The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Healthcare Organizations Warned About MedusaLocker Ransomware Attacks

The healthcare and public health (HPH) sector has been warned about cyberattacks involving MedusaLocker ransomware – one of the lesser-known ransomware variants used in cyberattacks on the sector. The HPH sector has been extensively targeted by prolific ransomware groups using ransomware variants such as Clop, Royal, and BlackCat, but attacks involving these lesser-known variants can be just as damaging.

The threat actor behind MedusaLocker is believed to run a ransomware-as-a-service operation, where affiliates are recruited by the group to conduct attacks for a cut of any profits they generate, which is believed to be around 55%-60% of the ransom payment for MedusaLocker ransomware affiliates. The ransomware variant was first detected in September 2019 and the group is thought to primarily target the HPH sector. Since 2019, the majority of attacks have used phishing and spam emails with malicious attachments as the initial access vector. When the attachments are opened, a connection is made to the command-and-control server, and a script and the ransomware payload are downloaded. Propagation is believed to occur via WMI.

In 2022, the group started to leverage vulnerabilities in Remote Desktop Protocol, and this now appears to be the preferred initial access vector. The group exploits vulnerable RDP services and compromises legitimate RDP accounts using brute force tactics to guess weak passwords. After gaining access to victims’ networks, the group establishes persistence through registry entries, escalates privileges, moves laterally, exfiltrates data, then deploys the ransomware. MedusaLocker ransomware uses a hybrid encryption approach, first encrypting files with an AES-256 symmetric encryption algorithm, then encrypting the secret key with RSA-2048 public-key encryption. Backup copies of encrypted files are deleted to prevent recovery without paying the ransom. While the group behind MedusaLocker has a network of Russian hosts for conducting attacks, the group also leverages U.S. infrastructure, including using the compromised infrastructure of data centers and U.S. universities as redirects to obfuscate their attacks.

The Health Sector Cybersecurity Coordination Center (HC3) explained some of the known tactics, techniques, and procedures used by the group and suggested several mitigation measures. Since the group now favors RDP compromise, it is important to ensure that RDP instances have multiple levels of access and authentication controls. HC3 recommends monitoring RDP utilization, flagging and investigating first-time-seen and anomalous behavior such as failed login attempts, and implementing a robust account lockout policy to defend against brute force attacks.
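As an added example (not from the HC3 note or this article), the monitoring HC3 recommends can be expressed as a simple rule over Windows Security events: flag a source that accumulates several failed RDP logons (Event ID 4625, logon type 10) inside a short window, and list successful RDP logons from sources outside a known baseline. The log format, the sample lines and the baseline set are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample Security-log lines (not real telemetry). Assumed format:
# "<ISO timestamp> <EventID> <account> <source IP> <logon type>";
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2024-01-15T02:00:01 4625 admin 203.0.113.7 10
2024-01-15T02:00:03 4625 admin 203.0.113.7 10
2024-01-15T02:00:04 4625 administrator 203.0.113.7 10
2024-01-15T02:00:06 4625 backup 203.0.113.7 10
2024-01-15T02:00:07 4625 backup 203.0.113.7 10
2024-01-15T02:00:09 4624 backup 203.0.113.7 10
2024-01-15T09:15:00 4625 jdoe 192.0.2.10 10
2024-01-15T09:16:30 4624 jdoe 192.0.2.10 10
2024-01-15T09:20:00 4625 jdoe 192.0.2.10 3
"""
RDP_LOGON_TYPE = "10"

def parse_events(text):
    """Parse the constructed format, keeping only RDP (logon type 10) events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, src, logon_type = line.split()
        if logon_type == RDP_LOGON_TYPE:
            events.append({"ts": datetime.fromisoformat(ts), "id": event_id,
                           "account": account, "src": src})
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Map source IP -> (failed count, accounts tried) for sources reaching
    `threshold` failed RDP logons inside a sliding `window` (lockout-style rule)."""
    recent, flagged = defaultdict(deque), {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] != "4625":
            continue
        q = recent[ev["src"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["src"]] = (len(q), sorted({e["account"] for e in q}))
    return flagged

def first_time_seen(events, known_sources):
    """Successful RDP logons from sources outside the known baseline."""
    return sorted({ev["src"] for ev in events
                   if ev["id"] == "4624" and ev["src"] not in known_sources})
```

On the sample, the first source is flagged after five failures spread over three accounts and then logs in successfully, which is exactly the sequence an account lockout policy is meant to interrupt.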


RDP should never be exposed to the Internet, the patching of RDP vulnerabilities should be prioritized, strong passwords should be set, multi-factor authentication implemented on accounts, and if remote users need to access the corporate network via RDP, a VPN should be used. HC3 also recommends restricting access to the Remote Desktop port to trusted IP addresses and changing the default RDP port from 3389 to another port. To protect against phishing attacks, healthcare organizations should consider disabling hyperlinks in emails and adding a banner to all emails that have been received from an external email address.

You can view the HC3 MedusaLocker Ransomware Analyst Note on this link (PDF).

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
