Ransom.Win32.MEDUSALOCKER.THIBHBC

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following processes:

• To delete backup files:
  • vssadmmin.exe Delete Shadows /All /Quiet
  • wbadmin delete backup -keepVersion:0 -quiet
  • wbadmin DELETE SYSTEMSTATEBACKUP
  • wbadmin DELETE SYSTEMSTABACKUP -deleteOldest
  • wmic.exe SHADOWCOPY /nointeractive
• bcdedit.exe /set {default} recoverynabled No
• bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
• rem Kill \"SQL\"
• taskkill -f -m {Target process}
• net stop {Target service}
• taskkill /f /im explorer.exe
• start explorer.exe
• cipher /w\?\{Drive letter}: → removes deleted files permanently
• %System%\cmd.exe /c pause
• {Malware file path} -network

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
BabyLockerKZ = {Malware file path}

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Policies\
System
EnableLinkedConnections = 1

HKEY_CURRENT_USER\Software\PAIDMEMES
PUBLIC = {Ransomware public key}

HKEY_CURRENT_USER\Software\PAIDMEMES
PRIVATE = {Ransomware private key}

Process Termination

This Ransomware terminates the following services if found on the affected system:

• via net stop:
  • MSSQL$ISARS
  • MSSQL$MSFW
  • SQLAgent$ISARS
  • SQLAgent$MSFW
  • SQLBrowser
  • REportServer$ISARS
  • SQLWriter

It terminates the following processes if found running in the affected system's memory:

• via taskkill /f /im:
  • sqlbrowser.exe
  • sql writer.exe
  • sqlserv.exe
  • msmdsrv.exe
  • MsDtsSrvr.exe
  • sqlceip.exe
  • fdlauncher.exe
  • Ssms.exe
  • SQLAGENT.EXE
  • fdhost.exe
  • ReportingServicesService.exe
  • msftesql.exe
  • pg_ctl.exe
  • postgres.exe

Other Details

This Ransomware adds the following registry keys:

HKEY_CURRENT_USER\Software
PAIDMEMES =

It does the following:

• Empties Recycle Bin.
• it encrypts fixed, removable and network drives.
• It shows its logs within the command prompt:
  
  

It accepts the following parameters:

• -network
• -shares={Network shares to encrypt} → Encrypts specified network shares
• -path={Path to encrypt} → Encrypts specified path

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file name:

• How_to_back_files.html

It avoids encrypting files with the following strings in their file path:

• \$Recycle.Bin\
• \Recovery\
• \System Volume Information\
• \Windows\
• \$WinREAgent\
• \$Windows.~WS\
• \$WINDOWS.~BT\

It avoids encrypting files found in the following folders:

• C:\Users\{Username}\AppData\Roaming
• C:\Users\{Username}\AppData\Local
• C:\ProgramData
• C:\perflogs
• C:\Intel
• C:\HP
• C:\AMD
• C:\Dell
• C:\Drivers
• C:\inetpub
• B:\Boot
• A:\Boot
• B:\EFI
• A:\EFI

It appends the following extension to the file name of the encrypted files:

• {original filename}.{original extension}.meduza24

It drops the following file(s) as ransom note:

• {Encrypted Directory}\How_to_back_files.html
  
  

It avoids encrypting files with the following file extensions:

• .exe
• .dll
• .sys
• .ini
• .rdp
• .lnk
• .bmp
• .mov
• .cab
• .meduza24