous behavior with a keen focus on failed login attempts. Account lockout policies can be crucial to defending against brute force attacks, and patching of known RDP vulnerabilities should be prioritized.
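The monitoring the alert recommends can be reduced to a small piece of detection logic. The following is an added example, not code from HC3 or SC Media: it runs over a constructed set of Windows logon events (4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive, i.e. RDP), flags a burst of failed RDP logons from one source, a first-time-seen source address on a successful RDP logon, and a success that follows a burst. The log format and the baseline of known sources are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from the alert). Fields mirror the Windows
# security log: id=EventID, type=LogonType, user=TargetUserName, src=IpAddress.
SAMPLE_EVENTS = """\
2024-06-01T10:00:01Z id=4625 type=10 user=administrator src=203.0.113.5
2024-06-01T10:00:03Z id=4625 type=10 user=administrator src=203.0.113.5
2024-06-01T10:00:04Z id=4625 type=10 user=admin src=203.0.113.5
2024-06-01T10:00:06Z id=4625 type=10 user=administrator src=203.0.113.5
2024-06-01T10:00:07Z id=4625 type=10 user=backup src=203.0.113.5
2024-06-01T10:00:09Z id=4624 type=10 user=administrator src=203.0.113.5
2024-06-01T10:15:00Z id=4625 type=10 user=jdoe src=198.51.100.7
2024-06-01T10:20:00Z id=4624 type=10 user=jdoe src=198.51.100.7
2024-06-01T11:00:00Z id=4624 type=2 user=svc src=10.0.0.9
"""

# Hypothetical baseline: source addresses previously seen on RDP logons.
KNOWN_RDP_SOURCES = {"198.51.100.7"}

def parse(line):
    ts, *kv = line.split()
    ev = dict(p.split("=", 1) for p in kv)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev

def detect(text, threshold=5, window=timedelta(minutes=5), known=KNOWN_RDP_SOURCES):
    """Return (kind, source, detail) alerts for RDP brute-force bursts,
    first-time-seen sources, and successes that follow a burst."""
    recent = defaultdict(deque)  # src -> timestamps of recent failed RDP logons
    alerts = []
    for line in text.splitlines():
        ev = parse(line)
        if ev["type"] != "10":   # only RemoteInteractive (RDP) logons matter here
            continue
        src = ev["src"]
        if ev["id"] == "4625":
            q = recent[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside window
                q.popleft()
            if len(q) == threshold:   # fire once, when the burst crosses the bar
                alerts.append(("brute_force", src, ev["ts"]))
        elif ev["id"] == "4624":
            if src not in known:
                alerts.append(("new_source", src, ev["ts"]))
            if len(recent[src]) >= threshold:   # password guessing that paid off
                alerts.append(("success_after_burst", src, ev["user"]))
    return alerts
```

In production the window, threshold and baseline would be tuned per environment and fed from the SIEM rather than an inline string.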
As SC Media has extensively reported, nation-state threat actors have set their sights on critical infrastructure entities like healthcare in recent months. These attacks include ransomware like MedusaLocker and Clop but also DDoS attacks that could impact care operations.