BabyLockerKZ: a wave of attacks covers continents - who is next?

Man

The well-known virus has received a new mask and has become even more dangerous.

Cisco Talos has discovered new activity from cybercriminals distributing a modified version of the MedusaLocker ransomware. Experts found that the group operates globally, but a greater number of attacks were recorded in Europe and South America.

The new variant of MedusaLocker is called "BabyLockerKZ". A notable feature of this malware is the string "paid_memes" in its compilation path, which also appears in other tools used by these attackers. This overlap is what allowed Cisco Talos to link the attacks and study the attackers' activities in detail, assessing their tactics and tools.

BabyLockerKZ differs from the classic version of MedusaLocker in several features, including a modified autorun and a set of additional keys stored in the registry. This indicates the high level of professionalism of the group and the targeted nature of the attacks.

The main toolkit of attackers consists of both publicly available utilities and specialized tools created to steal data and move around the network. Some utilities, such as "Checker", are used to find vulnerabilities in the system, allowing attackers to quickly spread across the victim's network.

According to experts, the motives of the group are exclusively financial in nature. Attackers can act as independent criminals or be part of a large extortion cartel. Since 2022, the group has been actively attacking various organizations. In the first half of 2023, the volume of their attacks doubled, but then decreased again in early 2024.

In their cyber operations, the attackers actively use a number of tools, including HRSword to disable antivirus software, Advanced Port Scanner to scan the network, as well as programs such as ProcessHacker and Mimikatz. Many of these tools are actively used to attack credentials and spread throughout the system.

The consistent reuse of the same tools, combined with the constant shifting of attack regions, indicates how organized and effective the cybercriminals' operations are. Companies at risk are advised to strengthen security monitoring and apply specialized solutions to identify and block such threats in a timely manner.
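As an added example of the kind of monitoring the post recommends (this is not code from the Cisco Talos report or from the post), the script below hunts for the two indicators the article actually names: the tool names HRSword, Advanced Port Scanner, ProcessHacker and Mimikatz in process-creation events, and the "paid_memes" string in a compilation (PDB) path embedded in a binary. The event format, executable names and the sample PDB path are constructed for the example and are not IoCs from the report.

```python
"""Hunting helper for the BabyLockerKZ indicators named in the post.

Added example, not code from Cisco Talos or the original post. The log
format, executable names and the binary blob below are constructed sample
data; only the tool names and the "paid_memes" marker come from the article.
"""
import re

# Tool names as given in the post; patterns tolerate case and separators.
TOOL_PATTERNS = {
    "HRSword": re.compile(r"hrsword", re.I),
    "Advanced Port Scanner": re.compile(r"advanced[\s_-]*port[\s_-]*scanner", re.I),
    "ProcessHacker": re.compile(r"process[\s_-]*hacker", re.I),
    "Mimikatz": re.compile(r"mimikatz", re.I),
}

# The compilation-path marker Talos used to link the samples and tools.
PDB_MARKER = re.compile(rb"paid_memes", re.I)

# Constructed process-creation records: "timestamp host image command_line".
SAMPLE_EVENTS = [
    "2024-06-01T10:02:11Z WS01 C:\\Windows\\System32\\svchost.exe svchost.exe -k netsvcs",
    "2024-06-01T10:05:40Z WS01 C:\\Tools\\HRSword.exe HRSword.exe",
    "2024-06-01T10:06:02Z WS01 C:\\Users\\Public\\Advanced_Port_Scanner.exe Advanced_Port_Scanner.exe",
    "2024-06-01T10:09:15Z WS01 C:\\Users\\Public\\ph\\ProcessHacker.exe ProcessHacker.exe",
    "2024-06-01T10:11:33Z WS01 C:\\Users\\Public\\m\\mimikatz.exe mimikatz.exe",
]

# Constructed stand-in for a PE file: a header stub, padding, and an embedded
# PDB path containing the marker (the path itself is invented for the example).
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 32
    + b"C:\\dev\\paid_memes\\build\\Release\\locker.pdb" + b"\x00" * 8
)


def scan_process_events(lines):
    """Return (line_no, tool_name) for every event that mentions a named tool."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, pat in TOOL_PATTERNS.items():
            if pat.search(line):
                hits.append((n, name))
    return hits


def find_pdb_path(pe_bytes):
    """Return the printable string around a 'paid_memes' marker, or None.

    The match is extended left and right over printable ASCII so the whole
    embedded compilation path is recovered for triage, not just the marker."""
    m = PDB_MARKER.search(pe_bytes)
    if m is None:
        return None
    start = m.start()
    while start > 0 and 32 <= pe_bytes[start - 1] < 127:
        start -= 1
    end = m.end()
    while end < len(pe_bytes) and 32 <= pe_bytes[end] < 127:
        end += 1
    return pe_bytes[start:end].decode("ascii")


if __name__ == "__main__":
    for line_no, tool in scan_process_events(SAMPLE_EVENTS):
        print(f"event {line_no}: known attacker tool {tool}")
    path = find_pdb_path(SAMPLE_BINARY)
    if path:
        print(f"binary carries marked compilation path: {path}")
```

In practice the event scanner would be pointed at Sysmon Event ID 1 or EDR process telemetry exported as text, and the PDB check at files quarantined from hosts where the tools were seen; a hit on the compilation path is a stronger link to this group than a tool name alone, since Advanced Port Scanner and ProcessHacker also appear in legitimate administration.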

Source