You're listening to the CyberWire Network, powered by N2K.

This is a CISA cybersecurity alert.

ID number Alpha Alpha 2-TAC 181 Alpha.

Original release date, June 30, 2022.

CISA, the FBI, the Department of the Treasury and the Financial Crimes Enforcement

Network are releasing this alert to provide information on Medusa Locker ransomware.

Observed as recently as May 2022, Medusa Locker actors predominantly rely on vulnerabilities in remote desktop protocol to access victims networks.

The Medusa Locker actors encrypt the victim's data and leave a ransom note with communication instructions in every folder containing an encrypted file. The note directs victims to provide

ransomware payments to a specific Bitcoin wallet address. Medusa locker appears to operate as a

ransomware as a service model based on the observed split of

ransom payments. Typical ransomware as a service models involve the

ransomware developer and various affiliates that deploy the ransomware on

victim systems. Medusa lockerware actors most often gain access to

victim devices through vulnerable remote desktop protocol configurations.

Actors also frequently use email fishing and spam email campaigns

directly attaching the

ransomware to the email as initial intrusion vectors. Medusa locker

ransomware uses a batch file to execute a malicious power shell script.

This script propagates Medusa Locker throughout the network by

editing the enable linked connections value within the infected machine's registry, which

then allows the infected machine to detect attached hosts and networks via

Internet Control Message Protocol and to detect attached hosts and networks via Internet Control Message Protocol

...