A Deep Dive into Medusa Ransomware

Prepared by: Vlad Pasca, Senior Malware & Threat Analyst
SecurityScorecard.com
info@securityscorecard.com
Tower 49, 12 E 49th Street, Suite 15-001, New York, NY 10017
1.800.682.1707

Table of contents

Table of contents 1
Executive summary 2
Analysis and findings 2
Indicators of Compromise 18
Appendix 19

securityscorecard.com | 1

Executive summary

Medusa ransomware appeared in June 2021, and it became more active this year by launching the “Medusa Blog”, which contains data leaked from victims that didn’t pay the ransom. The malware stops a list of services and processes that is decrypted at runtime and deletes the Volume Shadow Copies. The files are encrypted using the AES256 algorithm, and the AES key is encrypted using an RSA public key. The ransomware deletes itself after the file encryption is complete. The extension of the encrypted files is changed to “.MEDUSA”.

Analysis and findings

We will analyze a ransomware sample that our Professional Services team found in a Medusa Ransomware engagement. We can’t share the malware hash to protect the client's confidentiality.

The ransomware can run with one of the following parameters: "-d", "-f", "-i", "-k", "-n", "-p", "-s", "-t", "-v", "-w", and "-V". If the “-v” parameter is not specified, the process calls the ShowWindow function to hide the current window (0x0 = SW_HIDE):

Figure 1

When running with the “-v” parameter, the malware displays multiple strings in the command line window using WriteFile, as shown in Figure 2.
Reference: https://www.bleepingcomputer.com/news/security/medusa-ransomware-gang-picks-up-steam-as-it-targets-companies-worldwide/

Figure 2

The malicious process creates multiple anonymous pipes via a function call to CreatePipe:

Figure 3

The SetHandleInformation routine is used to make the pipes inheritable by child processes (0x1 = HANDLE_FLAG_INHERIT):

Figure 4

The malware creates a PowerShell process using the CreateProcessA API (0x08000000 = CREATE_NO_WINDOW):

Figure 5

The malicious process reads the output of the PowerShell process from the pipe using ReadFile:

Figure 6

The sample retrieves the firmware table from the raw SMBIOS firmware table provider using the GetSystemFirmwareTable routine (see Figure 7).

Figure 7

CryptStringToBinaryA is used to decode the RSA public key from Base64 (0x7 = CRYPT_STRING_ANY):

Figure 8

Medusa ransomware decodes a structure of the RSA_CSP_PUBLICKEYBLOB type by calling the CryptDecodeObjectEx function (0x10001 = X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, 0x13 = RSA_CSP_PUBLICKEYBLOB):

Figure 9

The process imports the RSA public key from the key BLOB using BCryptImportKeyPair:

Figure 10

A list of file extensions that will be skipped is decrypted using the XOR operation with 0x2E: ".dll", ".exe", ".lnk", and ".MEDUSA". The ransomware also decrypts a list of services and processes that will be stopped:

Figure 11

Figure 12

The entire list of processes and services to terminate can be found in the Appendix.
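The single-byte XOR used for the extension list is the kind of string obfuscation an analyst recovers without running the sample. The following Python is an added example, not code from the report or from the malware: it brute-forces the key byte against a known plaintext (".MEDUSA" is a safe anchor because the encrypted extension is in the list) and then pulls the NUL-separated string table out of the decoded bytes. The blob it runs on is a constructed fixture, not bytes from the sample.

```python
import re


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def find_xor_key(blob: bytes, known_plaintext: bytes):
    """Brute-force the single-byte key: return the first key under which known_plaintext
    appears somewhere in the decoded blob, or None if no key works."""
    for key in range(256):
        if known_plaintext in xor_bytes(blob, key):
            return key
    return None


def extract_strings(blob: bytes, key: int, min_len: int = 4):
    """Decode the whole blob with key and return every run of at least min_len printable
    ASCII bytes; a NUL-separated string table falls out as one entry per run."""
    decoded = xor_bytes(blob, key)
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, decoded)]


# Constructed fixture (not bytes taken from the sample): the four extensions the report
# lists, NUL-separated, XOR-encoded with 0x2E and surrounded by filler bytes.
PLAINTEXT_TABLE = b".dll\x00.exe\x00.lnk\x00.MEDUSA\x00"
FILLER = b"\x00\xff" * 4
ENCODED_BLOB = FILLER + xor_bytes(PLAINTEXT_TABLE, 0x2E) + FILLER


if __name__ == "__main__":
    key = find_xor_key(ENCODED_BLOB, b".MEDUSA")
    print(f"recovered key: 0x{key:02X}")
    print(extract_strings(ENCODED_BLOB, key))
```

The same two functions apply to the service and process tables shown in Figures 11 and 12 once the encoded region has been carved out of the binary; the known-plaintext anchor there would be any service name already confirmed from dynamic analysis.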
The malware obtains the number of milliseconds that have elapsed since the system was started:

Figure 13

The ransomware stops the target services using the “net stop” command and the target processes using the “taskkill” command:

Figure 14

Figure 15

The process deletes the Volume Shadow Copies using the vssadmin command, as highlighted below:

Figure 16

GetLogicalDriveStringsW is utilized to extract the valid drives in the system (Figure 17):

Figure 17

The executable retrieves the drive type via a function call to GetDriveTypeW:

Figure 18

It extracts the amount of space that is available on the disk volume using the GetDiskFreeSpaceExW routine, as shown below:

Figure 19

The sample spawns two processes in order to resize the maximum amount of storage space used for shadow copy storage:

Figure 20

Figure 21

The ransomware enumerates the files on the drives using the FindFirstFileExW and FindNextFileW APIs:

Figure 22

The following files and directories will be skipped from encryption:

Figure 23

The GetFileExInfoStandard information level is used to obtain the attributes of a file or directory (0x0 = GetFileExInfoStandard):

Figure 24

The ransom note called “!!!READ_ME_MEDUSA!!!.txt” is created in every traversed directory. It contains the victim’s name and a 32-byte hash that should be used during the communication with the threat actor:

Figure 25

Figure 26

The sample opens a target file by calling the CreateFileW API (0xC0000000 = GENERIC_READ | GENERIC_WRITE, 0x3 = FILE_SHARE_READ | FILE_SHARE_WRITE, 0x3 = OPEN_EXISTING, 0x80 = FILE_ATTRIBUTE_NORMAL):

Figure 27

GetFileType is utilized to retrieve the file type, as highlighted below:

Figure 28

The malicious process moves the file pointer of the target file via a function call to SetFilePointerEx (see Figure 29).
Figure 29

Each file is read by calling the ReadFile function:

Figure 30

The BCryptGetProperty API is used to obtain the values of the “ObjectLength” and “BlockLength” properties of the CNG object:

Figure 31

Figure 32

The following 16 bytes represent the IV (initialization vector), which is the same for all files to be encrypted:

Figure 33

The AES chaining mode is set to cipher block chaining using the BCryptSetProperty routine:

Figure 34

The malware creates a key object from 32 generated bytes, which represent the AES256 key that changes between iterations:

Figure 35

Figure 36

First, the AES key is encrypted using the RSA public key via a call to BCryptEncrypt:

Figure 37

Figure 38

The file content is encrypted using the AES256 algorithm, as highlighted in Figure 39.

Figure 39

The encrypted data is written back to the file by calling the WriteFile function:

Figure 40

The ransomware appends the “.MEDUSA” extension to all encrypted files (see Figure 41).

Figure 41

An encrypted file has the following structure (Figure 42): encrypted file content + “MEDUSA” string + file length + AES key encrypted with RSA + “Company identification hash”.

Figure 42

Finally, if the “-d” parameter is not specified, the malware deletes itself:

Figure 43

Medusa ransomware excludes the System folder from encryption when running with the “-f” parameter:

Figure 44

The malware can encrypt a specific folder using the “-i” parameter and load the RSA public key from a file specified by the “-k” parameter. The ransom note can be replaced with a file specified by the “-t” parameter.
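The trailer layout described above (content, “MEDUSA” marker, file length, RSA-encrypted AES key, company identification hash) is what an incident responder needs to triage encrypted files: confirm the family, recover the original size, and extract the victim identifier and wrapped key for correlation across hosts. The following Python parser is an added example written for this report, not a tool from SecurityScorecard or code from the sample. The report gives the field order and the 32-byte hash size but not every field size, so two sizes are assumptions: the length field is taken as an 8-byte little-endian integer and the encrypted key as 256 bytes (an RSA-2048 ciphertext). The sample file it parses is a constructed fixture with dummy bytes; nothing is actually encrypted.

```python
import struct

MARKER = b"MEDUSA"
# Field sizes. The report names the fields and their order but not every size, so two of
# these are assumptions made for this example: an 8-byte little-endian length field and a
# 256-byte RSA-encrypted key. The hash is described in the report as 32 bytes.
LEN_FIELD_SIZE = 8
ENC_KEY_SIZE = 256
HASH_SIZE = 32
TRAILER_SIZE = len(MARKER) + LEN_FIELD_SIZE + ENC_KEY_SIZE + HASH_SIZE


def parse_medusa_file(data: bytes):
    """Split an encrypted file into ciphertext and trailer fields.
    Returns None when the data does not carry the expected trailer."""
    if len(data) < TRAILER_SIZE:
        return None
    body, trailer = data[:-TRAILER_SIZE], data[-TRAILER_SIZE:]
    if not trailer.startswith(MARKER):
        return None
    off = len(MARKER)
    (original_length,) = struct.unpack("<Q", trailer[off:off + LEN_FIELD_SIZE])
    off += LEN_FIELD_SIZE
    encrypted_key = trailer[off:off + ENC_KEY_SIZE]
    off += ENC_KEY_SIZE
    company_hash = trailer[off:off + HASH_SIZE]
    return {
        "ciphertext_length": len(body),
        "original_length": original_length,
        # Sanity check: with block-cipher padding the ciphertext is at most one AES block
        # longer than the plaintext; anything else suggests a mis-parse or a file modified
        # after encryption (assumption: the sample pads rather than leaving a partial block).
        "length_plausible": 0 <= len(body) - original_length <= 16,
        "encrypted_aes_key": encrypted_key,
        "company_hash_hex": company_hash.hex(),
    }


def build_fixture(ciphertext: bytes, original_length: int,
                  encrypted_key: bytes, company_hash: bytes) -> bytes:
    """Constructed test fixture in the described layout; the ciphertext and key bytes are
    dummies chosen for the test and nothing here is encrypted."""
    return (ciphertext + MARKER + struct.pack("<Q", original_length)
            + encrypted_key + company_hash)


# Constructed sample: 48 bytes standing in for the ciphertext of a 45-byte original, a dummy
# 256-byte wrapped key and a dummy 32-byte hash.
SAMPLE_FILE = build_fixture(b"\xAA" * 48, 45, bytes(range(256)), b"\x11" * 32)


if __name__ == "__main__":
    print(parse_medusa_file(SAMPLE_FILE))
```

On a live case the parser only needs the last TRAILER_SIZE bytes of each “.MEDUSA” file, so it can be run over a large share by seeking to the end of each file rather than reading whole files; identical company_hash_hex values across hosts confirm one campaign, and the wrapped key is what a decryptor would need the actor's RSA private key to unwrap.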
The C drive is not encrypted if the sample runs with the “-s” parameter, and it doesn’t stop the target processes/services and doesn’t delete the Volume Shadow Copies if the “-p” parameter is specified:

Figure 45

The ransomware can execute a PowerShell script using the “-w” parameter, as highlighted in the figure below.

Figure 46

The last parameter, “-V”, displays the Medusa ransomware version:

Figure 47

Indicators of Compromise

Medusa Ransom Note
!!!READ_ME_MEDUSA!!!.txt

Processes spawned
powershell -Command "& {}"
net stop /y
taskkill /F /IM /T
vssadmin Delete Shadows /all /quiet
vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB
vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded
cmd /c ping localhost -n 3 > nul & del

Appendix

List of services
"Acronis VSS Provider"
"Enterprise Client Service"
"Sophos Agent"
"Sophos AutoUpdate Service"
"Sophos Clean Service"
"Sophos Device Control Service"
"Sophos File Scanner Service"
"Sophos Health Service"
"Sophos MCS Agent"
"Sophos MCS Client"
"Sophos Message Router"
"Sophos Safestore Service"
"Sophos System Protection Service"
"Sophos Web Control Service"
"SQLsafe Backup Service"
"SQLsafe Filter Service"
"Symantec System Recovery"
"Veeam Backup Catalog Data Service"
"AcronisAgent"
"AcrSch2Svc"
"Antivirus"
"ARSM"
"BackupExecAgentAccelerator"
"BackupExecAgentBrowser"
"BackupExecDeviceMediaService"
"BackupExecJobEngine"
"BackupExecManagementService"
"BackupExecRPCService"
"BackupExecVSSProvider"
"bedbg"
"DCAgent"
"EPSecurityService"
"EPUpdateService"
"EraserSvc11710"
"EsgShKernel"
"FA_Scheduler"
"IISAdmin"
"IMAP4Svc"
"macmnsvc"
"masvc"
"MBAMService"
"MBEndpointAgent"
"McAfeeEngineService"
"McAfeeFramework"
"McAfeeFrameworkMcAfeeFramework"
"McShield"
"McTaskManager"
"mfemms"
"mfevtp"
"MMS"
"mozyprobackup"
"MsDtsServer"
"MsDtsServer100"
"MsDtsServer110"
"MSExchangeES"
"MSExchangeIS"
"MSExchangeMGMT"
"MSExchangeMTA"
"MSExchangeSA"
"MSExchangeSRS"
"MSOLAP$SQL_2008"
"MSOLAP$SYSTEM_BGC"
"MSOLAP$TPS"
"MSOLAP$TPSAMA"
"MSSQL$BKUPEXEC"
"MSSQL$ECWDB2"
"MSSQL$PRACTICEMGT"
"MSSQL$PRACTTICEBGC"
"MSSQL$PROFXENGAGEMENT"
"MSSQL$SBSMONITORING"
"MSSQL$SHAREPOINT"
"MSSQL$SQL_2008"
"MSSQL$SYSTEM_BGC"
"MSSQL$TPS"
"MSSQL$TPSAMA"
"MSSQL$VEEAMSQL2008R2"
"MSSQL$VEEAMSQL2012"
"MSSQLFDLauncher"
"MSSQLFDLauncher$PROFXENGAGEMENT"
"MSSQLFDLauncher$SBSMONITORING"
"MSSQLFDLauncher$SHAREPOINT"
"MSSQLFDLauncher$SQL_2008"
"MSSQLFDLauncher$SYSTEM_BGC"
"MSSQLFDLauncher$TPS"
"MSSQLFDLauncher$TPSAMA"
"MSSQLSERVER"
"MSSQLServerADHelper100"
"MSSQLServerOLAPService"
"MySQL80"
"MySQL57"
"ntrtscan"
"OracleClientCache80"
"PDVFSService"
"POP3Svc"
"ReportServer"
"ReportServer$SQL_2008"
"ReportServer$SYSTEM_BGC"
"ReportServer$TPS"
"ReportServer$TPSAMA"
"RESvc"
"sacsvr"
"SamSs"
"SAVAdminService"
"SAVService"
"SDRSVC"
"SepMasterService"
"ShMonitor"
"Smcinst"
"SmcService"
"SMTPSvc"
"SNAC"
"SntpService"
"sophossps"
"SQLAgent$BKUPEXEC"
"SQLAgent$ECWDB2"
"SQLAgent$PRACTTICEBGC"
"SQLAgent$PRACTTICEMGT"
"SQLAgent$PROFXENGAGEMENT"
"SQLAgent$SBSMONITORING"
"SQLAgent$SHAREPOINT"
"SQLAgent$SQL_2008"
"SQLAgent$SYSTEM_BGC"
"SQLAgent$TPS"
"SQLAgent$TPSAMA"
"SQLAgent$VEEAMSQL2008R2"
"SQLAgent$VEEAMSQL2012"
"SQLBrowser"
"SQLSafeOLRService"
"SQLSERVERAGENT"
"SQLTELEMETRY"
"SQLTELEMETRY$ECWDB2"
"SQLWriter"
"SstpSvc"
"svcGenericHost"
"swi_filter"
"swi_service"
"swi_update_64"
"TmCCSF"
"tmlisten"
"TrueKey"
"TrueKeyScheduler"
"TrueKeyServiceHelper"
"UI0Detect"
"VeeamBackupSvc"
"VeeamBrokerSvc"
"VeeamCatalogSvc"
"VeeamCloudSvc"
"VeeamDeploymentService"
"VeeamDeploySvc"
"VeeamEnterpriseManagerSvc"
"VeeamMountSvc"
"VeeamNFSSvc"
"VeeamRESTSvc"
"VeeamTransportSvc"
"W3Svc"
"wbengine"
"WRSVC"
"MSSQL$VEEAMSQL2008R2"
"SQLAgent$VEEAMSQL2008R2"
"VeeamHvIntegrationSvc"
"swi_update"
"SQLAgent$CXDB"
"SQLAgent$CITRIX_METAFRAME"
"SQL Backups"
"MSSQL$PROD"
"Zoolz 2 Service"
"MSSQLServerADHelper"
"SQLAgent$PROD"
"msftesql$PROD"
"NetMsmqActivator"
"EhttpSrv"
"ekrn"
"ESHASRV"
"MSSQL$SOPHOS"
"SQLAgent$SOPHOS"
"AVP"
"klnagent"
"MSSQL$SQLEXPRESS"
"SQLAgent$SQLEXPRESS"
"wbengine"
"kavfsslp"
"KAVFSGT"
"KAVFS"
"mfefire"

List of processes
"zoolz.exe"
"agntsvc.exe"
"dbeng50.exe"
"dbsnmp.exe"
"encsvc.exe"
"excel.exe"
"firefoxconfig.exe"
"infopath.exe"
"isqlplussvc.exe"
"msaccess.exe"
"msftesql.exe"
"mspub.exe"
"mydesktopqos.exe"
"mydesktopservice.exe"
"mysqld.exe"
"mysqld-nt.exe"
"mysqld-opt.exe"
"ocautoupds.exe"
"ocomm.exe"
"ocssd.exe"
"onenote.exe"
"oracle.exe"
"outlook.exe"
"powerpnt.exe"
"sqbcoreservice.exe"
"sqlagent.exe"
"sqlbrowser.exe"
"sqlservr.exe"
"sqlwriter.exe"
"steam.exe"
"synctime.exe"
"tbirdconfig.exe"
"thebat.exe"
"thebat64.exe"
"thunderbird.exe"
"visio.exe"
"winword.exe"
"wordpad.exe"
"xfssvccon.exe"
"tmlisten.exe"
"PccNTMon.exe"
"CNTAoSMgr.exe"
"Ntrtscan.exe"
"mbamtray.exe"
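The “Processes spawned” indicators and the service list above translate directly into process-creation detection logic: none of these command lines is unusual on its own (administrators do run net stop and vssadmin), but one parent process emitting service stops against backup and security products, forced process kills, shadow copy deletion and a ping-then-delete self-removal is the pre-encryption sequence this report describes. The following Python is an added example written for this report, not a SecurityScorecard detection or anything from the sample. It classifies individual command lines against patterns modelled on the IoC section, then aggregates per parent process. The event records, the parent path and the watched-service subset are constructed for the test (the service names come from the appendix; a production rule would load the whole list).

```python
import re
from collections import defaultdict

# Subset of the service names the sample stops, taken from the appendix list; a production
# rule would load the whole list. Names are compared case-insensitively.
WATCHED_SERVICES = {
    "sophos agent", "sophos mcs agent", "veeambackupsvc", "mssqlserver", "sqlwriter",
    "backupexecjobengine", "mcshield", "acronisagent", "wbengine", "msexchangeis",
}

# One regex per behaviour, each modelled on a command line from the IoC section.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\s+/quiet\b", re.I),
    "shadowstorage_resize": re.compile(
        r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\s+/for=\w:\s+/on=\w:\s+/maxsize=", re.I),
    "process_kill": re.compile(
        r"\btaskkill(?:\.exe)?\s+/F\s+/IM\s+\S+\s+/T\b", re.I),
    "self_delete": re.compile(
        r"\bcmd(?:\.exe)?\s+/c\s+ping\s+localhost\s+-n\s+\d+\s*>\s*nul\s*&\s*del\b", re.I),
    "powershell_inline_block": re.compile(
        r'\bpowershell(?:\.exe)?\s+-Command\s+"&\s*\{', re.I),
}
NET_STOP = re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+("[^"]+"|\S+)\s+/y\b', re.I)


def classify(cmdline: str):
    """Return the behaviour categories a single command line matches (empty for benign lines)."""
    hits = [name for name, rx in RULES.items() if rx.search(cmdline)]
    m = NET_STOP.search(cmdline)
    # A lone "net stop" is routine administration; only stops of the backup, security and
    # database services from the sample's list count.
    if m and m.group(1).strip('"').lower() in WATCHED_SERVICES:
        hits.append("service_stop")
    return hits


def triage(events, threshold: int = 3):
    """Group hits by parent process and flag a parent that shows at least `threshold`
    distinct behaviours, a combination no single administrative task produces."""
    by_parent = defaultdict(lambda: {"categories": set(), "hits": 0})
    for ev in events:
        cats = classify(ev["cmdline"])
        if cats:
            by_parent[ev["parent"]]["categories"].update(cats)
            by_parent[ev["parent"]]["hits"] += 1
    return {
        parent: {
            "categories": sorted(v["categories"]),
            "hits": v["hits"],
            "suspected_ransomware": len(v["categories"]) >= threshold,
        }
        for parent, v in by_parent.items()
    }


# Constructed process-creation records (not telemetry from the engagement), shaped like the
# ParentImage/CommandLine fields of a Sysmon Event ID 1. The parent path is made up.
SUSPECT = r"C:\Users\alice\Downloads\invoice.exe"
SAMPLE_EVENTS = [
    {"parent": SUSPECT, "cmdline": 'powershell -Command "& {Get-Date}"'},
    {"parent": SUSPECT, "cmdline": 'net stop "Sophos Agent" /y'},
    {"parent": SUSPECT, "cmdline": "net stop VeeamBackupSvc /y"},
    {"parent": SUSPECT, "cmdline": "taskkill /F /IM sqlservr.exe /T"},
    {"parent": SUSPECT, "cmdline": "vssadmin Delete Shadows /all /quiet"},
    {"parent": SUSPECT, "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"parent": SUSPECT, "cmdline": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded"},
    {"parent": SUSPECT, "cmdline": 'cmd /c ping localhost -n 3 > nul & del "' + SUSPECT + '"'},
    {"parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
    {"parent": r"C:\Windows\System32\cmd.exe", "cmdline": "net stop Spooler /y"},
]


if __name__ == "__main__":
    for parent, verdict in triage(SAMPLE_EVENTS).items():
        print(parent, verdict)
```

The threshold is the tuning knob: a single shadow copy deletion from an unsigned binary in a user-writable path is already worth an alert, while the three-category default keeps backup agents that legitimately stop their own services out of the result. The self-delete pattern is also the one to act on fastest, since once it fires the original binary is gone and only the parent path in telemetry remains for collection.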