Solutions and Protections against Medusa Ransomware

Product / Version includes:

Deep Discovery Email Inspector3.5 , OfficeScanXG , Apex One2019 , InterScan Messaging Security Suite9.1 , Worry-Free Business Security Advanced10.0 , Worry-Free Business Security Standard10.0 , ScanMail for Exchange14.0 , Deep Discovery Inspector5.5 , Deep Security12.0

Last updated: 2021/10/10

Solution ID: KA-0011275

Category: Remove a Malware / Virus

Summary

MedusaLocker Ransomware was first seen in September 2019 originating from SPAM and targeting Windows machines. One interesting behavior of this malware is booting up in safe mode before execution and file encryption. It also uses BAT file and PowerShell depending on the variant. Usually, the infected machine will encounter an error when booting up since the latest variant also changes the extension of Bootmgr appending "inprocess" extension.

Behaviour

Deletes Shadow Volume Copy and Backup
Maintains persistence on the targeted machine
Disables recovery mode
Renames bootmgr that prevents machine from booting up normally
Terminates processes
Stops services
Creates Mutex
Boots in safe mode

Capabilities

File Encryption
Disabling usage capability

Impact

Data loss - loss of important files, documents and other data upon encryption
Financial loss - users are asked to pay in order to decrypt files that were affected

Infection Routine

Below is the current infection flow based on available data and research regarding other variants/incidents related to MedusaLocker.

Available Solutions

File Reputation

Detection/Policy/Rules	Pattern Branch/Version	Release Date
Ransom.Win32.MEDUSALOCKER.A	Pattern available in OPR 16.411.00	Dec 13, 2020
Ransom.Win64.MEDUSALOCKER.AA	Pattern available in OPR 16.411.00	Dec 13, 2020
Trojan.BAT.MEDUSALOCKER.AA	Pattern available om OPR 16.416.05	Dec 13, 2020
Ransom.Win32.MEDUSALOCKER.H.note	Pattern available om OPR 16.410	Dec 13, 2020
Trojan.PS1.COBACIS.A	Pattern available om OPR 16.410	Dec 13, 2020

Predictive Machine Learning

Detection	Pattern Branch/Version
Troj.Win32.TRX.XXPE50FFF032	In-the-Cloud
Troj.Win32.TRX.XXPE50FFF039	In-the-Cloud

Behavior Monitoring

Policy ID	Pattern Branch/Version
RAN4056T – Generic DEL Shadow Copy commands	Behavior Monitoring OPR 1.907

Sandbox Solution

Detection Name	Pattern Branch/Version
VAN_RANSOMWARE	Sandbox Behavior

Solution Map - What should customers do?

TREND MICRO SOLUTIONS	MAJOR PRODUCTS	LATEST VERSIONS	VIRUS PATTERN	ANTISPAM PATTERN	NETWORK PATTERN	BEHAVIOR MONITORING	PREDICTIVE MACHINE LEARNING	WEB REPUTATION
Endpoint Security	ApexOne	2019	Update pattern via web console	Not Applicable	Update pattern via web console	Enable Behavior Monitoring and update pattern via web console	Enable Predictive Machine Learning	Enable Web Reputation Service and update pattern via web console
	OfficeScan	XG (12.0)			Not Applicable
	Worry-Free Business Security	Standard (10.0)
	Worry-Free Business Security	Advanced (10.0)		Update pattern via web console
Hybrid Cloud Security	Deep Security	12.0	Update pattern via web console	Not Applicable	Update pattern via web console	Enable Behavior Monitoring and update pattern via web console	Enable Predictive Machine Learning	Enable Web Reputation Service and update pattern via web console
Email and Gateway Security	Deep Discovery Email Inspector	3.5	Update pattern via web console	Update pattern via web console	Update pattern via web console	Not Applicable	Not Applicable	Enable Web Reputation Service and update pattern via web console
	InterScan Messaging Security	9.1			Not Applicable
	InterScan Web Security	6.5
	ScanMail for Microsoft Exchange	14.0
Network Security	Deep Discovery Inspector	5.5	Update pattern via web console	Not Applicable	Update pattern via web console	Not Applicable	Not Applicable	Enable Web Reputation Service and update pattern via web console

Recommendation

Make sure to always use the latest pattern available to detect the old and new variants of Medusa Ransomware. Please refer to the KB article on Recommendations on how to best protect your network using Trend Micro products.
Make sure to implement the ransomware protection features and best practices. Please refer to the KB article on Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products.
You may also check the article on Submitting suspicious or undetected virus for file analysis to Technical Support.
For support assistance, please contact Trend Micro Technical Support.

Threat Report

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Solutions and Protections against Medusa Ransomware

Solutions and Protections against Medusa Ransomware

Product / Version includes:

Summary