MalwareAnalysisSeries

This repository contains the analysis reports, technical details or any tools created for helping in malware analysis. Additionally, the repo contains extracted TTPs with code along with the detection rules

Project maintained by shaddy43 Hosted on GitHub Pages — Theme by mattgraham

MedusaLocker Ransomware

MedusaLocker Image

This analysis report provides a detailed examination of the MedusaLocker Ransomware. It shows all the TTPs extracted along with a snippet of their code each mapped on MITRE ATT&CK Framework.

Analysis report is available in PDF
The sample is provided in “sample” directory
The password is infected
Recreated TTPs are provided in “Extracted_TTPs” directory

MedusaLocker Ransomware Analysis PDF Report

MedusaLocker Ransomware TTPs

TTP	Description	Code	Detection
Persistence: Scheduled Task/Job: Scheduled Task	MedusaLocker achieves persistence by abusing task scheduling libraries as provided in MSDN	Code	Rule/Query
Defense Evasion: Impair Defenses: Disable or Modify Tools	MedusaLocker ransomware disables the UAC by modifying registries	Code	Rule/Query
Defense Evasion: Impair Defenses: Disable or Modify Tools	MedusaLocker ransomware also disables the UAC prompt by modifying registries	Code	Rule/Query
Impact: Data Encrypted for Impact	MedusaLocker ransomware uses AES + RSA encryption	Code	Rule/Query
Defense Evasion: Impair Defenses: Disable or Modify Tools	MedusaLocker ransomware terminates specific running processes to avoid interference with encryption	Code	Rule/Query
Impact: Service Stop	MedusaLocker ransomware deletes specific services in victim system to avoid interference with encryption	Code	Rule/Query
Impact: Inhibit System Recovery	MedusaLocker ransomware deletes backups and shadowcopies from the victim system for maximum impact on the victim	Code	Rule/Query
Discovery: Network Share Discovery	MedusaLocker looks for SMB shares in the current network and sets up those to be encrypted at a later stage	Code	Rule/Query
Privilege Escalation: Abuse Elevation Control Mechanism: Bypass User Account Control	MedusaLocker abuses known UAC bypass of CMSTPLUA to escalate privileges. Comming soon !!!	Code Coming soon!	Rule/Query Coming soon!