New MedusaLocker Ransomware Variant Deployed by Threat Actor

A financially-motivated threat actor has been observed targeting organizations globally with a MedusaLocker ransomware variant, according to an analysis by Cisco Talos.

The variant, known as “BabyLockerKZ,” has been around since at least late 2023, and this is the first time it has been specifically called out as a MedusaLocker variant.

This variant uses the same chat and leak site URLs as the original MedusaLocker ransomware. However, it uses a different autorun key or an extra public and private key set stored in the registry.

Threat Actor Characteristics

The attacker has been active since at least 2022, initially focusing on targets in European countries such as France, Germany, Spain and Italy.

Since the second quarter of 2023, it has shifted its focus towards South American countries such as Brazil, Mexico, Argentina and Colombia, resulting in the volume of victims per month almost doubling.

Attacks kept a steady volume of around 200 unique IPs compromised per month until the first quarter of 2024, when attacks decreased.

The threat actor is believed to either be working as an initial access broker or an affiliate of a ransomware cartel.

Cisco assessed with medium confidence that it is financially motivated.

Tactics, Techniques and Procedures

Cisco Talos said the group uses several publicly known attack tools and living-off-the-land binaries to enable credential theft and lateral movement in compromised organizations.

These tools are mostly wrappers around publicly available tools that include additional functionality to streamline the attack process and provide graphical or command-line interfaces.

Among the publicly known tools used by the attacker are HRSword_v5.0.1.1.rar, used to disable AV and EDR software, and Advanced_Port_Scanner_2.5.3869.exe, a network-scanning tool with several additional features to map internal networks and devices.

Additionally, the threat actor uses some tools that are not widely distributed and that streamline the attack process by automating the interaction between popular attack tools.

One of these tools, called “Checker,” is an app that bundles several other freely available apps and provides a GUI for management of credentials as the attackers proceed with lateral movement.

These tools contain a PDB path including the word “paid_memes,” the same string compiled into BabyLockerKZ.

The attackers frequently used the Music, Pictures or Documents user folders of compromised systems to store attack tools.
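The two artefacts above, the “paid_memes” PDB path and the use of the Music, Pictures and Documents folders as staging locations, are the kind of thing a defender can sweep for cheaply. The following script is an added example written for this article; it is not code from Cisco Talos or Infosecurity Magazine. It pulls PDB paths out of a file by locating CodeView “RSDS” records (4-byte signature, 16-byte GUID, 4-byte age, NUL-terminated path), flags any path containing “paid_memes,” and separately flags PE files sitting directly under a user's Music, Pictures or Documents folder. The sample file bytes and the file paths used for demonstration are constructed; the only indicator taken from the article is the “paid_memes” string.

```python
import os
import re
import struct
import sys

# Indicator from the article: tooling and BabyLockerKZ carry a PDB path containing this word.
PDB_MARKER = "paid_memes"
# User folders the article reports as staging locations for attack tools.
STAGING_FOLDERS = {"music", "pictures", "documents"}
# CodeView PDB 7.0 record signature; the PDB path follows the GUID and age fields.
RSDS = b"RSDS"
RSDS_HEADER_LEN = 4 + 16 + 4


def extract_pdb_paths(data: bytes) -> list[str]:
    """Return every PDB path found in RSDS records inside the given bytes.

    A linear scan for the signature is used instead of walking the PE debug
    directory, so the function also works on truncated or packed samples.
    """
    paths = []
    pos = data.find(RSDS)
    while pos != -1:
        start = pos + RSDS_HEADER_LEN
        end = data.find(b"\x00", start)
        if end > start:
            try:
                paths.append(data[start:end].decode("ascii"))
            except UnicodeDecodeError:
                pass  # not a printable path; skip this hit
        pos = data.find(RSDS, pos + len(RSDS))
    return paths


def has_paid_memes_pdb(data: bytes) -> bool:
    """True if any embedded PDB path contains the article's 'paid_memes' marker."""
    return any(PDB_MARKER in p for p in extract_pdb_paths(data))


def in_user_staging_folder(path: str) -> bool:
    """True for paths of the form <drive>\\Users\\<name>\\(Music|Pictures|Documents)\\..."""
    parts = [p for p in re.split(r"[\\/]+", path) if p]
    return (len(parts) >= 5
            and parts[1].lower() == "users"
            and parts[3].lower() in STAGING_FOLDERS)


def triage_file(path: str, data: bytes) -> list[str]:
    """Return the reasons (if any) this file should be looked at by an analyst."""
    reasons = []
    is_pe = data[:2] == b"MZ"
    if is_pe and in_user_staging_folder(path):
        reasons.append("pe_in_user_staging_folder")
    if has_paid_memes_pdb(data):
        reasons.append("pdb_path_contains_paid_memes")
    return reasons


def scan_tree(root: str) -> dict[str, list[str]]:
    """Walk a directory tree and collect findings per file."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            reasons = triage_file(full, data)
            if reasons:
                findings[full] = reasons
    return findings


# Constructed sample: a fake PE header followed by an RSDS record with a
# hypothetical 'paid_memes' build path. Not bytes from any real sample.
SAMPLE_TOOL = (b"MZ" + b"\x00" * 62
               + RSDS + bytes(16) + struct.pack("<I", 1)
               + b"C:\\paid_memes\\Checker\\Release\\Checker.pdb\x00"
               + b"\x00" * 16)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~")
    for path, reasons in scan_tree(root).items():
        print(path, ", ".join(reasons))
```

Run it with a user profile directory as the argument (or no argument to scan the current user's home). Matching on the PDB string alone is a weak signal, since build paths are trivial for an operator to change, so the script reports reasons separately and leaves the decision to the analyst rather than treating either hit as conclusive.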
