Solutions and Protections against Medusa Ransomware

Updated: 17 Dec 2020

Product/Version:
    • Apex One 2019
    • Deep Discovery Email Inspector 3.5
    • Deep Discovery Inspector 5.5
    • Deep Security 12.0
    • InterScan Messaging Security Suite 9.1
    • OfficeScan XG
    • ScanMail for Exchange 14.0
    • Worry-Free Business Security Advanced 10.0
    • Worry-Free Business Security Standard 10.0
Summary

MedusaLocker ransomware was first seen in September 2019, arriving via spam and targeting Windows machines. One notable behavior of this malware is that it reboots the machine into safe mode before executing and encrypting files. Depending on the variant, it also uses a BAT file and PowerShell. The infected machine usually encounters an error on boot, because the latest variant also renames bootmgr by appending an "inprocess" extension.

Behaviour

  • Deletes Shadow Volume Copy and Backup
  • Maintains persistence on the targeted machine
  • Disables recovery mode
  • Renames bootmgr, which prevents the machine from booting normally
  • Terminates processes
  • Stops services
  • Creates Mutex
  • Boots in safe mode

Capabilities

  • File Encryption
  • Disabling normal use of the machine

Impact

  • Data loss - loss of important files, documents and other data upon encryption
  • Financial loss - users are asked to pay in order to decrypt files that were affected

Infection Routine

Below is the current infection flow based on available data and research regarding other variants/incidents related to MedusaLocker.

Details

Available Solutions

File Reputation

Detection/Policy/Rules | Pattern Branch/Version | Release Date
--- | --- | ---
Ransom.Win32.MEDUSALOCKER.A | Pattern available in OPR 16.411.00 | Dec 13, 2020
Ransom.Win64.MEDUSALOCKER.AA | Pattern available in OPR 16.411.00 | Dec 13, 2020
Trojan.BAT.MEDUSALOCKER.AA | Pattern available in OPR 16.416.05 | Dec 13, 2020
Ransom.Win32.MEDUSALOCKER.H.note | Pattern available in OPR 16.410 | Dec 13, 2020
Trojan.PS1.COBACIS.A | Pattern available in OPR 16.410 | Dec 13, 2020

Predictive Machine Learning

Detection | Pattern Branch/Version
--- | ---
Troj.Win32.TRX.XXPE50FFF032 | In-the-Cloud
Troj.Win32.TRX.XXPE50FFF039 | In-the-Cloud

Behavior Monitoring

Policy ID | Pattern Branch/Version
--- | ---
RAN4056T – Generic DEL Shadow Copy commands | Behavior Monitoring OPR 1.907
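To show what a behavior-monitoring policy such as RAN4056T is looking for, here is an added Python example (not Trend Micro code and not from this article) that applies simple command-line rules to constructed process-creation events and scores a host by how many of the behaviors listed above co-occur. The specific command lines, the event format and the scoring threshold are assumptions; the article names the behaviors but not the commands.

```python
import re

# Constructed sample process-creation events (not from the article): pid, image, command line.
SAMPLE_EVENTS = [
    {"pid": 4012, "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4013, "image": r"C:\Windows\System32\wbadmin.exe", "cmdline": "wbadmin delete catalog -quiet"},
    {"pid": 4014, "image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"pid": 4015, "image": r"C:\Windows\System32\bcdedit.exe", "cmdline": "bcdedit /set {default} safeboot minimal"},
    {"pid": 4016, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c ren C:\\bootmgr bootmgr.inprocess"},
    {"pid": 4017, "image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin list shadows"},
    {"pid": 4018, "image": r"C:\Program Files\Notepad++\notepad++.exe", "cmdline": "notepad++.exe report.txt"},
]

# Assumed rules: (rule name, case-insensitive regex over the command line, behavior from the article it maps to).
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I), "Deletes Shadow Volume Copy and Backup"),
    ("backup_catalog_deletion", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I), "Deletes Shadow Volume Copy and Backup"),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I), "Disables recovery mode"),
    ("safeboot_configured", re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\s+(minimal|network)\b", re.I), "Boots in safe mode"),
    ("bootmgr_renamed", re.compile(r"\b(ren|rename|move)\b.*\bbootmgr\b", re.I), "Renames bootmgr"),
]


def match_rules(event):
    """Names of every rule whose regex matches this event's command line."""
    return [name for name, pattern, _ in RULES if pattern.search(event["cmdline"])]


def score_host(events):
    """Collect distinct behaviors seen across the events and return a verdict.

    A single shadow-copy deletion is also run by administrators and backup software,
    so it is only 'suspicious'; three or more distinct destructive behaviors on one
    host in the same window is scored as 'ransomware_like' (threshold is an assumption).
    """
    hits = {}
    for ev in events:
        for name in match_rules(ev):
            hits.setdefault(name, []).append(ev["pid"])
    behaviors = sorted(hits)
    if len(behaviors) >= 3:
        verdict = "ransomware_like"
    elif behaviors:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"behaviors": behaviors, "pids": hits, "verdict": verdict}


if __name__ == "__main__":
    print(score_host(SAMPLE_EVENTS))
```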

Sandbox Solution

Detection Name | Pattern Branch/Version
--- | ---
VAN_RANSOMWARE | Sandbox Behavior

Solution Map - What should customers do?

Trend Micro Solutions | Major Products | Latest Versions | Virus Pattern | Antispam Pattern | Network Pattern | Behavior Monitoring | Predictive Machine Learning | Web Reputation
--- | --- | --- | --- | --- | --- | --- | --- | ---
Endpoint Security | Apex One | 2019 | Update pattern via web console | Not Applicable | Update pattern via web console | Enable Behavior Monitoring and update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console
Endpoint Security | OfficeScan | XG (12.0) | Update pattern via web console | Not Applicable | Update pattern via web console | Enable Behavior Monitoring and update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console
Endpoint Security | Worry-Free Business Security Standard | 10.0 | Update pattern via web console | Not Applicable | Update pattern via web console | Enable Behavior Monitoring and update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console
Endpoint Security | Worry-Free Business Security Advanced | 10.0 | Update pattern via web console | Update pattern via web console | Update pattern via web console | Enable Behavior Monitoring and update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console
Hybrid Cloud Security | Deep Security | 12.0 | Update pattern via web console | Not Applicable | Update pattern via web console | Enable Behavior Monitoring and update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console
Email and Gateway Security | Deep Discovery Email Inspector | 3.5 | Update pattern via web console | Update pattern via web console | Update pattern via web console | Not Applicable | Not Applicable | Enable Web Reputation Service and update pattern via web console
Email and Gateway Security | InterScan Messaging Security | 9.1 | Update pattern via web console | Update pattern via web console | Not Applicable | Not Applicable | Not Applicable | Enable Web Reputation Service and update pattern via web console
Email and Gateway Security | InterScan Web Security | 6.5 | Update pattern via web console | Update pattern via web console | Not Applicable | Not Applicable | Not Applicable | Enable Web Reputation Service and update pattern via web console
Email and Gateway Security | ScanMail for Microsoft Exchange | 14.0 | Update pattern via web console | Update pattern via web console | Not Applicable | Not Applicable | Not Applicable | Enable Web Reputation Service and update pattern via web console
Network Security | Deep Discovery Inspector | 5.5 | Update pattern via web console | Not Applicable | Update pattern via web console | Not Applicable | Not Applicable | Enable Web Reputation Service and update pattern via web console

Category: Remove a Malware / Virus
Solution Id: 000283372