As of Might 2022, MedusaLocker has been noticed predominantly exploiting weak Distant Desktop Protocol (RDP) configurations to entry victims’ networks, in line with a brand new joint Cybersecurity Advisory (CSA) from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Safety Company (CISA), and different regulation enforcement businesses.
The advisory is a part of CISA’s #StopRansomware assortment of sources about ransomware. “MedusaLocker seems to function as a Ransomware-as-a-Service (RaaS) mannequin primarily based on the noticed break up of ransom funds,” the CSA notes.
Technical Element Abstract:
This ransomware pressure makes use of a batch file to execute a PowerShell script which propagates MedusaLocker all through the community by enhancing the EnableLinkedConnections worth throughout the contaminated machine’s registry, which then permits the contaminated machine to detect connected hosts and networks through Web Management Message Protocol (ICMP) and to detect shared storage through Server Message Block (SMB) Protocol.
Observe that this new Cybersecurity Advisory has a top-right Motion Field with recommendations it’s good to take ASAP to mitigate this menace. Their second bullet is: Prepare customers to acknowledge and report phishing makes an attempt.
Seize your free Phish Alert Button and prepare your customers as quickly as you may. Here’s a hyperlink to the total Cybersecurity Advisory which has a PDF, full Indicators of Compromise (IoC) and urged mitigations
https://www.cisa.gov/uscert/ncas/alerts/aa22-181a
Â
