The Cybersecurity and Infrastructure Security Agency (CISA), FBI, Treasury Department, and the Financial Crimes Enforcement Network (FinCEN) have released a joint cybersecurity advisory warning of MedusaLocker targeting vulnerabilities in Remote Desktop Protocol (RDP) to conduct ransomware attacks.
The agencies said MedusaLocker was observed as recently as May, appearing to operate as a Ransomware-as-a-Service (RaaS) model. MedusaLocker splits payments between the affiliates – who typically get 55 percent to 60 percent of ransom payments – and the developer.
According to research from CyberReason, MedusaLocker ransomware first emerged in September 2019 – attacking multiple industries, especially the healthcare sector.
“The MedusaLocker actors encrypt the victim’s data and leave a ransom note with communication instructions in every folder containing an encrypted file,” CISA said. “The note directs victims to provide ransomware payments to a specific Bitcoin wallet address.”
The FBI, CISA, and FinCEN provided a long list of mitigations, including remediating known vulnerabilities, enabling multi-factor authentication (MFA), and training users to recognize phishing attempts.
To report suspicious or criminal activity related to MedusaLocker, the agencies advise users to contact their local FBI field office. CISA urged people to contact the agency at firstname.lastname@example.org to report incidents and anomalous activity or to request incident response resources or technical assistance related to this threat.