Introduction
MedusaLocker is a ransomware-as-a-service (“RaaS”) operation that has been active since September 2019. U.S. cybersecurity authorities indicate that MedusaLocker operators have primarily targeted victims in the healthcare sector, among other unspecified sectors. Initial access for MedusaLocker intrusions originally came via phishing and spam email campaigns, but since 2022 has typically occurred via exploit of vulnerable Remote Desktop Protocol devices.[HC3 Analyst Note MedusaLocker Ransomware February 2023] This object represents behaviors associated with operators of MedusaLocker ransomware. As MedusaLocker is licensed on a RaaS model, affiliates likely do not act as a single cohesive unit, and behaviors observed during particular attacks may vary. Behaviors associated with samples of MedusaLocker ransomware are represented in the “MedusaLocker Ransomware” Software object. Malpedia (Research): https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker
Activities and Tactics
Information pending cataloguing.
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Information pending cataloguing.
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- RemoteCMD:
- CyberGate:
- Cyber Eye RAT:
- Remote Utilities:
- RemotePC:
- DesktopNow:
- Xploit:
Attribution and Evidence
Information pending cataloguing.