win.medusalocker

MedusaLocker

aka: AKO Ransomware, AKO Doxware, MedusaReborn

A Windows ransomware that runs a number of preparatory tasks on the target system before it encrypts files. MedusaLocker avoids encrypting executable files, probably so as not to render the targeted system unusable for paying the ransom. It uses a combination of AES and RSA-2048, and reportedly appends extensions such as .encrypted, .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, and .skynet.

References
2020-12-10 | US-CERT | US-CERT, FBI, MS-ISAC
@online{uscert:20201210:alert:a5ec77e,
  author       = {US-CERT and FBI and MS-ISAC},
  title        = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}},
  date         = {2020-12-10},
  organization = {US-CERT},
  url          = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a},
  language     = {English},
  urldate      = {2020-12-11},
}
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim Ransomware REvil Ryuk Zeus
2020-11-19 | Cybereason | Tom Fakterman, Assaf Dahan
@online{fakterman:20201119:cybereason:da3ab54,
  author       = {Fakterman, Tom and Dahan, Assaf},
  title        = {{Cybereason vs. MedusaLocker Ransomware}},
  date         = {2020-11-19},
  organization = {Cybereason},
  url          = {https://www.cybereason.com/blog/medusalocker-ransomware},
  language     = {English},
  urldate      = {2020-11-23},
}
MedusaLocker
2020-10-06 | CrowdStrike | The Crowdstrike Intel Team
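@comment{The author is a team name; the outer braces keep it as a single corporate name instead of splitting it into a given name "The Crowdstrike Intel" and a surname "Team". The citation key is left unchanged so existing citations still resolve.}
@online{team:20201006:double:bb0f240,
  author       = {{The Crowdstrike Intel Team}},
  title        = {{Double Trouble: Ransomware with Data Leak Extortion, Part 2}},
  date         = {2020-10-06},
  organization = {CrowdStrike},
  url          = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/},
  language     = {English},
  urldate      = {2020-10-12},
}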
Maze MedusaLocker REvil
2020-09-25 | CrowdStrike | The Crowdstrike Intel Team
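@comment{The author is a team name; the outer braces keep it as a single corporate name instead of splitting it into a given name "The Crowdstrike Intel" and a surname "Team". The citation key is left unchanged so existing citations still resolve.}
@online{team:20200925:double:fe3b093,
  author       = {{The Crowdstrike Intel Team}},
  title        = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}},
  date         = {2020-09-25},
  organization = {CrowdStrike},
  url          = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/},
  language     = {English},
  urldate      = {2020-10-02},
}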
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker
2020-06-03 | VMWare Carbon Black | Brian Baskin
@online{baskin:20200603:medusa:8d92754,
  author       = {Baskin, Brian},
  title        = {{Medusa Locker Ransomware}},
  date         = {2020-06-03},
  organization = {VMWare Carbon Black},
  url          = {https://www.carbonblack.com/2020/06/03/tau-threat-analyis-medusa-locker-ransomware/},
  language     = {English},
  urldate      = {2020-06-04},
}
MedusaLocker
2020-04-28 | Microsoft | Microsoft Threat Protection Intelligence Team
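@comment{The author is a team name; the outer braces keep it as a single corporate name instead of splitting it into a given name and the surname "Team". The citation key is left unchanged so existing citations still resolve.}
@online{team:20200428:ransomware:3205f3a,
  author       = {{Microsoft Threat Protection Intelligence Team}},
  title        = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}},
  date         = {2020-04-28},
  organization = {Microsoft},
  url          = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/},
  language     = {English},
  urldate      = {2020-05-05},
}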
LockBit Mailto Maze MedusaLocker Paradise Ransomware RagnarLocker REvil RobinHood
2020-04-23 | Cisco Talos | Edmund Brumaghin, Amit Raut
@online{brumaghin:20200423:threat:4f7f840,
  author       = {Brumaghin, Edmund and Raut, Amit},
  title        = {{Threat Spotlight: MedusaLocker}},
  date         = {2020-04-23},
  organization = {Cisco Talos},
  url          = {https://blog.talosintelligence.com/2020/04/medusalocker.html},
  language     = {English},
  urldate      = {2020-04-26},
}
MedusaLocker
2020-01-17 | Secureworks | Tamada Kiyotaka, Keita Yamazaki, You Nakatsuru
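@comment{Names are given in explicit "Surname, Given" form. The first author was written surname-first ("Tamada Kiyotaka"), so the plain form parsed "Kiyotaka" as the surname; the file name tamada-yamazaki-nakatsuru in the url lists the three authors by surname. The citation key is left unchanged so existing citations still resolve.}
@techreport{kiyotaka:20200117:is:969ff38,
  author      = {Tamada, Kiyotaka and Yamazaki, Keita and Nakatsuru, You},
  title       = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}},
  date        = {2020-01-17},
  institution = {Secureworks},
  url         = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf},
  language    = {English},
  urldate     = {2020-04-06},
}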
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos Ransomware REvil Ryuk SamSam Scarab Ransomware
2020-01-09 | ID Ransomware | Andrew Ivanov
@online{ivanov:20200109:ako:79016d7,
  author       = {Ivanov, Andrew},
  title        = {{Ako, MedusaReborn}},
  date         = {2020-01-09},
  organization = {ID Ransomware},
  url          = {https://id-ransomware.blogspot.com/2020/01/ako-ransomware.html},
  language     = {English},
  urldate      = {2020-05-18},
}
MedusaLocker
2020-01-09 | Twitter (@siri_urz) | Twitter (@siri_urz)
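@comment{The author is a social-media handle, so the outer braces keep it as one corporate-style name rather than a given name plus surname. The underscore in the handle is escaped as it is LaTeX text, not a URL; the url field itself is left verbatim. The citation key is left unchanged so existing citations still resolve.}
@online{siriurz:20200109:ako:da2a708,
  author       = {{Twitter (@siri\_urz)}},
  title        = {{Tweet on AKO Ransomware}},
  date         = {2020-01-09},
  organization = {Twitter (@siri\_urz)},
  url          = {https://twitter.com/siri_urz/status/1215194488714346496?s=20},
  language     = {English},
  urldate      = {2020-05-18},
}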
MedusaLocker
2020 | Blackberry | Blackberry Research
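@comment{The author is an organisation; the outer braces keep it as a single corporate name instead of a given name "Blackberry" and a surname "Research". The citation key is left unchanged so existing citations still resolve.}
@techreport{research:2020:state:e5941af,
  author      = {{Blackberry Research}},
  title       = {{State of Ransomware}},
  date        = {2020},
  institution = {Blackberry},
  url         = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf},
  language    = {English},
  urldate     = {2021-01-01},
}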
Maze MedusaLocker Nefilim Ransomware Phobos Ransomware REvil Ryuk STOP Ransomware Zeppelin Ransomware
2019-11-05 | Dissecting Malware | Marius Genheimer
@online{genheimer:20191105:try:3aafee6,
  author       = {Genheimer, Marius},
  title        = {{Try not to stare - MedusaLocker at a glance}},
  date         = {2019-11-05},
  organization = {Dissecting Malware},
  url          = {https://dissectingmalwa.re/try-not-to-stare-medusalocker-at-a-glance.html},
  language     = {English},
  urldate      = {2020-03-27},
}
MedusaLocker
2019-10-15 | Andrew Ivanov
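@comment{An organization field is added for consistency with the other ID Ransomware entry by the same author (ivanov:20200109:ako:79016d7), which points at the same id-ransomware.blogspot.com host.}
@online{ivanov:20191015:medusalocker:132bb68,
  author       = {Ivanov, Andrew},
  title        = {{MedusaLocker Ransomware}},
  date         = {2019-10-15},
  organization = {ID Ransomware},
  url          = {http://id-ransomware.blogspot.com/2019/10/medusalocker-ransomware.html},
  language     = {English},
  urldate      = {2020-01-07},
}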
MedusaLocker
Yara Rules
[TLP:WHITE] win_medusalocker_auto (20201023 | autogenerated rule brought to you by yara-signator)
/*
 * Malpedia auto-generated detection rule for win.medusalocker.
 *
 * The strings are short x86 opcode sequences selected by yara-signator
 * from disassembly of unpacked samples / memory dumps (see DISCLAIMER
 * in the rule body). Byte values are written one byte per token; the
 * four ?? wildcards that follow each E8 (call) opcode leave the call's
 * relative target unconstrained, presumably because it varies between
 * builds. The per-string "n" and "score" annotations are generator
 * output and are kept verbatim.
 */
rule win_medusalocker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        // n = 7, score = 400
        // sub esp, 0x2c ; mov esi, esp ; mov [ebp-0x14], esp ; mov ecx, [ebp+8] ;
        // push ecx ; call <rel32> ; add esp, 4
        $sequence_0 = { 83 EC 2C 8B F4 89 65 EC 8B 4D 08 51 E8 ?? ?? ?? ?? 83 C4 04 }

        // n = 6, score = 400
        // push ebp ; mov ebp, esp ; push ecx ; mov [ebp-4], ecx ;
        // cmp dword ptr [ebp+8], 0 ; je 0xa
        $sequence_1 = { 55 8B EC 51 89 4D FC 83 7D 08 00 74 08 }

        // n = 7, score = 400
        // call <rel32> ; add esp, 4 ; push eax ; mov ecx, [ebp+8] ;
        // call <rel32> ; lea ecx, [ebp-0x28] ; call <rel32>
        $sequence_2 = { E8 ?? ?? ?? ?? 83 C4 04 50 8B 4D 08 E8 ?? ?? ?? ?? 8D 4D D8 E8 ?? ?? ?? ?? }

        // n = 4, score = 400
        // mov [ebp-0x28], edx ; mov byte ptr [ebp-4], 1 ; mov eax, [ebp-0x20] ;
        // mov ecx, [ebp-0x28]
        $sequence_3 = { 89 55 D8 C6 45 FC 01 8B 45 E0 8B 4D D8 }

        // n = 7, score = 400
        // xor eax, ebp ; push eax ; lea eax, [ebp-0xc] ; mov fs:[0], eax ;
        // mov [ebp-0x18], ecx ; mov dword ptr [ebp-0x14], 0 ; mov ecx, [ebp-0x18]
        $sequence_4 = { 33 C5 50 8D 45 F4 64 A3 00 00 00 00 89 4D E8 C7 45 EC 00 00 00 00 8B 4D E8 }

        // n = 7, score = 400
        // mov dword ptr [ebp-0x10], 0 ; mov dword ptr [ebp-4], 0 ; lea eax, [ebp+0x10] ;
        // push eax ; lea ecx, [ebp+0xc] ; push ecx ; mov edx, [ebp+8]
        $sequence_5 = { C7 45 F0 00 00 00 00 C7 45 FC 00 00 00 00 8D 45 10 50 8D 4D 0C 51 8B 55 08 }

        // n = 7, score = 400
        // mov [ecx+0x18], edx ; mov [ecx+0x1c], eax ; jmp 0x24 ; mov edx, [ebp+0xc] ;
        // push edx ; mov eax, [ebp-4] ; push eax
        $sequence_6 = { 89 51 18 89 41 1C EB 22 8B 55 0C 52 8B 45 FC 50 }

        // n = 7, score = 400
        // mov ecx, [ebp+8] ; push ecx ; lea ecx, [ebp-0x60] ; call <rel32> ;
        // lea ecx, [ebp-0x60] ; call <rel32> ; mov eax, [ebp+8]
        $sequence_7 = { 8B 4D 08 51 8D 4D A0 E8 ?? ?? ?? ?? 8D 4D A0 E8 ?? ?? ?? ?? 8B 45 08 }

        // n = 4, score = 400
        // mov eax, [ebp-0x18] ; add eax, 0x14 ; push eax ; lea ecx, [ebp-0x14]
        $sequence_8 = { 8B 45 E8 83 C0 14 50 8D 4D EC }

        // n = 6, score = 400
        // mov ecx, [ebp-8] ; mov eax, [edx] ; call eax ; jmp 0x27 ;
        // xor ecx, ecx ; mov [ebp-0x10], ecx
        $sequence_9 = { 8B 4D F8 8B 02 FF D0 EB 25 33 C9 89 4D F0 }

    condition:
        // 1433600 bytes = 1400 KiB; the size bound is checked first, then at
        // least 7 of the 10 opcode sequences above must match.
        filesize < 1433600 and 7 of ($sequence_*)
}