Overview
MedusaLocker has been using new techniques and tactics of ransomware by targeting any unpatched VPNs for initial access. This is done using the scheduled task “svhost” to encrypt machines and injecting into system processes such as spoolsv.exe and svchost.exe. Commands are run and controls to parts 80, 445, and 2222. MedusaLocker has also been found using TeleLinkSoftHelper’s Employee Monitoring software, and the Pictures and Videos folders on a computer to stage malicious including Nmap, Mimikatz, Netscan, Netpass, and more.
Indicators of Compromise (IoCs) include 64.190.63[.]111 and 194.165.17[.]15.
Ways to mitigate MedusaLocker include ensuring any VPN appliances are fully patched, blocking the IoC Ips above in your firewall, implementing least privilege for local and domain users, auditing current users to confirm admin rights have not been given to nonrequired users, blocking the listed file names in your antivirus (AV)/EDR solution, adopting MFA for users connecting through VPN, and auditing and removing legacy or unneeded users that have access to VPN. (Blackpoint Cyber Cyber Threat Notice, personal communication, January 23, 2023)
Sources
https://www.cisa.gov/uscert/ncas/alerts/aa22-181a