New MedusaLocker Ransomware Variant Deployed by Threat Actor

Security

A financially-motivated threat actor has been observed targeting organizations globally with a MedusaLocker ransomware variant, according to an analysis by Cisco Talos.

The variant, known as “BabyLockerKZ,” has been around since at least late 2023, and this is the first time it has been specifically called out as a MedusaLocker variant.

This variant uses the same chat and leak site URLs as the original MedusaLocker ransomware. However, it uses a different autorun key or an extra public and private key set stored in the registry.

Threat Actor Characteristics

The attacker has been active since at least 2022, initially focusing on targets in European countries such as France, Germany, Spain and Italy.

Since the second quarter of 2023, it has shifted its focus towards South American countries such as Brazil, Mexico, Argentina and Colombia, resulting in the volume of victims per month almost doubling.

Attacks kept a steady volume of around 200 unique IPs compromised per month until the first quarter of 2024, when attacks decreased.

The threat actor is believed to either be working as an initial access broker or an affiliate of a ransomware cartel.

Cisco assessed with medium confidence that it is financially motivated.

Tactics, Techniques and Procedures

Cisco Talos said the group uses several publicly known attack tools and living-off-the-land binaries to enable credential theft and lateral movement in compromised organizations.

These tools are mostly wrappers around publicly available tools that include additional functionality to streamline the attack process and provide graphical or command-line interfaces.

Among the publicly known tools used by the attacker are HRSword_v5.0.1.1.rar, used to disable AV and EDR software and Advanced_Port_Scanner_2.5.3869.exe, a network-scanning tool with several additional features to map internal networks and devices.

Additionally, the threat actor utilizes some tools that are not widely distributed that streamline the attack process by automating the interaction between popular attack tools.

One of these tools, called “Checker,” is an app that bundles several other freely available apps and provides a GUI for management of credentials as the attackers proceed with lateral movement.

These tools contain a PDB path including the word “paid_memes,” which is compiled with BabyLockerKZ.

The attackers frequently used the Music, Pictures or Documents user folders of compromised systems to store attack tools.

Products You May Like

Articles You May Like

Italy’s Data Protection Watchdog Issues €15m Fine to OpenAI Over ChatGPT Probe
Thousands Download Malicious npm Libraries Impersonating Legitimate Tools
Attackers Exploit Microsoft Teams and AnyDesk to Deploy DarkGate Malware
US Organizations Still Using Kaspersky Products Despite Ban
CISA and EPA Warn of Cyber Risks to Water System Interfaces

Leave a Reply

Your email address will not be published. Required fields are marked *