MedusaLocker ransomware is the latest variant used to encrypt health care systems, the Health Sector Cybersecurity Coordination Center (HC3) warned in its latest analyst note.
The note follows a July 2022 alert co-authored by the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the Department of the Treasury and FinCEN about MedusaLocker’s tactics.
MedusaLocker was first observed in September 2019 and has since made healthcare its primary target. Specifically, the group took advantage of confusion surrounding the COVID-19 pandemic to infiltrate systems. The group operates under a Ransomware-as-a-Service (RaaS) model.
“As of 2022, Remote Desktop Protocol (RDP) vulnerabilities are the preferred Tactics, Techniques, and Procedures (TTP) to gain access to targeted networks by cyber criminals behind the ransomware,” HC3 said. “Moreover, MedusaLocker threat actors may still gain entry into networks via phishing campaigns in which the malware is attached to emails.”
HC3’s alert contained detailed TTPs to watch out for, highlighting the fact that MedusaLocker typically propagates throughout a network via a batch file that executes a PowerShell script.
“MedusaLocker will next disable security and forensic software, restart the machine in safe mode to prevent detection or ransomware, and then encrypt files with AES-256 encryption algorithm,” analysts wrote.
“MedusaLocker will further establish persistence by deleting local backups, disabling start-up recovery to ultimately place a ransom note into every folder containing a file with compromised host’s encrypted data.”
To defend against MedusaLocker, health care organizations should continue to employ cyber hygiene best practices. Since MedusaLocker is actively targeting unsecured RDP servers, HC3 urged defenders to require all RDP instances to have multiple levels of access controls.
Organizations should prioritize patching RDP vulnerabilities, creating strong passwords, enforcing multi-factor authentication (MFA), and monitoring RDP utilization.
In addition, organizations should consider using a VPN, disabling hyperlinks in received emails and maintaining a strong incident response plan.
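The two things HC3's note asks defenders to watch for, RDP abuse and the batch-to-PowerShell chain that deletes backups and disables recovery, are the kind of signals a SIEM rule can surface. The following is an added example, not code from HC3 or the article, showing both detections over a handful of constructed Windows Security events. The event field names are simplified, the allow-listed management range and the failed-logon threshold are assumptions, and the concrete `vssadmin`/`bcdedit` command lines are the commonly observed forms of the behaviours the note describes, not commands the note itself lists.

```python
"""Added example (not from the HC3 note): toy detections over constructed
Windows Security events for the behaviours the note describes.

Rule 1: RDP monitoring - failed-logon bursts (4625, logon type 10 or 3)
        per source address, and successful RDP logons (4624, type 10)
        from addresses outside an assumed allow-list.
Rule 2: Ransomware precursor commands in process-creation events (4688):
        cmd/batch spawning PowerShell, shadow-copy or backup-catalog
        deletion, start-up recovery disablement, safe-boot configuration.
The event fields, addresses and command lines are assumptions for illustration."""
import ipaddress
import re
from collections import Counter

# Constructed sample events (not real telemetry). Field names mirror the
# Windows Security log but are simplified.
EVENTS = [
    {"id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "admin"},
    {"id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "administrator"},
    {"id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "backup"},
    {"id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "scanner"},
    {"id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "nurse1"},
    {"id": 4624, "logon_type": 10, "src": "203.0.113.7", "user": "backup"},
    {"id": 4624, "logon_type": 10, "src": "10.20.0.15", "user": "helpdesk"},
    {"id": 4688, "parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Temp\\update.ps1"},
    {"id": 4688, "parent": "powershell.exe", "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 4688, "parent": "powershell.exe", "image": "bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"id": 4688, "parent": "powershell.exe", "image": "bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} safeboot network"},
    {"id": 4688, "parent": "explorer.exe", "image": "notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\nurse1\\notes.txt"},
]

# Assumed policy: RDP is only expected from the internal management range.
ALLOWED_RDP_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]
FAILED_LOGON_THRESHOLD = 5   # assumed threshold per source address

# Command-line patterns commonly associated with backup deletion, recovery
# disablement and safe-boot manipulation (assumption: the note names the
# behaviours, not these exact commands).
PRECURSOR_PATTERNS = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "backup_catalog_deletion": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
    "safeboot_configured": re.compile(r"bcdedit(\.exe)?.*\bsafeboot\b", re.I),
}


def rdp_alerts(events, allowed=ALLOWED_RDP_SOURCES, threshold=FAILED_LOGON_THRESHOLD):
    """Return a sorted list of (rule, source address) alerts from logon events."""
    failures = Counter()
    alerts = set()
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") in (3, 10):
            failures[e["src"]] += 1
        elif e["id"] == 4624 and e.get("logon_type") == 10:
            addr = ipaddress.ip_address(e["src"])
            if not any(addr in net for net in allowed):
                alerts.add(("rdp_logon_from_unexpected_source", e["src"]))
    for src, n in failures.items():
        if n >= threshold:
            alerts.add(("rdp_failed_logon_burst", src))
    # A success from a source that just produced a burst is the strongest signal.
    for rule, src in list(alerts):
        if rule == "rdp_logon_from_unexpected_source" and failures[src] >= threshold:
            alerts.add(("rdp_success_after_burst", src))
    return sorted(alerts)


def precursor_alerts(events, patterns=PRECURSOR_PATTERNS):
    """Return a sorted list of (rule, command line) alerts from process events."""
    alerts = []
    for e in events:
        if e["id"] != 4688:
            continue
        cmd = e["cmdline"]
        # cmd/batch launching PowerShell is the propagation chain the note describes.
        if e["parent"].lower() == "cmd.exe" and e["image"].lower() == "powershell.exe":
            alerts.append(("cmd_spawned_powershell", cmd))
        for name, pat in patterns.items():
            if pat.search(cmd):
                alerts.append((name, cmd))
    return sorted(alerts)


if __name__ == "__main__":
    for rule, detail in rdp_alerts(EVENTS) + precursor_alerts(EVENTS):
        print(rule, detail, sep="\t")
```

Running the block on the constructed events flags the external address for a failed-logon burst, for an RDP logon from outside the allowed range, and for the combination of the two, and flags each of the four precursor command lines while ignoring the benign notepad process. In production the threshold would be tuned per environment and the allow-list taken from the VPN or jump-host ranges that the recommendations above imply RDP should be confined to.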