A MedusaLocker ransomware variant called “BabyLockerKZ” is being spread by a threat actor using a custom toolkit known as “paid_memes,” according to research published by Cisco Talos on Thursday.
MedusaLocker ransomware first appeared around September 2019 and uses a combination of AES and RSA-2048 to encrypt victims’ files. Threat actors using MedusaLocker have been known to exploit vulnerable configurations of Microsoft Remote Desktop Protocol for initial network access and primarily targeted healthcare as of early 2023.
The BabyLockerKZ variant was first seen in late 2023 and uses the file extension “.hazard” for encrypted files. The name BabyLockerKZ comes from the name of the variant’s autorun key, which is unique to this MedusaLocker variant.
The Cisco Talos researchers believe BabyLockerKZ to be the product of an unnamed, financially motivated threat actor that has been active since at least late 2022 and is known for its use of a toolset that have a program database (PDB) path containing the string “paid_memes.”
The “paid_memes” toolkit mostly includes wrappers around popular, publicly available tools such as the credential-dumping Mimikatz tool, the anti-virus (AV) and endpoint detection and response (EDR) disabling HRSword_v5.0.1.1.rar, the network-scanning tool Advanced_Port_Scanner_2.5.3869 and process monitoring tool Processhacker.
However, the threat actor also uses more novel tools that help to streamline and automate interactions between other tools as well as provide a graphical user interface (GUI) for the malware. For example, the tool known as “Checker” bundles Remote Desktop Plus, PSEXEC, Mimikatz and scripts based on the open-source Invoke-TheHash tool.
Checker can be used to scan IPs for valid credentials, import data from hosts and tools, decrypt hashes and store discovered credentials in a database using a simple GUI for convenience, according to Cisco Talos. The attacker typical stores the paid_memes tools, including Checker, in the Music, Pictures or Documents user folders on the victim’s machine.
The BabyLockerKZ variant is highly similar to other version of MedusaLocker and uses the same chat and leak sites, the researchers found but differs in its use of the BabyLockerKZ run key, PAIDMEMES public and private keys, lack of the “MDSLK” registry key and lack of the {8761ABBD-7F85-42EE-B272-A76179687C63} mutex found in other variants.
The threat actor itself seems to target organizations opportunistically, often compromising more than 100 victims per month around the globe, according to Cisco Talos telemetry. The researchers say the threat actor’s activity is similar to what one would see from a financially-motivated attacker such as an initial access broker or ransomware affiliate.
A full list of tactics, techniques & procedures (TTPs) and indicators of compromise (IoC) for BabyLockerKZ and paid_memes is provided in the Cisco Talos blog post.
