MalwareAnalysisSeries

This repository contains the analysis reports, technical details and any tools created to help with malware analysis. Additionally, the repo contains the extracted TTPs with their code, along with the corresponding detection rules.



MedusaLocker Ransomware


This analysis report provides a detailed examination of the MedusaLocker ransomware. It lists all the extracted TTPs, each with a snippet of the relevant code and mapped to the MITRE ATT&CK framework.

MedusaLocker Ransomware Analysis PDF Report



MedusaLocker Ransomware TTPs

| TTP | Description | Code | Detection |
|---|---|---|---|
| Persistence: Scheduled Task/Job: Scheduled Task | MedusaLocker achieves persistence by abusing the task scheduling libraries documented on MSDN | Code | Rule/Query |
| Defense Evasion: Impair Defenses: Disable or Modify Tools | MedusaLocker ransomware disables UAC by modifying the registry | Code | Rule/Query |
| Defense Evasion: Impair Defenses: Disable or Modify Tools | MedusaLocker ransomware also disables the UAC prompt by modifying the registry | Code | Rule/Query |
| Impact: Data Encrypted for Impact | MedusaLocker ransomware uses AES + RSA encryption | Code | Rule/Query |
| Defense Evasion: Impair Defenses: Disable or Modify Tools | MedusaLocker ransomware terminates specific running processes to avoid interference with encryption | Code | Rule/Query |
| Impact: Service Stop | MedusaLocker ransomware deletes specific services on the victim system to avoid interference with encryption | Code | Rule/Query |
| Impact: Inhibit System Recovery | MedusaLocker ransomware deletes backups and shadow copies from the victim system for maximum impact on the victim | Code | Rule/Query |
| Discovery: Network Share Discovery | MedusaLocker looks for SMB shares on the current network and queues them to be encrypted at a later stage | Code | Rule/Query |
| Privilege Escalation: Abuse Elevation Control Mechanism: Bypass User Account Control | MedusaLocker abuses the known CMSTPLUA UAC bypass to escalate privileges. Coming soon! | Coming soon! | Coming soon! |