MedusaLocker ransomware variant paired with ‘paid_memes’ toolkit – Cyber Tech
A MedusaLocker ransomware variant known as “BabyLockerKZ” is being spread by a threat actor using a custom toolkit known as “paid_memes,” according to research published by Cisco Talos on Thursday.
MedusaLocker ransomware first appeared around September 2019 and uses a combination of AES and RSA-2048 to encrypt victims’ files. Threat actors using MedusaLocker have been known to exploit weak configurations of Microsoft Remote Desktop Protocol (RDP) for initial network access, and as of early 2023 they primarily targeted healthcare organizations.
The BabyLockerKZ variant was first seen in late 2023 and appends the file extension “.hazard” to encrypted files. The name BabyLockerKZ comes from the name of the variant’s autorun key, which is unique to this MedusaLocker variant.
The Cisco Talos researchers believe BabyLockerKZ to be the product of an unnamed, financially motivated threat actor that has been active since at least late 2022 and is known for using a toolset whose binaries carry a program database (PDB) path containing the string “paid_memes.”
The “paid_memes” toolkit mostly consists of wrappers around common, publicly available tools such as the credential-dumping tool Mimikatz, the anti-virus (AV) and endpoint detection and response (EDR) disabling tool HRSword_v5.0.1.1.rar, the network-scanning tool Advanced_Port_Scanner_2.5.3869 and the process-monitoring tool Processhacker.
However, the threat actor also uses more novel tools that streamline and automate interactions between the other tools and provide a graphical user interface (GUI) for the malware. For example, the tool known as “Checker” bundles Remote Desktop Plus, PsExec, Mimikatz and scripts based on the open-source Invoke-TheHash tool.
Checker can be used to scan IPs for valid credentials, import data from hosts and tools, crack hashes and store discovered credentials in a database, all through a simple GUI, according to Cisco Talos. The attacker typically stores the paid_memes tools, including Checker, in the Music, Pictures or Documents user folders on the victim’s machine.
The BabyLockerKZ variant is highly similar to other versions of MedusaLocker and uses the same chat and leak sites, the researchers found, but it differs in its use of the BabyLockerKZ run key and PAIDMEMES public and private keys, and in the absence of both the “MDSLK” registry key and the {8761ABBD-7F85-42EE-B272-A76179687C63} mutex found in other variants.
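Three of the artifacts above can be checked offline without touching a live host’s registry: the “paid_memes” string in a binary’s PDB path, the “.hazard” extension on encrypted files, and tooling staged in the Music, Pictures or Documents folders. The triage script below is an added example written for this article, not Cisco Talos’ code or the actor’s tooling. It parses CodeView “RSDS” debug records directly from a byte blob (signature, 16-byte GUID, 4-byte age, then a NUL-terminated path) rather than walking the PE debug directory, so it also works on packed or truncated samples. The exact PDB path, the sample binary and the file listing are constructed for the demonstration; the tool filenames matched come from the article, and “Checker” is included as a low-confidence name because it is generic.

```python
"""Offline triage for BabyLockerKZ / paid_memes artifacts (illustrative example)."""
import struct
from pathlib import PureWindowsPath

PAID_MEMES_MARKER = "paid_memes"      # PDB-path string reported by Cisco Talos
HAZARD_EXT = ".hazard"                 # extension BabyLockerKZ appends to encrypted files
STAGING_DIRS = {"music", "pictures", "documents"}   # user folders where tools were staged
# Filenames (lower-case substrings) for the tools named in the article.
TOOL_NAMES = ("mimikatz", "hrsword", "advanced_port_scanner", "processhacker", "checker")


def find_pdb_paths(data: bytes) -> list[str]:
    """Return every PDB path held in a CodeView RSDS record inside `data`.

    RSDS layout: b"RSDS" | 16-byte GUID | 4-byte age | NUL-terminated UTF-8 path.
    """
    paths = []
    pos = data.find(b"RSDS")
    while pos != -1:
        path_start = pos + 4 + 16 + 4
        end = data.find(b"\x00", path_start)
        if end > path_start:           # skip empty or truncated records
            try:
                paths.append(data[path_start:end].decode("utf-8"))
            except UnicodeDecodeError:
                pass                   # not a real record; keep scanning
        pos = data.find(b"RSDS", pos + 4)
    return paths


def has_paid_memes_pdb(data: bytes) -> bool:
    """True if any embedded PDB path contains the paid_memes marker."""
    return any(PAID_MEMES_MARKER in p for p in find_pdb_paths(data))


def encrypted_files(listing: list[str]) -> list[str]:
    """Paths whose final extension is .hazard (case-insensitive)."""
    return [p for p in listing if PureWindowsPath(p).suffix.lower() == HAZARD_EXT]


def staged_tools(listing: list[str]) -> list[str]:
    """Known tool names sitting directly under C:\\Users\\<user>\\{Music,Pictures,Documents}."""
    hits = []
    for p in listing:
        parts = PureWindowsPath(p).parts
        # parts: ('C:\\', 'Users', '<user>', '<folder>', ..., '<file>')
        if len(parts) < 5 or parts[1].lower() != "users":
            continue
        if parts[3].lower() in STAGING_DIRS and any(t in parts[-1].lower() for t in TOOL_NAMES):
            hits.append(p)
    return hits


def triage(binary: bytes, listing: list[str]) -> dict:
    """Combine the three checks into one report."""
    return {
        "pdb_paths": find_pdb_paths(binary),
        "paid_memes_pdb": has_paid_memes_pdb(binary),
        "encrypted_files": encrypted_files(listing),
        "staged_tools": staged_tools(listing),
    }


# --- constructed sample input (not a real sample) ---------------------------
def build_sample_binary() -> bytes:
    """Fake PE-like blob with one RSDS record; the path is invented for the demo."""
    guid = bytes(range(16))
    age = struct.pack("<I", 1)
    path = b"C:\\work\\paid_memes\\Checker\\Release\\Checker.pdb\x00"
    return b"MZ" + b"\x00" * 60 + b"RSDS" + guid + age + path + b"\x00" * 16


SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\Q3-report.docx.hazard",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Music\mimikatz.exe",
    r"C:\Users\alice\Music\Checker.exe",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for key, value in triage(build_sample_binary(), SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

On a real investigation, feed `find_pdb_paths` the bytes of each executable recovered from the staging folders and `encrypted_files`/`staged_tools` a directory walk of the user profiles; the run key, the PAIDMEMES key material and the missing MDSLK key and mutex still need to be checked on the live host or its registry hives.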
The threat actor itself appears to target organizations opportunistically, often compromising more than 100 victims per month around the globe, according to Cisco Talos telemetry. The researchers say the threat actor’s activity resembles that of a financially motivated attacker such as an initial access broker or ransomware affiliate.
A full list of tactics, techniques and procedures (TTPs) and indicators of compromise (IoCs) for BabyLockerKZ and paid_memes is provided in the Cisco Talos blog post.