HC3: Analyst Note TLP Clear MedusaLocker Ransomware – February 24 2023

Executive Summary

Ransomware variants used to target the healthcare sector by relatively well-known cyber threat groups continue to be a source of concern and attention (see the HC3 reports on Royal Ransomware and Clop Ransomware). Likewise, the threat from lesser-known but potent ransomware variants, such as MedusaLocker, should also be a source of concern and attention for healthcare security decision makers and defenders.

Report

The MedusaLocker ransomware was first detected in September 2019. Since then, MedusaLocker has infected and encrypted systems across multiple sectors, with primary targeting of the healthcare sector. During 2019, MedusaLocker leveraged the disorder and confusion surrounding the COVID-19 pandemic to launch attacks. MedusaLocker appears to operate under a Ransomware-as-a-Service (RaaS) model, in which the developer of MedusaLocker shares the ransomware with other threat actors (affiliates) in return for a share of the ransom payment. Based on the split observed in a June 2022 Advisory on MedusaLocker by United States federal law enforcement agencies, including the Federal Bureau of Investigation (FBI), MedusaLocker ransomware payments appear to be consistently divided between the affiliate and the developer: at the time of the Advisory, the affiliate received approximately 55-60 percent of the ransom, and the developer received the remainder.

Initially, the threat actors behind the ransomware relied on phishing and spam email campaigns to compromise targets. As of 2022, exploitation of Remote Desktop Protocol (RDP) vulnerabilities is the preferred Tactic, Technique, and Procedure (TTP) used by the cyber criminals behind the ransomware to gain access to targeted networks. Additionally, MedusaLocker threat actors may still gain entry into networks via phishing campaigns in which the malware is attached to emails.
