ASEC recently discovered that GlobeImposter ransomware is being actively distributed, and that it is being distributed by the same threat actors who operate MedusaLocker. The precise means of initial access could not be determined, but the evidence collected from infection logs indicates that the ransomware is being delivered over RDP (Remote Desktop Protocol).
Diving into details
- The threat actor typically creates a folder named "skynet work" under the user's "Music" directory and then stages the malware in that same location. This tactic has been observed consistently since last year and is a notable characteristic of the attack.
- The MedusaLocker actors install several tools on the compromised system, including port scanners, Mimikatz, a network password recovery tool, and a shared-folder scanner. These support credential theft and discovery of other hosts rather than encryption itself.
- In some cases they were also observed installing the XMRig CoinMiner alongside the ransomware, so that the system is mined for cryptocurrency as well as encrypted.
- Once they have taken control of a system via RDP, the threat actors (not the ransomware itself) conduct internal reconnaissance and lateral movement before GlobeImposter is deployed.
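The two indicators described above, the "skynet work" staging folder and the RDP logons that precede it, can be hunted for on a Windows host with a short script. The following is an added example and is not code from ASEC or from the write-up; it assumes standard user profile paths under C:\Users and the standard Windows Security log event IDs (4624 with LogonType 10 for a successful RDP logon, 4625 for a failed logon). It must be run from an elevated PowerShell session to read the Security log.

```powershell
# Added example (not from the original write-up): hunt for the "skynet work" staging
# folder and for RDP logon activity on a Windows host. Run as Administrator.

# 1. Look for the staging folder in every user profile's Music directory.
#    The folder name "skynet work" is the indicator described in the write-up.
$hits = Get-ChildItem -Path 'C:\Users\*\Music' -Directory -Filter 'skynet work' -ErrorAction SilentlyContinue
if (-not $hits) {
    Write-Output 'No "skynet work" folder found under any user Music directory.'
}
foreach ($dir in $hits) {
    Write-Output "Staging folder found: $($dir.FullName) (created $($dir.CreationTime))"
    # List what was dropped there; tooling such as Mimikatz, scanners or XMRig would appear here.
    Get-ChildItem -Path $dir.FullName -File -Recurse -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, CreationTime, LastWriteTime |
        Format-Table -AutoSize
}

# Helper: turn a Security event's EventData into a name -> value hashtable.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

$since = (Get-Date).AddDays(-7)

# 2. Successful RDP logons (4624 with LogonType 10 = RemoteInteractive) in the last 7 days,
#    summarised by account and source address. Unexpected accounts or external
#    source addresses here are the "took over the system via RDP" step.
$rdpLogons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData -Event $_
        if ($d['LogonType'] -eq '10') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                SourceIp    = $d['IpAddress']
                Workstation = $d['WorkstationName']
            }
        }
    }
Write-Output 'Successful RDP logons by account and source address:'
$rdpLogons | Group-Object Account, SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. Failed logons (4625) by source address. A long run of failures from one address
#    followed by a success in step 2 is the brute-force / dictionary pattern.
Write-Output 'Top sources of failed logons:'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { (ConvertTo-EventData -Event $_)['IpAddress'] } |
    Group-Object | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

The script reports rather than remediates. A hit on the folder or a successful RDP logon from an unexpected address should trigger isolation of the host and a credential reset for the accounts involved, since the tooling listed above (Mimikatz, network password recovery) means any credential used on that host should be treated as exposed.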
Attribution
- The U.S. Department of Health and Human Services (HHS) recently published a report detailing how MedusaLocker ransomware actors use RDP to gain access to systems and deploy ransomware.
- Last year, CISA published an advisory describing the MedusaLocker group's use of RDP as its attack vector.
- The email and onion addresses found in the GlobeImposter ransom note are among the addresses CISA listed as being used by the MedusaLocker group, which is the basis for attributing this campaign to the same actors.
Stay Safe
Disable RDP when it is not in use to reduce the number of attack attempts the service is exposed to. When RDP is required, use a long, complex password for every account that can log on remotely and rotate it regularly, which counters the brute-force and dictionary attacks this group relies on. Since a strong password alone does not stop an attacker who already holds stolen credentials, practitioners should also restrict RDP to trusted addresses or a VPN, require Network Level Authentication, enforce account lockout, and monitor RDP logon events.
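The hardening steps above can be applied and verified from PowerShell. The following is an added example, not code from ASEC or the advisories cited; it uses the standard Windows registry values for RDP and NLA, the built-in "Remote Desktop" firewall rule group, and `net accounts` for lockout policy. The trusted address range 10.0.0.0/24 is an assumed placeholder and must be replaced with the real management network. Run as Administrator.

```powershell
# Added example (not from the original write-up): audit and harden RDP on a Windows host.
# Run as Administrator. Replace $TrustedRange with your real management subnet or VPN range.

$TrustedRange = '10.0.0.0/24'   # assumed placeholder, not from the write-up

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$nlaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpPosture {
    # Reports the current RDP exposure: enabled or not, NLA on or off, firewall rule state.
    [pscustomobject]@{
        RdpEnabled      = ((Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0)
        NlaRequired     = ((Get-ItemProperty -Path $nlaKey -Name UserAuthentication).UserAuthentication -eq 1)
        FirewallEnabled = (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object Enabled -eq 'True').Count -gt 0
        FirewallScope   = (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
                               Get-NetFirewallAddressFilter | Select-Object -ExpandProperty RemoteAddress -Unique) -join ','
    }
}

function Disable-RdpExposure {
    # "Deactivate RDP when not in use": deny connections and close the firewall rule group.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1
    Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
}

function Enable-HardenedRdp {
    # "When in use": allow RDP only with NLA, only from the trusted range, and with account lockout
    # so that password guessing is throttled even if a weak password slips through.
    Set-ItemProperty -Path $tsKey  -Name fDenyTSConnections -Value 0
    Set-ItemProperty -Path $nlaKey -Name UserAuthentication -Value 1
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $TrustedRange
    # Lock an account after 5 failures for 15 minutes; the observation window is also 15 minutes.
    net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15 | Out-Null
}

Write-Output 'Before:'
Get-RdpPosture | Format-List

# Choose one of the two states. Disabling is the default here because the write-up's
# recommendation is to keep RDP off unless it is actually needed.
Disable-RdpExposure
# Enable-HardenedRdp

Write-Output 'After:'
Get-RdpPosture | Format-List
```

`Get-RdpPosture` is worth running on its own across a fleet: any host where RdpEnabled is true, NlaRequired is false and FirewallScope is `Any` is exposed in exactly the way this campaign exploits. Note that the firewall scope only helps when the host is not also reachable through a port-forward or a cloud security group that bypasses the local rule.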