MalwareAnalysisSeries

This repository contains analysis reports, technical details and any tools created to help with malware analysis. It also contains extracted TTPs with code, along with the corresponding detection rules.


Project maintained by shaddy43

MedusaLocker: Inhibit System Recovery

MedusaLocker Image

Ransomware often deletes shadow copies and backups to maximize the pressure on victims to pay the ransom. By removing these recovery options, attackers ensure that victims cannot restore their systems and files independently, thus making the encryption irreversible without the decryption key. This tactic increases the urgency and desperation of victims, compelling them to comply with the ransom demands to regain access to their critical data. This strategy effectively leverages the absence of recoverable backups to enhance the likelihood of payment, thereby making ransomware attacks more successful and profitable for cybercriminals.

MedusaLocker also executes a series of shadow copy and backup deletion commands to maximize its impact on infected systems.

Detection Indicators

The detection indicators for this MedusaLocker ransomware TTP are:

Log Sources

I have configured multiple log sources in my detection lab. I am using Azure Sentinel as my SIEM solution. The following logs are ingested into the SIEM:

Detection Engineering with Defender XDR

The following query will detect any of the backup deletion commands or processes mentioned in the detection indicators above.

DeviceProcessEvents
| where ProcessCommandLine has_any( "Delete Shadows /All /Quiet", "/set {default} recoveryenabled No", "/set {default} bootstatuspolicy ignoreallfailures", "DELETE SYSTEMSTATEBACKUP -deleteOldest")
| project TimeGenerated, DeviceName, ActionType, FileName, InitiatingProcessFileName, ProcessCommandLine, InitiatingProcessParentFileName

Detection Engineering with Security Audit Logs

SecurityEvent
| where CommandLine has_any ( "Delete Shadows /All /Quiet", "/set {default} recoveryenabled No", "/set {default} bootstatuspolicy ignoreallfailures", "DELETE SYSTEMSTATEBACKUP -deleteOldest")
| project TimeGenerated, Computer, Activity, NewProcessName, ParentProcessName, CommandLine

Detection Engineering with Sysmon

WindowsEvent // Sysmon events (Event ID 1, process creation); EventData is a dynamic column, so cast its fields to string
| where tostring(EventData.CommandLine) has_any ("Delete Shadows /All /Quiet", "/set {default} recoveryenabled No", "/set {default} bootstatuspolicy ignoreallfailures", "DELETE SYSTEMSTATEBACKUP -deleteOldest")
| project TimeGenerated, Computer, ProcessName = tostring(EventData.Image), ParentProcess = tostring(EventData.ParentImage), CommandLine = tostring(EventData.CommandLine)

Detection Engineering with SIGMA Rule

The following SIGMA rule detects the removal of backup and recovery options by flagging the abuse of Windows system utilities (vssadmin, bcdedit, wbadmin) in the way most ransomware families use them.

title: Shadow Copies Deletion Using Operating Systems Utilities
id: ad2f2135-dc53-4716-85aa-c53fbccfafab
status: stable
description: Shadow Copies deletion using operating systems utilities. Ransomware activity to remove system backups
references:
    - https://medium.com/@shaddy43/decrypting-the-mystery-of-medusalocker-7128795cf9f0#:~:text=Stop%20for%20technique-,Inhibit%20System%20Recovery,-Like%20most%20of
author: Shayan Ahmed Khan (shaddy43)
date: 2024/08/08
modified: 2024/08/08
tags:
    - attack.impact
    - attack.t1490
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
            - 'wbadmin.exe'
            - 'bcdedit.exe'
            - 'vssadmin.exe'
    selection_cli:
        - CommandLine|contains:
            - 'Delete Shadows /All /Quiet'
            - '/set {default} recoveryenabled No'
            - '/set {default} bootstatuspolicy ignoreallfailures'
            - 'DELETE SYSTEMSTATEBACKUP -deleteOldest'
    condition: all of selection_*
falsepositives:
    - None
level: high
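To check the logic of the KQL queries and the SIGMA rule above without a SIEM, here is an added Python evaluator (not part of this repository) that applies the rule's two selections (Image|endswith, CommandLine|contains) and its "all of selection_*" condition to a handful of constructed Sysmon-style process-creation events; the hosts, record ids and the notepad event are hypothetical test data.

```python
from typing import Dict, List

# Indicator values copied from the SIGMA rule above.
IMAGE_SUFFIXES = ("wbadmin.exe", "bcdedit.exe", "vssadmin.exe")
CMDLINE_PATTERNS = (
    "Delete Shadows /All /Quiet",
    "/set {default} recoveryenabled No",
    "/set {default} bootstatuspolicy ignoreallfailures",
    "DELETE SYSTEMSTATEBACKUP -deleteOldest",
)

def image_matches(image: str) -> bool:
    # Image|endswith: SIGMA string matching is case-insensitive; any listed value may match (OR).
    return image.lower().endswith(tuple(s.lower() for s in IMAGE_SUFFIXES))

def cmdline_matches(cmdline: str) -> bool:
    # CommandLine|contains: case-insensitive substring match against any listed value (OR).
    low = cmdline.lower()
    return any(p.lower() in low for p in CMDLINE_PATTERNS)

def evaluate(event: Dict[str, str]) -> bool:
    # condition: all of selection_* -> both selections must hold on the same event (AND).
    return image_matches(event.get("Image", "")) and cmdline_matches(event.get("CommandLine", ""))

def find_t1490(events: List[Dict[str, str]]) -> List[str]:
    # Return the RecordIds of events the rule would alert on.
    return [e["RecordId"] for e in events if evaluate(e)]

# Constructed Sysmon Event ID 1 style records (hypothetical lab data, not real telemetry).
SAMPLE_EVENTS = [
    {"RecordId": "1", "Computer": "LAB-WS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},           # true positive
    {"RecordId": "2", "Computer": "LAB-WS01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe list shadows"},                          # benign admin query
    {"RecordId": "3", "Computer": "LAB-WS01", "Image": r"C:\Windows\System32\bcdedit.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled No"},          # true positive
    {"RecordId": "4", "Computer": "LAB-WS01", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\notes\DELETE SYSTEMSTATEBACKUP -deleteOldest.txt"},
     # record 4: command line matches, but selection_img does not, so the AND condition suppresses it
]

if __name__ == "__main__":
    print(find_t1490(SAMPLE_EVENTS))  # returns ['1', '3']
```

Note that the evaluator implements SIGMA's substring `contains`, whereas `has_any` in the KQL queries above matches whole terms, so the two can disagree on command lines with unusual spacing or quoting.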