The evolving landscape of cyber threats has yet again produced a new ransomware family, recently identified by researchers. This ransomware is dubbed MedusaLocker, and it is being actively distributed across the world through a delivery method that is not yet known to the security community.
Given the curiosity and mystery surrounding the newly found threat, we decided to share as much information as we could gather on it.
The research group MalwareHunterTeam is credited with the discovery of this new threat; they noticed the first instance of the ransomware, called MedusaLocker. As mentioned, it is currently not known how the ransomware is being distributed, but there has been a steady stream of submissions to the ID Ransomware site.
Infection details
Before encrypting the data on the infected system, the ransomware performs several activities –
- As a first step, the malware creates a registry value “EnableLinkedConnection” under a certain path and sets it to 1, so that mapped drives are accessible to processes launched under UAC.
- It then restarts the LanmanWorkstation service, ensuring that the Windows network is running and, in the process, that the mapped drives are accessible to the ransomware.
- Next, it shuts down security programs and other software, terminating processes such as Defwatch, wrapper and tomcat6, among others. This step ensures that all files are accessible and available for encryption.
- Like most ransomware, as the final preparatory step it clears the Shadow Volume Copies of files, ensuring that the files cannot be restored from them.
- It then scans all the files on the system, ignoring files with certain extensions such as .exe or .rdp; certain folders are also omitted from the scan, so the files within them are skipped as well.
- All the other files are encrypted using AES encryption.
The extension appended depends on the ransomware variant; encrypted files on the system receive one of the following extensions – .encrypted, .boroff, .skynet, .nlocker, .bomber, .locker16, .newlock, .breakingbad.
In each folder that contains encrypted files, a ransom note named “HOW_TO_RECOVER_DATA.html” is created.
The note contains two email addresses to contact for instructions on the payment methods.
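The behaviours listed above are observable on the endpoint before and during encryption, which makes them useful detection points. The following is an added example written for this post, not eScan's code or a PBAE rule: it runs simple detection logic over a constructed, normalised event feed (plain Python dicts, not a real Sysmon or EDR schema; the field names `kind`, `value_name`, `image`, `path` and so on are assumptions). It matches the registry value, the LanmanWorkstation restart, the termination of the named processes, shadow-copy deletion, the ransom note name and the list of encrypted-file extensions from the post. The post does not give the registry key path, so the rule matches on the value name only, and the mass-rename threshold is an assumed tuning value.

```python
"""Detection logic for the MedusaLocker pre-encryption behaviour described above.

Added example, not eScan's code. It consumes a constructed, simplified event
feed (dicts); field names are assumptions, not a real Sysmon/EDR schema.
"""
from collections import Counter
from pathlib import PureWindowsPath

# Indicators taken from the post.
RANSOM_NOTE = "HOW_TO_RECOVER_DATA.html"
RANSOM_EXTENSIONS = {".encrypted", ".boroff", ".skynet", ".nlocker",
                     ".bomber", ".locker16", ".newlock", ".breakingbad"}
KILLED_PROCESSES = {"defwatch", "wrapper", "tomcat6"}
MASS_RENAME_THRESHOLD = 5  # assumption: tune to the environment's baseline


def classify_event(ev):
    """Return the indicator tags matched by one normalised event (possibly none)."""
    kind = ev.get("kind")
    tags = []
    if kind == "registry_set":
        # The post names the value but not its key path, so match on the value name.
        if (ev.get("value_name", "").lower() == "enablelinkedconnection"
                and str(ev.get("data")) == "1"):
            tags.append("reg_enablelinkedconnection")
    elif kind == "service":
        if (ev.get("name", "").lower() == "lanmanworkstation"
                and ev.get("action") == "restart"):
            tags.append("svc_lanmanworkstation_restart")
    elif kind == "process_terminate":
        if PureWindowsPath(ev.get("image", "")).stem.lower() in KILLED_PROCESSES:
            tags.append("kill_security_process")
    elif kind == "shadow_copy":
        if ev.get("action") == "delete":
            tags.append("shadow_copy_delete")
    elif kind in ("file_create", "file_rename"):
        p = PureWindowsPath(ev.get("path", ""))
        if p.name.lower() == RANSOM_NOTE.lower():
            tags.append("ransom_note")
        if p.suffix.lower() in RANSOM_EXTENSIONS:
            tags.append("ransom_extension")
    return tags


def analyze(events):
    """Aggregate indicators over a feed and return counts, a score and a verdict."""
    counts = Counter()
    note_dirs = set()  # folders that received a ransom note
    for ev in events:
        for tag in classify_event(ev):
            counts[tag] += 1
            if tag == "ransom_note":
                note_dirs.add(str(PureWindowsPath(ev["path"]).parent).lower())
    # One point per distinct preparatory behaviour seen; any single one of them
    # can be legitimate admin activity, so the combination is what matters.
    score = sum(1 for t in ("reg_enablelinkedconnection",
                            "svc_lanmanworkstation_restart",
                            "kill_security_process",
                            "shadow_copy_delete") if counts[t])
    # Evidence of encryption itself (mass renames or notes in several folders)
    # weighs more heavily than the preparation.
    if counts["ransom_extension"] >= MASS_RENAME_THRESHOLD or len(note_dirs) >= 2:
        score += 2
    if score >= 3:
        verdict = "ransomware_likely"
    elif score >= 1:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"counts": dict(counts), "note_dirs": sorted(note_dirs),
            "score": score, "verdict": verdict}


# Constructed sample feed modelled on the behaviour sequence in the post.
SAMPLE_EVENTS = [
    {"kind": "registry_set", "value_name": "EnableLinkedConnection", "data": 1},
    {"kind": "service", "name": "LanmanWorkstation", "action": "restart"},
    {"kind": "process_terminate", "image": r"C:\Program Files\Apache\tomcat6.exe"},
    {"kind": "process_terminate", "image": r"C:\Program Files\Wrapper\wrapper.exe"},
    {"kind": "process_terminate", "image": r"C:\Windows\notepad.exe"},  # benign
    {"kind": "shadow_copy", "action": "delete"},
    {"kind": "file_rename", "path": r"C:\Users\alice\Documents\report.docx.encrypted"},
    {"kind": "file_rename", "path": r"C:\Users\alice\Documents\budget.xlsx.encrypted"},
    {"kind": "file_rename", "path": r"C:\Users\alice\Documents\plan.pptx.encrypted"},
    {"kind": "file_rename", "path": r"C:\Users\alice\Pictures\img1.jpg.encrypted"},
    {"kind": "file_rename", "path": r"C:\Users\alice\Pictures\img2.jpg.encrypted"},
    {"kind": "file_create", "path": r"C:\Users\alice\Documents\HOW_TO_RECOVER_DATA.html"},
    {"kind": "file_create", "path": r"C:\Users\alice\Pictures\HOW_TO_RECOVER_DATA.html"},
    {"kind": "file_create", "path": r"C:\Users\alice\Documents\notes.txt"},  # benign
]

# Constructed benign feed: an admin restarting the service is only "suspicious".
BENIGN_EVENTS = [
    {"kind": "service", "name": "LanmanWorkstation", "action": "restart"},
    {"kind": "file_create", "path": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for name, feed in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        print(name, analyze(feed))
```

The scoring deliberately gives the preparatory steps one point each and the encryption evidence two, so a lone LanmanWorkstation restart or a single shadow-copy cleanup by an administrator surfaces as "suspicious" for review rather than as a ransomware alert, while the full chain from the post crosses the threshold well before the ransom note has been written to a second folder.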
To keep your system safe, our experts suggest taking the following measures, which are the usual recommendations for preventing ransomware whose method of delivery is known –
Measures
- Update your antivirus software regularly; this will protect your system from all kinds of malware attacks.
- Always download apps and software from a trusted source rather than from unknown sources, because many untrusted sources offer the same or similar software.
- In addition, check the user ratings and reviews of the software before deciding to download it.
- Ensure that all software installed on the system is updated frequently, including Oracle Java and Adobe products.
- Implement a three-dimensional security policy in your organization: first, understand your requirements, on which the IT security policy will be based; second, educate your staff about the policy; and finally, enforce the policy.
- Make sure you either implement MailScan at the gateway level or enable Mail Anti-virus on the endpoint in order to block attachments with extensions such as *.EXE, *.SCR, *.JS, *.VBE etc., since such attachments can infect your system.
- Single-system users can use eScan Total Security Suite, while businesses can use Total Security Suite for Business. All eScan products are powered by the revolutionary PBAE technology, which monitors every activity on the system and blocks any suspicious activity that raises a red flag.
- Open emails only if you are positive about the source.
- Regularly create a backup of your important files.
To read more, please check the eScan Blog.