DefendAgainst | MedusaLocker

This is a new series that I've started, where we not just analyse the malware but highlight the steps that can be taken to defend against these threats. You'll still need to do some digging to find out how to implement these in your org but these should give you enough to get started. 
Skill level: Intermediate-Advanced

If you want to support me, follow me on Patreon: https://www.patreon.com/malienist

QuickDefend

The long-story-short version

Use the following info to break execution of this malware:

This malware uses the RestartManager to shutdown/stop running processes and then encrypt them (to bypass the ‘file is in use’ problem).
Use this reg key to disable that functionality.

DisableAutomaticApplicationShutdown:

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
SOFTWARE\MDSLK\Self

The BCDEdit /set command sets a boot entry option value in the Windows boot configuration data store (BCD).

This could be used to disable DEP — but this malware does not do that (not trying to exploit)

It does use this option to:

  1. Disable Recovery
  2. Ignore All Failures (The computer will attempt to boot normally after an error occurs).

Put a flag on these commands and stop execution:

bcdedit.exe /set {default} recoveryenabled No
bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

This process can be used to interact with the shadow copy backups and all installed shadow copy writers and providers.

Put a flag on these commands and stop execution:

vssadmin.exe delete shadows /all /quiet {Deletes ALL volume shadow copies}.

You can use one of your shiny security tool to prevent execution of this command or you can use something like this:

Create a group policy that disallows users to execute vssadmin. Or use registry to achieve the same result. We’ll look at the first option quickly. You can use this option for all the processes created by the malware.

Put a flag on these commands and stop execution:

wbadmin DELETE SYSTEMSTATEBACKUP

Deletes the system state backups that you specify. If the specified volume contains backups other than system state backups of your local server, those backups will not be deleted.

wbadmin DELETE SYSTEMSTATEBACKUP -deleteoldest

Details

Now that we have covered the defence key points, let’s take a deeper look at this ransomware.

MedusaLocker uses the Restart Manager to encrypt files that are in-use by other applications while the encryption is taking place. This allows the malware to stop the applications that are using the files to be encrypted, encrypt them and then simply end the session (legit installers, for example, would re-start the apps after the files have been updated).

Here’s the basic execution flow for this malware:

> Start session

> WriteFile

> CreateMutex

> Register Resources

> Start Encryption

Encryption Routine:

Let’s take a very quick look at the encryption process, its the same with all ransomware — they basically rely on the MS encryption APIs.

The CryptAcquireContext function is used to acquire a handle to a particular key container within a particular cryptographic service provider (CSP). This returned handle is used in calls to CryptoAPI functions that use the selected CSP.

BOOL CryptAcquireContextW(
HCRYPTPROV *phProv,
LPCWSTR szContainer,
LPCWSTR szProvider,
DWORD dwProvType,
DWORD dwFlags
);

The CryptImportKey function transfers a cryptographic key from a key BLOB into a cryptographic service provider (CSP). This function can be used to import an Schannel session key, regular session key, public key, or public/private key pair. For all but the public key, the key or key pair is encrypted.

Schannel credentials are X.509 certificates. Public and private key information from certificates is used to authenticate the server and optionally, the client.

BOOL CryptImportKey(
HCRYPTPROV hProv,
const BYTE *pbData,
DWORD dwDataLen,
HCRYPTKEY hPubKey,
DWORD dwFlags,
HCRYPTKEY *phKey
);

The CryptEncrypt function encrypts data. The algorithm used to encrypt the data is designated by the key held by the CSP module and is referenced by the hKey parameter.

BOOL CryptEncrypt(
HCRYPTKEY hKey,
HCRYPTHASH hHash,
BOOL Final,
DWORD dwFlags,
BYTE *pbData,
DWORD *pdwDataLen,
DWORD dwBufLen
);

The CryptDuplicateKey function makes an exact copy of a key and the state of the key.

BOOL CryptDuplicateKey(
HCRYPTKEY hKey,
DWORD *pdwReserved,
DWORD dwFlags,
HCRYPTKEY *phKey
);

The CryptDestroyKey function releases the handle referenced by the hKey parameter. After a key handle has been released, it is no longer valid and cannot be used again.

BOOL CryptDestroyKey(
HCRYPTKEY hKey
);

A bit more about this Restart Manager thing….

The Restart Manager stops applications in the following order, and after the applications have been updated, restarts applications that have been registered for restart in the reverse order.

  1. GUI applications
  2. Console applications
  3. Windows services
  4. Windows explorer

Restart Manager shuts down application or services only if the caller has permission to do so. Note that shutdown across sessions is not supported.

RmStartSession function

Starts a new Restart Manager session. A maximum of 64 Restart Manager sessions per user session can be open on the system at the same time. When this function starts a session, it returns a session handle and session key that can be used in subsequent calls to the Restart Manager API.

RmRegisterResources function

Registers resources to a Restart Manager session. The Restart Manager uses the list of resources registered with the session to determine which applications and services must be shut down and restarted. Resources can be identified by filenames, service short names, or RM_UNIQUE_PROCESS structures that describe running applications. The RmRegisterResources function can be used by a primary or secondary installer.

RmShutdown function

Initiates the shutdown of applications. This function can only be called from the installer that started the Restart Manager session using the RmStartSession function.

This malware also pings the local network to see if there are more nodes that can be encrypted:

The IcmpCreateFile function opens a handle on which IPv4 ICMP echo requests can be issued.

The IcmpSendEcho function sends an IPv4 ICMP echo request and returns any echo response replies. The call returns when the time-out has expired or the reply buffer is filled.

Closing notes

MedusaLocker has been more active in the recent months in the ransomware scene. It was in news recently where it was used in an attack against Channel 9 in Australia. Most ransomware follow the rather simple encryption routine that all Windows systems provide and every now then they implement some new features that have a more drastic overall effect on the victims. Using the restart manager is not new, other ransomware has used this technique in the past. I’ll keep tabs on this threat and publish any new defence techniques that can be used in the future versions of this malware.

References: MSDN

Sample hash: 0f3bc144689b4ba5a96b87f8ada895b0c7a283e72aa9c533d63d6959138ca531