Source URL: https://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-new-medusalocker-variant-since-2022/
Source: Cisco Talos Blog
Title: Threat actor believed to be spreading new MedusaLocker variant since 2022
Feedly Summary: Cisco Talos has discovered a financially motivated threat actor, active since 2022, recently observed delivering a MedusaLocker ransomware variant. Intelligence collected by Talos on tools regularly employed by the threat actor allows us to see an estimate of the amount and countries of origin of this group’s
AI Summary and Description: Yes
Summary: The text discusses the activities of a financially motivated threat actor employing the MedusaLocker ransomware variant known as “BabyLockerKZ.” The report details the attack techniques, tools utilized, and insights into the shifting geographical focus of the attacks, providing valuable intelligence for security professionals seeking to understand the dynamics of contemporary ransomware threats.
Detailed Description:
The Cisco Talos report provides a comprehensive overview of a newly identified threat actor responsible for a series of attacks using the “BabyLockerKZ” ransomware variant, which is derived from the MedusaLocker family. Key points from the analysis include:
– **Threat Actor Profile**:
  – Active since late 2022, initially targeting organizations predominantly in European countries before shifting focus toward South American nations.
  – The actor is characterized as financially motivated, likely operating as part of a ransomware affiliate group or cybercrime cartel.
– **Ransomware Variant**:
  – The “BabyLockerKZ” variant exhibits distinct characteristics, such as specific registry keys and a PDB path containing the string “paid_memes”.
  – It differs from the original MedusaLocker in several ways, including unique autorun keys and additional public/private key sets.
– **Attack Techniques and Tools**:
  – Utilizes a blend of publicly known tools and custom scripts written to streamline the attack chain, making credential theft and lateral movement more efficient.
  – Publicly available tools include Mimikatz, advanced port scanners, and various script wrappers that assist in credential management and exploitation.
– **Operational Insights**:
  – The attack infrastructure is methodically organized, with tools stored in user-accessible folders to evade detection.
  – Attack patterns show a consistent compromise of over 100 organizations monthly, highlighting the group’s aggressive targeting and operational sophistication.
– **Geographic Shift in Targeting**:
  – The initial focus was on European countries; however, a notable shift occurred in mid-2023 towards South American targets, doubling the number of victims observed in monthly telemetry.
– **Mitigation Recommendations**:
  – Cisco provides guidance for detection and prevention using its suite of security solutions, emphasizing the need for organizations to deploy comprehensive security tooling to counter such ransomware threats.
  – Specific references include Cisco Secure Endpoint for malware prevention and Cisco Duo for enforcing multi-factor authentication among users.
– **Indicators of Compromise (IOCs)**:
  – The report lists IOCs associated with the BabyLockerKZ ransomware, assisting security teams in identifying and tracking the threat actor’s activity.
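The PDB-path marker mentioned under “Ransomware Variant” is one of the cheapest triage signals to check for. The following Python helper is an added example (not code from the Talos report) that pulls PDB paths out of a PE’s CodeView RSDS debug records and flags the “paid_memes” marker; since the report does not give the full path, matching it as a case-insensitive substring is an assumption, and the sample bytes are constructed for the demonstration.

```python
"""Triage helper: pull PDB paths out of a PE's CodeView (RSDS) debug records
and flag the "paid_memes" marker the report associates with BabyLockerKZ."""
import re
import struct

# The report quotes only the marker, not the full path, so we match it as a
# case-insensitive substring (assumption made for this example).
SUSPICIOUS_PDB_MARKERS = ("paid_memes",)

# CodeView RSDS record layout: b"RSDS" + 16-byte GUID + 4-byte age + NUL-terminated path.
_RSDS_HEADER_LEN = 4 + 16 + 4

def extract_pdb_paths(data: bytes) -> list[str]:
    """Return every PDB path found in RSDS records in the buffer.
    Scans raw bytes instead of walking the PE debug directory, so it also works
    on partial dumps; the trade-off is that a stray 'RSDS' in unrelated data can
    yield a junk string, so treat results as a triage hint rather than proof."""
    paths = []
    for match in re.finditer(b"RSDS", data):
        start = match.start() + _RSDS_HEADER_LEN
        end = data.find(b"\x00", start)
        if end <= start:
            continue  # truncated record or empty path
        try:
            paths.append(data[start:end].decode("utf-8"))
        except UnicodeDecodeError:
            continue  # not a real CodeView record
    return paths

def flag_suspicious(paths: list[str]) -> list[str]:
    """Return the paths containing any known marker (case-insensitive)."""
    return [p for p in paths if any(m in p.lower() for m in SUSPICIOUS_PDB_MARKERS)]

def build_rsds_record(pdb_path: str, age: int = 1) -> bytes:
    """Constructed test data: a synthetic RSDS record with an all-zero GUID."""
    return b"RSDS" + b"\x00" * 16 + struct.pack("<I", age) + pdb_path.encode() + b"\x00"

# Constructed sample buffer: junk bytes, one benign record, one matching record.
SAMPLE_PE_BYTES = (
    b"MZ\x90\x00" + b"\xcc" * 32
    + build_rsds_record(r"C:\build\release\app.pdb")
    + b"\x00" * 8
    + build_rsds_record(r"C:\Users\dev\paid_memes\Release\sample.pdb", age=3)
)

if __name__ == "__main__":
    found = extract_pdb_paths(SAMPLE_PE_BYTES)
    print("PDB paths:", found)
    print("Flagged:", flag_suspicious(found))
```

Run it against a suspect binary by reading the file into `extract_pdb_paths`; a hit should trigger a closer look at the registry autorun keys and key material the report describes, not be treated as a conviction on its own.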
Given the evolving landscape of ransomware threats, the insights from Cisco Talos are critical for security and compliance professionals to fortify their defenses against such financially motivated attacks. The detailed analysis of the actor’s tools and tactics can inform security strategies aimed at preventing similar incursions in the future.