Healthcare security decision-makers and defenders should be aware of the MedusaLocker ransomware, warns the Health Sector Cybersecurity Coordination Center (HC3). The ransomware has primarily targeted the healthcare sector since its discovery in September 2019, and continues to pose a threat to the industry.
According to the HC3 report, the MedusaLocker ransomware has infected and encrypted systems across multiple sectors. However, the healthcare sector has been its primary target, with the ransomware operators leveraging the disorder and confusion surrounding the COVID-19 pandemic to launch attacks in 2019.
The HC3 notes that MedusaLocker appears to operate on a Ransomware-as-a-Service (RaaS) model. This means that the developer of MedusaLocker shares the ransomware with other threat actors in exchange for a share of the ransom payment. The June 2022 advisory released by United States federal law enforcement agencies, including the Federal Bureau of Investigation (FBI), noted that MedusaLocker ransom payments appear to be consistently split between affiliates, who receive around 55-60%, and the developer, who receives the remainder. The report further highlights that the threat actors behind the ransomware have shifted their initial access tactics over time. Initially, threat actors used phishing and spam email campaigns to compromise targets. However, as of 2022, exploiting Remote Desktop Protocol (RDP) vulnerabilities has become the preferred tactic for gaining access to targeted networks. MedusaLocker threat actors may still gain entry via phishing campaigns in which the malware is attached to emails.
The HC3 warns that the MedusaLocker ransomware has the ability to propagate throughout a network from a batch file that executes a PowerShell script. After gaining initial access, the ransomware will disable security and forensic software, restart the machine in safe mode to prevent detection, and then encrypt files with AES-256 encryption. The ransomware will establish persistence by deleting local backups, disabling start-up recovery, and placing a ransom note in every folder on the compromised host that contains encrypted data. The report goes on to explain that the MedusaLocker ransomware utilizes various tactics to compromise targeted networks. The tactics, techniques, and procedures (TTPs) used by the threat actors behind MedusaLocker are mapped to the MITRE ATT&CK framework. The HC3 advises healthcare organizations to require multiple levels of access and authentication controls for all RDP instances, prioritize patching RDP vulnerabilities with known public exploits, make strong passwords and two-factor authentication mandatory when using RDP, and utilize a VPN to enable remote users to securely access the corporate network without exposing their computers to the Internet.
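The behaviours the report describes after initial access (deleting local backups, disabling start-up recovery, and rebooting into safe mode) all leave traces in process-creation telemetry, which is where a defender can catch them before encryption completes. The following is an added example, not code from the HC3 report or from any MedusaLocker analysis: a small Python detector that runs over constructed Sysmon Event ID 1 / Security 4688 style records and flags the generic command patterns that implement those three behaviours (the ATT&CK "Inhibit System Recovery" technique, T1490, covers the first two). The sample events, host names, and rule names are all assumptions made up for the example; the command patterns are well-known administrative commands, not anything specific to this malware family.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample process-creation events. These are NOT real telemetry
# from any incident; they simply exercise each rule once plus two benign cases.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "WS-01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"host": "WS-01", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit.exe /set {current} safeboot network"},
    {"host": "WS-02", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\notes.txt"},
    {"host": "WS-02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},   # read-only, should not alert
]

# Each rule: (rule name, compiled regex over the full command line).
# Matching is case-insensitive because the commands accept any casing.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # Local backup / shadow copy deletion (T1490)
    ("shadow_copy_deletion", re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|wbadmin(\.exe)?\s+delete\s+catalog)", re.I)),
    # Start-up recovery disabled so the host boots straight into the encrypted state (T1490)
    ("startup_recovery_disabled", re.compile(
        r"bcdedit(\.exe)?.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    # Boot configuration changed to safe mode, where most endpoint agents do not run
    ("safe_mode_configured", re.compile(r"bcdedit(\.exe)?.*\bsafeboot\b", re.I)),
]


def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule whose pattern matches this event's command line."""
    cmdline = event.get("cmdline", "")
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Produce one alert per (event, rule) hit, keeping the host and command line for triage."""
    alerts = []
    for event in events:
        for rule in classify_event(event):
            alerts.append({"host": event["host"], "rule": rule, "cmdline": event["cmdline"]})
    return alerts


def hosts_with_recovery_inhibition_chain(events: List[Dict[str, str]], min_rules: int = 2) -> Set[str]:
    """Correlate per host: a single shadow-copy deletion can be legitimate maintenance,
    but two or more distinct recovery-inhibiting actions on one host is a strong
    ransomware-impact signal worth paging on."""
    rules_per_host: Dict[str, Set[str]] = {}
    for alert in detect(events):
        rules_per_host.setdefault(alert["host"], set()).add(alert["rule"])
    return {host for host, rules in rules_per_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['host']}: {alert['cmdline']}")
    print("hosts with correlated chain:", sorted(hosts_with_recovery_inhibition_chain(SAMPLE_EVENTS)))
```

The per-event rules are intentionally broad (any shadow-copy deletion fires), and the host-level correlation in `hosts_with_recovery_inhibition_chain` is what turns them into something an on-call analyst can act on without drowning in backup-maintenance noise. In a real deployment the event source would be the SIEM's process-creation stream rather than the inline list.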
Furthermore, the HC3 recommends implementing a recovery plan that maintains and retains multiple copies of sensitive or proprietary data and servers in physically separate, segmented, and secure locations. Healthcare organizations should also be aware of other mitigation techniques, including adding a banner to emails received from outside the organization, disabling hyperlinks in received emails, restricting access to the Remote Desktop port to an individual or group of trusted IP addresses, and allow-listing connections to specific trusted hosts.
Healthcare security decision-makers and defenders should take steps to defend against MedusaLocker ransomware attacks by implementing the HC3’s recommended mitigation techniques to prevent ransomware from affecting their networks and data. The HC3 has also advised organizations to stay up-to-date with the latest threats and tactics used by ransomware groups and to implement cybersecurity best practices to keep their systems and data safe. The healthcare sector is critical infrastructure that must be protected from cyberattacks that can cause severe disruptions to patient care and endanger lives.