MedusaLocker Ransomware: Identification And Detection In a Live Environment

Praveen Yeleswarapu
January 20, 2022


Security systems are up and running at a leading pharma company, with each event being recorded and reported as it occurs. However, a regular workday becomes more eventful as several login attempts from external IPs are reported to fail. The system denied login requests to these users due to failed user authentication. 

Further, the system reports several random usernames and default accounts attempting, though failing, to login into the system. One particular user had raised several red flags with an unusually high number of Critical and High-Level alerts triggered on the host. 

Within a short span of 48 hours, the system was continuously attacked and a large number of RDP (remote desktop protocol) connection attempts were made. This indicated that the threat actors were attempting a brute force attack on the system. 

The event was identified as a MedusaLocker Ransomware attack. MedusaLocker is malicious software that is used to encrypt files and prevent access until the ransom is paid. The files can only be decrypted by software that is purchased from the attacker. Further, as long as the encryption lasts, all files targeted within the system are renamed with the “.encrypted” extension. 

The data collected by the cybersecurity system indicated that the attacker was using the “admin” user account to make several executions within the system. Through privilege escalation the attacker used administrative rights to identify vulnerable machines in order to comprise them. 

The attacker used access to the victim machine to execute several commands to identified systems (dst_ip_addr). It was also noted that attackers were legitimate windows processes to perform lateral movement and further their attacks without being detected by the system. These processes among others were all recorded by the security system as indicators of compromise (IOCs) to help security teams counter the problem. 

Understanding the potential damage

Brute force attacks and the use of ransomware are increasingly on the rise. Such software can permanently lock and destroy critical data. Further, MedusaLocker clears shadow volume copies of files, rendering backups ineffective. The result is severe data loss with little scope for recovery. 

The pharmaceuticals industry relies on critical data on patients, patents, logs, inventory, and stages of developments, along with results of several trials and experiments. When such an attack is executed, critical servers at the organization can be infected preventing data access. Resulting in critical business data loss. 

MeduLocker - Ransomware

MedusaLocker is malicious software, which is classified as ransomware. It operates by encrypting files and keeping them inaccessible until a ransom is paid and the decryption software/tool is purchased. During the encryption process, all files are renamed with the ".encrypted" extension.

The investigation

Below are the preliminary findings Observed during the investigation.

High number of failed logins from external IPs and other activity related to BruteForcing, Privilege escalations, Disk Encryption and lateral movement were noticed. The attacker potentially used legitimate windows applications to carry out the attack.

Top alerts :

  • Below are the alerts observed during the time period of 20th of October 2021 to 22nd of October 2021. We observed that multiple Critical and High Level alerts had been triggered on the host in question. Hence, there is more likelihood of this host directly compromised.

  • Multiple failed logins on the system using random usernames and default accounts were observed.

MedusaLocker-Top User failed Login Attempts

MedusaLocker - Failed Logon Types

  • Within the short duration of 48 hours, there were an enormous number of RDP connection attempts from Public IP addresses. Therefore, it can be interpreted that this system had been under constant attack.

MedusaLocker - RDP Requests From Public IP

MedusaLocker - Top Countries PIE

  • From the data collected, we noticed the below executions by the attacker using the “admin” user account which had local administrative rights. These tools were used for identifying potential victim machines that could be compromised. 

  • We noticed the below remote execution from the victim machine to the below identified systems (dst_ip_addr). This is shown below along with the executed commands.

Dashboard panel: MedusaLocker - Lateral Movement Internal Subnet

  • Below is the identified execution flow of the attacker on this system. 

MedusaLocker Process Execution Flow 3

  • Here are the related IOCs, including legitimate Windows programs used during the attack. Attackers often rely on legitimate windows processes to execute and further their attacks without detection.

MedusaLocker - List Of processes Involved in Execution

Understanding the needs of the organization

Organizations, especially those operating in the sectors such as pharmaceuticals which rely on the data for the bulk of their operations, need to understand the importance of data insights and response. Further, it becomes extremely critical for companies to deploy solutions that are able to detect the most subtle of moves within a system, even when executed through legitimate software. 

Key considerations for the Pharma sector

Companies from the pharma sector need to bear the following considerations in mind when building their cybersecurity infrastructure: 

  • The system needs to be protected with the help of a proactive tool that is able to respond to threats as they are attempting to breach.
  • The influx of data alone cannot conquer an attack. The teams must remain vigilant and prepared to act on the data collected and presented by the tool. 
  • Companies that deal with large amounts of data and are at risk of attacks, must consider a cybersecurity services provider to help them develop and operate their Security Operations Center (SOC).

Key outcomes with BluSapphire Elite

The organization was able to leverage BluSapphire Elite’s capabilities for the following:

Data convergence

Since the solution provided a single-pane view of all the data that was collected throughout the system, the security team was able to view each event, the chronology, and the outcomes in a comprehensive manner. This allowed the organization to identify vulnerabilities and decide on future courses of action for such attacks. 

Faster detection

BluSapphire Elite was able to detect and report malicious activity in real-time. This allowed security teams to get information about the attack as soon as the attackers attempted to break into the system. 

Further, Elite was able to detect activity being conducted using legitimate processes within the system. Such moves are generally made to avoid detection by the cybersecurity tool, however, with the BluSapphire Elite, the security team was able to view how the attackers used legitimate software to further their attack. 

Proactive threat hunting

BluSapphire Elite helped the organization actively look for threats to the system. The tool recorded each failed login attempt and reported suspicious user behavior. The tool also reported the illegal use of administrative rights since it was constantly on the lookout for any anomalies within the system. 

For details, please take a look at the BluSapphire Elite solution page.