
New MedusaLocker Variant Turning Networks to Stone

A newly identified attack group, active for about two years, has been observed deploying a relatively unknown variant of the MedusaLocker ransomware on a large number of victim networks in Europe and South America. Researchers believe the group is likely a financially motivated crew working as an initial-access broker or as an affiliate of an existing ransomware team.

Why It Matters: Ransomware groups and small affiliate organizations come and go constantly, and few of them have any real effect. But this newly observed entity has been highly active since 2022, consistently hitting about 200 organizations per month while deploying a MedusaLocker variant known as BabyLockerKZ. Cisco Talos researchers say the group has focused its attention mainly on France, Germany, Spain, Italy, Brazil, and Mexico, with some victims in the United States and other countries as well.

Key Details

  • The unnamed threat actor has been in the game since at least 2022, but only recently began deploying the BabyLockerKZ ransomware. 

  • The group uses a handful of publicly available tools such as Mimikatz and Processhacker in its operations and often stores those tools in the same locations on compromised machines, including user folders such as Documents, Music, or Pictures. 

  • The attackers also employ some less-common tools, including one that Talos refers to as Checker. It is essentially a collection of other apps, but it also includes a GUI that simplifies lateral movement after the initial compromise.

The BabyLockerKZ ransomware is a variant of MedusaLocker and it first came to researchers’ attention last year. It’s quite similar to the main MedusaLocker ransomware, with the main differences being the existence of a BabyLockerKZ run key and public and private registry keys named PAIDMEMES. BabyLockerKZ also uses the same leak and chat sites as the main MedusaLocker ransomware. 
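As an added illustration (not code from the article or from Talos), the following Python snippet shows how a defender might hunt for the two artifact classes described above: tools executed from the Documents, Music or Pictures folders, and the BabyLockerKZ run key and PAIDMEMES registry keys. The pipe-delimited event format, the exact registry paths and the sample records are constructed assumptions; the article does not state where the keys live.

```python
import re
from typing import Iterable, List, Optional

# Constructed sample events (not from the article): a simplified
# Sysmon-style export, one pipe-delimited key=value record per line.
# EventID 1 = process creation, EventID 13 = registry value set.
SAMPLE_EVENTS = [
    r"EventID=1|Image=C:\Users\alice\Documents\mimikatz.exe|User=CORP\alice",
    r"EventID=1|Image=C:\Users\alice\Music\tools\ProcessHacker.exe|User=CORP\alice",
    r"EventID=1|Image=C:\Program Files\Git\bin\git.exe|User=CORP\alice",
    r"EventID=13|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BabyLockerKZ",
    r"EventID=13|TargetObject=HKCU\SOFTWARE\PAIDMEMES\public",   # assumed location
    r"EventID=13|TargetObject=HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
]

# Executables launched from a user's Documents, Music or Pictures tree
# (the staging folders the article names), any depth below them.
USER_DIR_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(documents|music|pictures)\\.+\.exe$", re.I)
# A Run value named BabyLockerKZ under either hive's CurrentVersion\Run.
RUN_KEY_RE = re.compile(r"\\currentversion\\run\\babylockerkz$", re.I)
# Any registry path containing a key component named PAIDMEMES.
PAIDMEMES_RE = re.compile(r"\\paidmemes(\\|$)", re.I)


def parse_event(line: str) -> dict:
    """Parse one pipe-delimited key=value record into a dict."""
    return dict(part.split("=", 1) for part in line.split("|"))


def classify(event: dict) -> Optional[str]:
    """Return a 'rule:evidence' string if the event matches a hunt rule."""
    if event.get("EventID") == "1":
        image = event.get("Image", "")
        if USER_DIR_RE.match(image):
            return f"exe-in-user-media-folder:{image}"
    elif event.get("EventID") == "13":
        target = event.get("TargetObject", "")
        if RUN_KEY_RE.search(target):
            return f"babylockerkz-run-key:{target}"
        if PAIDMEMES_RE.search(target):
            return f"paidmemes-key:{target}"
    return None


def hunt(lines: Iterable[str]) -> List[str]:
    """Run every line through the rules and keep the hits, in order."""
    return [hit for hit in (classify(parse_event(l)) for l in lines) if hit]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

On a real host the same rules would be fed from Sysmon or EDR process-creation and registry-set events rather than the constructed list.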

Actors who deploy MedusaLocker often rely on exploiting known vulnerabilities in RDP for initial access, and in many cases use phishing or spam as their main tactics. MedusaLocker is one of the many ransomware-as-a-service operations causing trouble at the moment, and its affiliates have been known to be pretty indiscriminate in what kind of organizations they target. The fact that this newly identified actor is using both publicly available tools and less well-known ones, combined with the relatively high volume of compromises, indicates that the group has some level of professionalism and access to technical resources.

Further Reading: