MedusaLocker Ransomware Attacks Salem Community Schools

The MedusaLocker ransomware gang has attacked Salem Community Schools. Salem Community Schools is a school corporation located in Salem, Indiana, United States. It serves the educational needs of the Salem community and surrounding areas. Medusa Locker published Salem Community Schools' information to its data leak site on June 15, demanding a $100,000 ransom.

The MedusaLocker actors heavily exploit vulnerabilities in Remote Desktop Protocol (RDP) to gain access to victims' networks. They actively encrypt the victim's data and leave a ransom note in each folder containing encrypted files, providing instructions for communication. The note directs victims to make ransom payments to a specific Bitcoin wallet address.

Operational Tactics of MedusaLocker

Observations suggest that MedusaLocker operates on a Ransomware-as-a-Service (RaaS) model. This model involves a division of ransom payments between the affiliate and the developer. The affiliate, responsible for deploying the ransomware on victim systems, typically receives 55 to 60 percent of the ransom, while the developer receives the remaining portion.

MedusaLocker ransomware actors primarily exploit vulnerable Remote Desktop Protocol (RDP) configurations to gain access to victims' devices. They also frequently employ email phishing and spam campaigns, attaching the ransomware directly to the emails as initial intrusion vectors.

MedusaLocker ransomware utilizes a batch file to execute the PowerShell script invoke-ReflectivePEInjection. This script spreads MedusaLocker across the network by modifying the EnableLinkedConnections value in the infected machine's registry. This allows the infected machine to detect attached hosts and networks through Internet Control Message Protocol (ICMP) and identify shared storage using Server Message Block (SMB) Protocol.

Subsequently, MedusaLocker:

• Restarts the LanmanWorkstation service to apply registry edits.
• Terminates processes associated with well-known security, accounting, and forensic software.
• Reboots the machine in safe mode to avoid detection by security software.
• Encrypts victim files using the AES-256 encryption algorithm, encrypting the resulting key with an RSA-2048 public key.
• Runs every 60 seconds, encrypting all files except critical ones and those with specific encrypted file extensions.
• Establishes persistence by copying an executable (svhost.exe or svhostt.exe) to the %APPDATA%\Roaming directory and scheduling a task to run the ransomware every 15 minutes.
• Attempts to hinder standard recovery techniques by deleting local backups, disabling startup recovery options, and deleting shadow copies.

MedusaLocker actors place a ransom note in each folder containing files with the victim's encrypted data. The note provides instructions on how to communicate with the actors, typically including one or more email addresses. The ransom demands of MedusaLocker vary, taking into account the perceived financial status of the victim as determined by the actors.