Decrypting the Mystery of MedusaLocker
By Shayan Ahmed Khan
Published: 2024-04-20 · Archived: 2026-04-06 00:30:07 UTC
9 min read
Nov 13, 2023
In this analysis, I will not cover the stage1 and stage2 of MedusaLocker which includes initial access using a
maldoc and execution using a batch script that further calls a powershell to initiate the attack. I will analyze the
Ransomware executable only which is the stage3 of MedusaLocker.
The MedusaLocker ransomware executable covers most of the MITRE ATT&CK tactics. The MITRE mapping
provided by a sandbox of public report is given below:
Press enter or click to view image in full size
Joe Sandbox Report
This variant of MedusaLocker ransomware has a large number of steps in its execution. It follows a number of
techniques from initial access to impact that we are going to explore one by one below:
Mutex
Let’s start with one of the most common techniques used by ransomware which is creating a unique mutex to
avoid running multiple instances of same malware. This is especially helpful in case of the ransomware that have
https://medium.com/@shaddy43/decrypting-the-mystery-of-medusalocker-7128795cf9f0
Page 1 of 12

worm like capabilities and can propagate and infect other systems. It is also helpful in case of a persistent malware
that automatically starts execution if a time or an event has been triggered.
Check Mutex
Above code is disassembled from a stripped MedusaLocker ransomware executable. First function is a simple log
subroutine that says “[Locker] Is running”. Second function is the string format function called to format the
unique mutex and then it is passed to the 3rd function which Creates the mutex.
Privilege Escalation
Before any critical operation, MedusaLocker tries to escalate privileges on the local system. It does so by abusing
COM objects to bypass UAC (User Account Control) which is a built-in security measure. There is a known UAC
bypass of CMSTPLUA COM interface.
Press enter or click to view image in full size
https://medium.com/@shaddy43/decrypting-the-mystery-of-medusalocker-7128795cf9f0
Page 2 of 12

Privilege Escalation by abusing COM objects
This code above is escalating privileges using CMSTPLUA COM object interface. These CLSIDs are referring to
wshell exec object that is used to execute the command provided in the screenshot above. Since this is a stripped
binary therefore the functions don’t make much sense. However, if i rename the functions and parameters then it
would be much easier to understand as in screenshot provided below:
https://medium.com/@shaddy43/decrypting-the-mystery-of-medusalocker-7128795cf9f0
Page 3 of 12

Reformed Privilege Escalation Code
I have just extracted a TTP from real world malware. The next step is to emulate this procedure by recreating
these malicious behaviors. Here for example, the behavior is mapped as a TTP like:
1. Privilege Escalation as Tactic
2. Abuse Elevation Control Mechanism as Technique
3. Bypass User Account Control as sub-technique
Defacement
One unique characteristic by MedusaLocker ransomware is that it adds a marker registry key that shows that a
particular system has been infected by MedusaLocker. The purpose of this procedure is not known but it looks like
a defacement strategy or just leaving a mark in the system. Harmful or not, it’s an important behavior followed by
a very dangerous ransomware.
Press enter or click to view image in full size
MedusaLocker marker
The path for registry key is “HKEY_CURRENT_USER\SOFTWARE\MDSLK\Self”. The abbreviation of
MDSLK might be MedusaLocker. This tactic is mapped on MITRE as:
1. Impact as tactic
2. Defacement as technique
3. Internal Defacement as sub-technique
Persistence
MedusaLocker uses a different way of achieving persistence. It uses official Microsoft Documented Code for
achieving persistence by scheduling a task with repetition of 15 minutes indefinitely. Typically, malware uses
either at.exe or schtasks.exe which are official Microsoft apps for scheduling tasks, but in this case the malware
scheduled task programmatically in c++ using official code from MSDN page of Microsoft.
https://medium.com/@shaddy43/decrypting-the-mystery-of-medusalocker-7128795cf9f0
Page 4 of 12

Persistence using task scheduling
The malware creates a copy of itself with the name of “svhost.exe” in %APPDATA% of the system and registers
itself in task scheduler to be executed after every 15 minutes indefinitely. Here comes the use of mutex, when its
executed again, it first checks if another instance is already running in the system. If it does, then malware exits
and let the previous instance continue. The MITRE mapping for this behavior would be:
1. Persistence as tactic
2. Scheduled Task/Job as technique
3. Scheduled Task as sub-technique
Defense Evasion
There are multiple defense evasion techniques used by the malware, one of which is to disable UAC (User
Account Control) altogether. Since malware achieved elevated privileges using CMSTPLUA bypass. Now it can
make critical changes to the system, one of which is to disable the UAC. It does so by changing registry values as
shown in the code below:
https://medium.com/@shaddy43/decrypting-the-mystery-of-medusalocker-7128795cf9f0
Page 5 of 12

Disable UAC
It sets the value of “EnableLUA” to 0, which means the administrator prompt will not be shown and everything
would be executed with elevated privileges. The author of this malware tried another extra step to disable UAC by
setting the value of “ConsentPromptBehaviorAdmin” to 0 as well. By any chance, if the first didn’t work then
the second technique would make sure that UAC is disabled but it would only work after system restart. Their
MITRE behavioral mapping is as follow:
1. Defense Evasion as tactic
2. Impair Defenses as technique
3. Disable or modify tools as sub-technique
Service Stop
Another highly critical impact this malware has is that it stops and deletes a set of pre-defined services and
processes to avoid any interruption for its encryption process. These sets of services can be found in simple static
analysis of strings from the binary.
Press enter or click to view image in full size
https://medium.com/@shaddy43/decrypting-the-mystery-of-medusalocker-7128795cf9f0
Page 6 of 12

List of services to stop
Image above shows all the services and processes that it tries to enumerate and kills them off. It uses Windows
Service Control Manager APIs to interact with services to stop and even delete the services. For processes, it uses
famous process enumerator APIs “CreateToolhelp32Snapshot, Process32First and Process32Next”. MITRE
mapping for this behavior is given below:
1. Impact for tactic
2. Service Stop for technique
Inhibit System Recovery
Like most of the ransomware, MedusaLocker also tries to delete ways of recovering data from the victim system.
However, unlike most ransomware, it does so by deleting multiple recovery options instead of just deleting
shadow copies. It uses both vssadmin and wbadmin to delete shadow copies from the system. It also deletes
other recovery options using bcdedit.exe to prevent the system from being rebooted into the recovery mode. As an
additional step, it also empties the recycle bin just to make sure.
https://medium.com/@shaddy43/decrypting-the-mystery-of-medusalocker-7128795cf9f0
Page 7 of 12

Deleting recovery options
Every single command listed above is executed by CreateProcessW API, which takes the first whitespace as an
indicator for process name and rest as an argument to that process. Highlighted sub-routine named sub_41E9A0
creates these processes as follows:
Press enter or click to view image in full size
Create process for deleting recovery files
The MITRE mapping for this malware behavior can be mapped on the Impact as follows:
1. Impact for tactic
https://medium.com/@shaddy43/decrypting-the-mystery-of-medusalocker-7128795cf9f0
Page 8 of 12

2. Inhibit System Recovery for technique
Encryption
Like most of the ransomware, MedusaLocker also uses symmetric encryption for fast processing. It uses AES-256
for encrypting all files on the system. However, it uses a combination of both RSA and AES in the malware
process. The encryption key is encrypted with the pre-defined public key embedded into the malware which could
only be decrypted with the attacker’s private key. The malware authors wrote code in such a way that every file is
encrypted with random generated AES key which is in turn encrypted using RSA public key and saved on the
system along with multiple ransom notes.
Press enter or click to view image in full size
Encryption Routine
In the above screenshot, it can be seen that the a base64 encoded public key has been embedded into the malware.
I have extracted the strings from the malware using floss utility. The base64 encoded key is then converted to
binary format using “CryptStringToBinaryA” API for use in cryptographic functions. Finally, the symmetric key
is generated using “CryptGenKey” API which is encrypted with public key and saved in the html ransom note.
After that the encryptor is started which establishes important folders and extensions to skip during encryption as
shown in the extracted strings just below the public key.
Get Shayan Ahmed Khan’s stories in your inbox
Join Medium for free to get updates from this writer.
Remember me for faster sign in
The MITRE mapping for this malware behavior can be mapped on the Impact as follows:
1. Impact for tactic
2. Data Encrypted for Impact as technique
https://medium.com/@shaddy43/decrypting-the-mystery-of-medusalocker-7128795cf9f0
Page 9 of 12

To recreate this test-case, I can write a c++ code that starts an asynchronous thread for encryptor function that
constantly searches and encrypts the files. Meanwhile, also saving the ransom html note that includes encrypted
symmetric key in it.
Discovery and Lateral Movement
The malware possesses a networking module that enables it to establish connections to remote systems within the
local network and scan for SMB shares. The initial step involves sending an ICMP “Ping” to each system in a
sequential order and verifying if a response is received. After that, the malware will proceed to examine the
system for any open SMB shares, excluding shares with a “$” in their name, which indicates hidden shares. The
malware will then accumulate the remaining shares in a list, which will be encrypted at a later stage.
Press enter or click to view image in full size
Ping systems
The MITRE mapping for this malware behavior can be mapped on the Impact as follows:
1. Lateral Movement for tactic
2. Remote Services as technique
3. SMB Shares as sub-technique
I have covered most of the major attack paths or malicious behaviors from MedusaLocker ransomware. In the next
part of this report, I will discuss how to emulate these behaviors for thorough security testing and reporting.
https://medium.com/@shaddy43/decrypting-the-mystery-of-medusalocker-7128795cf9f0
Page 10 of 12

Behavior Emulation
We call every phase of attack cycle as a malicious behavior and every behavior is mapped on one MITRE tactic,
technique, or sub-technique. Since, I have extracted all the major behaviors from MedusaLocker Ransomware
therefore, the next step is to recreate these behaviors in safe exploitation manner for complete APT emulation. I
use a combination of techniques to recreate these behaviors, like tracing API calls used by malware or coding the
exact way the malware has achieved a certain behavior or contacting the same malicious urls as used by the
malware. I have also incorporated chatGPT in this behavior recreation phase, I analyze the malware, understand
its practices and APIs used by malware and recreate those behaviors using chatGPT.
For example, I am going to recreate the behavior of Impact tactic with Inhibit System Recovery as the
technique. The behavior used by malware is to execute a number of commands from an array using
CreateProcessW to delete shadow copies and other recovery options from the system. I queried chatGPT with the
commands to be executed and the API by which they must be executed and as a result it recreated the whole
behavior itself.
Press enter or click to view image in full size
Behavior recreation with ChatGPT
As can be seen in the screenshot above, chatGPT recreated fairly similar code to what we saw in the binary during
our reverse engineering of the malware sample. I can recreate most of the behaviors with little tweaking using this
methodology.
Once all the behaviors have been recreated, we then launch all behaviors in a sequential manner and then evaluate
where a security control is weak against a particular APT campaign or attack path. This methodology of dividing
and testing against individual behaviors provides us in-depth analysis of security controls and their weaknesses.
One problem with running exploit as a whole is that we do not know on what basis the security control or system
policies have been able to detect and quarantine the malware. Hence, the mitigation could not be accurate.
Check out my Github Repo of Malware Analysis Series!!!
https://medium.com/@shaddy43/decrypting-the-mystery-of-medusalocker-7128795cf9f0
Page 11 of 12

Sample hash: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0
Source: https://medium.com/@shaddy43/decrypting-the-mystery-of-medusalocker-7128795cf9f0
https://medium.com/@shaddy43/decrypting-the-mystery-of-medusalocker-7128795cf9f0
Page 12 of 12