MedusaLocker is extremely active malware at the time of writing, including in France. It first appeared in September 2019 and is making a comeback this year. This threat belongs to the RaaS (Ransomware-as-a-Service) family: the operators outsource the tedious and risky parts of a malware campaign, namely development and ransom collection, to affiliates. There are many variants associated with this threat.
It is in this context that a currently active variant was detected by one of the EDRs (Endpoint Detection and Response agents) and automatically sent to the CTI (Cyber Threat Intelligence) team for analysis. The reversers were then able to add configuration extraction capabilities for this variant.
What is TEHTRIS doing about this pressing threat?
- Identification: Once detected, this malware is listed in the sandbox allowing analysts to immediately identify the source of the threat.
- Deobfuscation of the malware configuration: The malware in question uses obfuscation (T1001) to render its configuration unreadable. The dynamic analysis tools in the TEHTRIS sandbox decrypt the configuration and display it in full to the analyst, who can then recover the commands executed, the files to be encrypted, the ransom message, the ignored paths, the cryptographic key and the performance settings associated with the campaign corresponding to the malware analysed. The example below compares the obfuscated configuration with the one automatically extracted for the analyst.
[Figure: MedusaLocker configuration (obfuscated form)]
[Figure: Extract from the malware configuration displayed by the CTI tool]
IOCs (Indicators of Compromise):
- 51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51
- c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60
- d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae
- 951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa
- f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50
- b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f
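The six SHA-256 hashes above are only useful if they are actually checked against files on disk. The script below is an added example, not TEHTRIS code and not part of the original post: it hashes every file under a directory in fixed-size chunks (so large binaries do not have to fit in memory), matches the digests against the IoC set published in the article, and can also load an IoC list from a plain-text file. The directory layout, the `load_ioc_file` format (one hash per line, `#` comments) and all function names are assumptions made for this example.

```python
import hashlib
import os
import sys

# SHA-256 IoCs exactly as listed in the article for this MedusaLocker variant.
MEDUSALOCKER_IOCS = frozenset({
    "51b8a283f87a95edb5e98125e5730bcf843fc7ec8fcdc175c8dc0ba3032e8a51",
    "c1d4014e65a8d79e555378dbf8e5db5786e3b6e4c841f7f64a3f40318bb59e60",
    "d9de562ac1815bf0baad1c617c6c7f47d71f46810c348f7372a88b296d68cfae",
    "951facf3f3ef6f6163aa87383953132563d8ef1508b60cb130b1b7d5b96552aa",
    "f584c124d92b09ba12d2538d52300dc38ef255c6ad23c30e7569ff1920388c50",
    "b896605b97ae9e2781b21dc5cfb64eec0fc4effa76a7ef33e9cef0b258dff35f",
})


def sha256_file(path, chunk_size=1 << 20):
    """Return the lowercase hex SHA-256 of a file, read in 1 MiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def load_ioc_file(path):
    """Parse a plain-text IoC list: one SHA-256 per line, '#' starts a comment.

    Hashes are normalised to lowercase; anything that is not 64 hex characters
    is ignored so a stray line cannot silently poison the match set.
    """
    hex_digits = set("0123456789abcdef")
    iocs = set()
    with open(path, "r", encoding="utf-8") as fh:
        for line in fh:
            token = line.split("#", 1)[0].strip().lower()
            if len(token) == 64 and set(token) <= hex_digits:
                iocs.add(token)
    return frozenset(iocs)


def scan_directory(root, iocs=MEDUSALOCKER_IOCS):
    """Walk `root` recursively and return {path: sha256} for every file whose
    digest appears in `iocs`. Unreadable files are skipped rather than aborting
    the sweep, which matters when scanning a live host."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # permission denied, vanished file, etc.
            if digest in iocs:
                hits[path] = digest
    return hits


if __name__ == "__main__":
    # Usage: python scan_iocs.py <directory> [ioc_list.txt]
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    iocs = load_ioc_file(sys.argv[2]) if len(sys.argv) > 2 else MEDUSALOCKER_IOCS
    for hit_path, hit_digest in scan_directory(root, iocs).items():
        print(f"MATCH {hit_digest} {hit_path}")
```

A hash sweep of this kind only catches the exact samples listed; a recompiled or repacked build of the same variant will have a different SHA-256, so treat a clean sweep as "these specific files are absent", not as proof the host is uncompromised.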
TEHTRIS CTI (Cyber Threat Intelligence) is an extensive threat knowledge base. This database has been in existence since 2014 and has undergone multiple technical evolutions to keep up with or stay ahead of new offensive developments.
TEHTRIS CTI, integrated by default into the TEHTRIS XDR Platform.
TEHTRIS CTI has a special feature: it is natively integrated with the TEHTRIS XDR Platform, so all our tools (EDR, EPP, SIEM, etc.) are immediately and systematically linked to it.
As a result, TEHTRIS CTI not only enhances your cyber defence arsenal and provides analysis, hunting and forensic investigation capabilities, but is also fed by information shared between TEHTRIS customer environments and various external knowledge bases.
TEHTRIS CTI gives you a broad view of threats that is continually updated, so that you can build up a robust and relevant cyber security policy.