Recently, the Cybersecurity and Infrastructure Security Agency (CISA), The Federal Bureau of Investigation (FBI), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) issued alerts for MedusaLocker and RagnarLocker ransomware families. This is yet another mile market in the ransomware trends we’ve seen in 2021 and 2022. Ransomware attacks continue to surge, aided by new business models such as Ransomware-as-a-Service (RaaS) gangs and a proliferation of improved variants. So far, the wind is behind the backs of the ransomware threat actors.
MedusaLocker is an expansive ransomware family which was first discovered in 2019. Over the past few years, it has continued to spawn variants in an effort to improve its capabilities. MedusaLocker has three capabilities that are more unique than not. This includes an ability to encrypt the contents of mapped network drives, the manipulation of windows to remap network drives so that the content on these drives can be encrypted, and the use of ICMP sweeping to profile the network to help optimize their chances of extorting a ransom payment. As you may recall, an ICMP sweep, also known as a ping sweep, is a network scanning technique. ICMP sweeping is used to identify which range of IP addresses map to live host computers.
MedusaLocker continues to be distributed primarily via spam email and phishing. In many cases, the malware is packaged as an attachment to email and sometimes as a link to a malicious website. MedusaLocker has shown considerable capabilities to shut down security controls, such as those from Symantec, that might slow it down. The threat actors behind MedusaLocker exhibit flexible ransom pricing behavior.
Source: Ransomware.org 2022 Ransomware Survey
MedusaLocker uses strong AES-256 encryption to encrypt files and encrypts the AES key using an RSA-2048 public key. MedusaLocker targets files for encryption using a list of appended extensions for encrypted files. Any file found without these extensions are considered fair game to be encrypted. MedusaLocker runs periodically, seeking to identify additional files to encrypt.
RagnarLocker first came to light in early 2020 and has continually targeted critical infrastructure sectors since then, with the FBI reporting 50+ infrastructure-related attacks during that time across government, financial services, manufacturing, information technology, and energy. RagnarLocker had its “15 minutes of fame” in an attack on Capcom, a leading video gaming company. (Capcom was a major target — they are known for some of the most popular games, including Street Fighter.) This breach, discovered in 2021, resulted in the exfiltration of shareholder and employee data, and more, and encrypted over 1 terabyte of data. RagnarLocker is also known for successful high-profile ransom attacks on Dassault Aviation, Campari Group, and Energias de Portugal.
RagnarLocker targets files to encrypt by first deciding which files not to encrypt. This helps RagnarLocker stay hidden — the computer will continue to operate in a reasonably normal fashion while the RagnarLocker ransomware continues to encrypt files.
This Trend is Not Your Friend
There are numerous mitigations for RagnarLocker and MedusaLocker, including implementing a recovery plan, enforcing MFA, patching, disabling unused remote access methods, and the other usual suspects. But at the end of the day, organizations of all types and sizes need to step up their game to defend against these dangerous ransomware families and similar emerging threats. It’s a race against time: The threat actors who build ransomware continue to improve their code, add functionality, harden their defenses, and spin off new variants–and automated/reactive tools alone are no protection against this “firehose” of emerging threats.
For these reasons, make it your top priority to:
- Implement proactive, crowdsourced security solutions to get hundreds, or even thousands, of friendly eyes on your attack surface. Only crowdsourcing gives you access to skills, tools, and mindsets that can help uncover hidden ransomware risk before it bites you, and only the Bugcrowd Security Knowledge Platform helps you do that at scale through a SaaS-based, data-driven approach.
- Social engineering awareness and prevention training can yield excellent results. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities, such as ransomware and phishing scams.
Want to learn more about ransomware and proactive methods for battling it? Read our Ultimate Guide to Managing Ransomware Risk.