FBI and CISA warn: This ransomware is using RDP flaws to break into networks


Several US law enforcement agencies have shone a spotlight on MedusaLocker, a ransomware gang that got busy during the pandemic by hitting healthcare organizations.

MedusaLocker emerged in 2019 and has been a problem ever since, ramping up activity during the early phases of the pandemic to maximize profits.

While MedusaLocker is today not as prolific as the Conti and LockBit RaaS networks, it caused its fair share of trouble, being one of several threats that led to Microsoft's warning to healthcare operators to patch VPN endpoints and configure Remote Desktop Protocol (RDP) securely.

SEE: Ransomware attacks: This is the data that cyber criminals really want to steal

In the first quarter of 2020, MedusaLocker was one of the top ransomware payloads alongside RobbinHood, Maze, PonyFinal, Valet loader, REvil, RagnarLocker, and LockBit, according to Microsoft.

As of May 2022, MedusaLocker has been observed predominantly exploiting vulnerable RDP configurations to access victims' networks, according to a new joint Cybersecurity Advisory (CSA) from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network (FinCEN).
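Because the advisory names weakly configured RDP as the initial access vector, the first thing a defender wants from the logs is a view of who is reaching RDP from outside and whether the logons look like password guessing. The Python below is an added example, not code from the advisory or from any of the agencies. It runs over constructed Windows Security event records embedded in the block (event 4625 is a failed logon, 4624 a success, and LogonType 10 is RemoteInteractive, i.e. RDP); the internal address ranges, the five-minute window and the five-failure threshold are assumptions to tune per environment.

```python
"""Spot Internet-exposed RDP and RDP brute force in Windows Security events.

Added example; the event records below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed internal address space of the organisation. Anything outside it is
# treated as an Internet-facing source, which for RDP is already a finding.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

WINDOW = timedelta(minutes=5)   # look-back used by both rules (assumed)
THRESHOLD = 5                   # failed RDP logons in WINDOW that count as a burst (assumed)

# Constructed sample records with the fields a SIEM extracts from 4625/4624.
SAMPLE_EVENTS = [
    {"time": "2022-05-02T03:10:01", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2022-05-02T03:10:09", "event_id": 4625, "logon_type": 10, "user": "admin",         "src_ip": "203.0.113.45"},
    {"time": "2022-05-02T03:10:17", "event_id": 4625, "logon_type": 10, "user": "backup",        "src_ip": "203.0.113.45"},
    {"time": "2022-05-02T03:10:25", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2022-05-02T03:10:33", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2022-05-02T03:10:41", "event_id": 4625, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2022-05-02T03:11:02", "event_id": 4624, "logon_type": 10, "user": "administrator", "src_ip": "203.0.113.45"},
    {"time": "2022-05-02T08:02:11", "event_id": 4625, "logon_type": 10, "user": "jsmith",        "src_ip": "10.0.0.15"},
    {"time": "2022-05-02T08:02:30", "event_id": 4624, "logon_type": 10, "user": "jsmith",        "src_ip": "10.0.0.15"},
    {"time": "2022-05-02T09:15:00", "event_id": 4625, "logon_type": 10, "user": "test",          "src_ip": "198.51.100.7"},
    {"time": "2022-05-02T09:40:00", "event_id": 4625, "logon_type": 10, "user": "guest",         "src_ip": "198.51.100.7"},
    {"time": "2022-05-02T09:41:00", "event_id": 4624, "logon_type": 2,  "user": "jsmith",        "src_ip": "-"},  # console logon, ignored
]


def is_external(ip):
    """True when the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def _ts(event):
    return datetime.fromisoformat(event["time"])


def analyse_rdp_logons(events, window=WINDOW, threshold=THRESHOLD):
    """Return one finding per source address that attempted an RDP logon."""
    by_src = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["logon_type"] == 10:          # RemoteInteractive only
            by_src[e["src_ip"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        fails = [_ts(e) for e in evs if e["event_id"] == 4625]

        # Largest number of failures inside any sliding window (two-pointer scan).
        burst, j = 0, 0
        for i, t in enumerate(fails):
            while t - fails[j] > window:
                j += 1
            burst = max(burst, i - j + 1)

        # A success right after a burst of failures is the classic sign of a
        # guessed or sprayed password; that account needs a reset and a look
        # at what it did next.
        compromised = []
        for e in evs:
            if e["event_id"] == 4624:
                t = _ts(e)
                if sum(1 for f in fails if t - window <= f <= t) >= threshold:
                    compromised.append(e["user"])

        findings[src] = {
            "external": is_external(src),
            "failed_logons": len(fails),
            "brute_force": burst >= threshold,
            "success_after_burst": compromised,
        }
    return findings


if __name__ == "__main__":
    for src, f in analyse_rdp_logons(SAMPLE_EVENTS).items():
        flags = [k for k in ("external", "brute_force") if f[k]]
        if f["success_after_burst"]:
            flags.append("compromised:" + ",".join(f["success_after_burst"]))
        print(f"{src:15} failed={f['failed_logons']:<3} {' '.join(flags) or 'ok'}")
```

On the constructed data the Internet source 203.0.113.45 trips both rules and then logs in as `administrator`, while the second external source only shows that RDP is reachable from the Internet at all, which is the configuration problem the advisory is pointing at regardless of whether a brute force has succeeded yet. The `external` flag is computed against a hand-written list rather than `ipaddress.is_global`, because the documentation ranges used in the sample are not "global" in the IANA registry and a real deployment should in any case use the organisation's own address plan.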

The advisory is part of CISA's #StopRansomware series of resources about ransomware.

“MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments,” the CSA notes. 

RaaS models involve the combined efforts of a ransomware developer and various affiliates, such as access brokers that gain initial access and other actors that deploy the ransomware on victim systems.

“MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom; and the developer, who receives the remainder,” the CSA notes. 

At a technical level, after MedusaLocker actors have gained initial access, MedusaLocker deploys a PowerShell script to propagate the ransomware throughout the network by modifying the machine's registry so that it can detect attached hosts and networks, and using the SMB file-sharing protocol to detect shared storage.

MedusaLocker attackers place a ransom note in every folder containing a file with the victim's encrypted data, according to the CSA.

MedusaLocker's key actions after spreading across a network include:

  • Restarts the LanmanWorkstation service, which allows registry edits to take effect
  • Kills the processes of well-known security, accounting, and forensic software
  • Restarts the machine in safe mode to avoid detection by security software
  • Encrypts victim files with the AES-256 encryption algorithm; the resulting key is then encrypted with an RSA-2048 public key
  • Runs every 60 seconds, encrypting all files except those critical to the functionality of the victim's machine and those that already have the designated encrypted file extension
  • Establishes persistence by scheduling a task to run the ransomware every 15 minutes
  • Attempts to prevent standard recovery techniques by deleting local backups, disabling startup recovery options, and deleting shadow copies
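Most of the actions in that list are carried out with built-in Windows tools, and a process-creation log (Sysmon event 1 or Security event 4688 with command-line auditing) records each one. The Python below is an added example, not code from the advisory or from the agencies: it encodes the behaviours the CSA lists as command-line rules, runs them over constructed process-creation records embedded in the block, and raises a host-level alert when several distinct behaviours appear on the same machine. The `bcdedit ... safeboot` form used for the safe-mode rule is the standard way to force a safe-mode boot, not a command quoted by the advisory, and the process names in the kill watchlist are an illustrative assumption.

```python
"""Triage process-creation logs for the impact and persistence steps the
MedusaLocker advisory describes. Added example; sample records are constructed."""
import re
from collections import defaultdict

# Illustrative watchlist of security / accounting / forensic process names an
# attacker might terminate before encrypting. Extend from your own inventory.
KILL_WATCHLIST = r"(msmpeng|mbamservice|sophos|ccsvchst|veeam|sqlservr|ftk|encase)"

# Each rule: (name, regex over the full command line). All are case-insensitive.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete", re.I)),
    ("backup_catalog_deletion",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("safe_mode_boot",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    ("lanman_restart",
     re.compile(r"\b(net(\.exe)?|sc(\.exe)?)\s+(stop|start)\s+lanmanworkstation\b", re.I)),
    ("task_persistence",   # minute-granularity scheduled task, as the 15-minute re-run
     re.compile(r"\bschtasks(\.exe)?\b.*/create\b.*/sc\s+minute\b.*/mo\s+\d+", re.I)),
    ("security_process_kill",
     re.compile(r"\btaskkill(\.exe)?\b.*/im\s+" + KILL_WATCHLIST, re.I)),
]

# Constructed sample of process-creation records (host, user, command line).
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "FS01\\svc_backup", "cmdline": "net stop LanmanWorkstation"},
    {"host": "FS01", "user": "FS01\\svc_backup", "cmdline": "net start LanmanWorkstation"},
    {"host": "FS01", "user": "FS01\\svc_backup", "cmdline": "taskkill /F /IM MsMpEng.exe"},
    {"host": "FS01", "user": "FS01\\svc_backup", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "FS01", "user": "FS01\\svc_backup", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "FS01", "user": "FS01\\svc_backup", "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "FS01", "user": "FS01\\svc_backup", "cmdline": "bcdedit /set {default} safeboot minimal"},
    {"host": "FS01", "user": "FS01\\svc_backup", "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "FS01", "user": "FS01\\svc_backup",
     "cmdline": 'schtasks /create /tn "updater" /tr C:\\Users\\Public\\updater.exe /sc minute /mo 15'},
    # Benign administrative activity on another host, for contrast.
    {"host": "WS07", "user": "CORP\\jsmith", "cmdline": "schtasks /query /fo LIST"},
    {"host": "WS07", "user": "CORP\\jsmith", "cmdline": "net use Z: \\\\FS01\\share"},
    {"host": "WS07", "user": "CORP\\jsmith", "cmdline": "vssadmin list shadows"},
]


def match_rules(cmdline):
    """Names of every rule the command line trips (empty list if none)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage(events, min_rules=3):
    """Group rule hits by host; alert when a host shows min_rules distinct behaviours.

    Requiring several distinct behaviours keeps a lone `vssadmin delete shadows`
    from a backup script below the alert line while a full impact chain is not.
    """
    per_host = defaultdict(set)
    for e in events:
        per_host.setdefault(e["host"], set())
        per_host[e["host"]].update(match_rules(e["cmdline"]))
    return {host: {"rules": sorted(names), "alert": len(names) >= min_rules}
            for host, names in per_host.items()}


if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        status = "ALERT" if result["alert"] else "ok"
        print(f"{host:6} {status:5} {', '.join(result['rules']) or '-'}")
```

The rules are deliberately narrow (`vssadmin list shadows` and `schtasks /query` do not fire) so that the per-host count carries the signal; on the sample, FS01 trips seven behaviours and WS07 none. In production the same logic sits on a short time window per host rather than on the whole log, and the shadow-copy and `bcdedit` rules are also worth alerting on individually on servers that never legitimately run them.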

These attacks can be protected against. Mitigations recommended by the agencies include:

  • Implement a recovery plan that maintains and retains multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location
  • Implement network segmentation and maintain offline backups of data
  • Regularly back up data and password-protect backup copies stored offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides
