9.4 C
New York
Wednesday, January 10, 2024

An In-Depth Technical Evaluation and Prevention Methods

Our current analysis has highlighted the presence of the MedusaLocker ransomware, which first surfaced in mid-2019. Its major targets are the Hospital and Healthcare industries. MedusaLocker employs AES and RSA encryption strategies to encrypt victims’ knowledge.

Technical Evaluation

At the beginning, it performs a test for the presence of a Mutex. If the Mutex doesn’t exist, it proceeds to create the Mutex utilizing the CreateMutexW() perform, as proven within the beneath fig:

Creating the Mutex

MedusaLocker checks to find out whether or not the present course of runs with administrative privileges. If it detects that the method lacks admin privileges, it employs a Person Account Management (UAC) bypass approach to realize elevated privileges.

Elevating Administrator Privelege

UAC Bypass

It provides the registry key HKEY_CURRENT_USERSOFTWAREMDSLK with the title “self” and knowledge as the applying title, designating the system being contaminated by MDuSaLocker.

Registry Entry

Disables the Providers and Terminates the Processes:

Like different ransomware, MedusaLocker additionally terminates particular companies by referencing a hardcoded checklist of companies. It compares this checklist with the presently working companies, and if any of the hardcoded companies are discovered to be working, it stops them utilizing the CloseServiceHandle(), as proven within the beneath fig:

Disables the Operating House

Record of Hardcoded companies:

wrapper, DefWatch, ccEvtMgr, ccSetMgr, SavRoam, sqlservr, sqlagent, sqladhlp, Culserver, RTVscan, sqlbrowser, SQLADHLP, QBIDPService, Intuit.QuickBooks.FCS, QBCFMonitorService, sqlwriter, msmdsrv, tomcat6, zhudongfangyu, SQLADHLP, vmware-usbarbitator64, vmware-converter, dbsrv12, dbeng8

Ransomware makes use of CreateToolhelp32Snapshot() to retrieve the working processes. It compares with a predefined checklist of hardcoded processes. If any of the hardcoded processes are detected as working, the ransomware proceeds to terminate these processes utilizing the TerminateProcess, as proven within the beneath fig:

Terminating the Operating Course of

Record of Hardcoded Course of:

wxServer.exe, wxServerView, sqlservr.exe, sqlmangr.exe, RAgui.exe, supervise.exe, Tradition.exe, RTVscan.exe, Defwatch.exe, sqlbrowser.exe, winword.exe, QBW32.exe, QBDBMgr.exe, qbupdate.exe, QBCFMonitorService.exe, axlbridge.exe, QBIDPService.exe, httpd.exe, fdlauncher.exe, MsDtSrvr.exe, tomcat6.exe, java.exe, 360se.exe, 360doctor.exe, wdswfsafe.exe, fdlauncher.exe, fdhost.exe, GDscan.exe, ZhuDongFangYu.exe

Deleting Shadow Copy and Disabling Knowledge Restoration:

MedusaLocker makes use of hardcoded instructions to take away backups, delete the shadow copy, and so on.

Hardcoded Instructions


Medusa Locker ransomware duplicates its malicious executable as both “svhost.exe” or “svchostt.exe” inside the consumer’s roaming utility knowledge listing (%AppDatapercentRoaming) to determine persistence and make sure the malware runs throughout system start-up, permitting it to proceed encrypting information.

Persistence Mechanism


Within the encryption course of like different ransomware, it additionally excludes the checklist of information, folders, and hardcoded extensions from the encryption course of.

The ransomware makes use of each AES+RSA encryption keys. The ransomware employs AES 256 encryption to lock the sufferer’s information, creating a novel AES encryption key. This AES secret is then encrypted utilizing an embedded RSA public key, ensuing within the ciphertext. The RSA encryption ensures that with out the corresponding personal key, decryption of the AES secret is virtually inconceivable.

The AES secret is important for unlocking the sufferer’s information, making entry contingent on acquiring the personal key from the attackers.


Iteration of Drive

The ransomware tries to retrieve the logical drives utilizing the API name GetLogicalDrives to encrypt the system.

Calling Encryption Operate

It drops the Ransom notice in an HTML file which comprises the non-public ID, Tor hyperlink, and emails of attackers.

Ransom Word Dropped by Medusa Ransomware

Encrypted Recordsdata with Extension “L54”

Community An infection:

Community Enumeration

After Encryption, the ransomware makes use of Home windows Community API NetShareEnum to enumerate community share. It processes share names, performs string manipulations, and checks for the presence of “$” in share names.

It seeks to unfold to different gadgets on the identical community, making an attempt to contaminate them like a digital contagion.

How can we forestall such sorts of assaults?

· Don’t obtain and open any attachments from unknown sources.

· Keep away from clicking on any unverified hyperlink. The main reason for ransomware assaults is clicking on untrusted hyperlinks and attachments.

· Frequently replace your working system, functions, and software program to repair recognized vulnerabilities, usually exploited by ransomware.

· Again up your knowledge in order that it may be recovered in case of a ransomware assault.


Medusa Locker ransomware is a infamous pressure of malicious software program that encrypts victims’ information, rendering them inaccessible till a ransom is paid. This harmful malware has prompted widespread injury to people and organizations alike. As cybercriminals regularly evolve their techniques, the specter of Medusa Locker stays ever-present.

Fast Heal Safety:

· Generic Signature names:

· Ransom.Medusa.S27286013

· Ransom.Medusa.S13913779

· Ransom.MedusaLock.S9836707

· Trojan.YakbeexMSIL.ZZ4

· Ransom.Medusa.S10272352






Writer – Soumen Burma

Co-Writer – Vaibhav Krushna Billade



Soumen burma

Supply hyperlink

Related Articles


Please enter your comment!
Please enter your name here

Latest Articles