Novel MedusaLocker Variant Threatens Global Organizations, with 100+ Infections Monthly
Published
- New BabyLockerKZ variant of MedusaLocker infiltrates more than one hundred organizations around the world each month.
- The threat actor’s focus moved from Europe to Central and South America in its latest attacks.
- The recent attacks employ credential-stealing and antivirus- and EDR-disabling malware.
A new ransomware variant, "BabyLockerKZ," was identified and attributed to the cybercriminal group PaidMemes. This extortionist has been infecting over 100 organizations globally each month with this MedusaLocker variant since at least 2022, according to the Cisco Talos report..
The operation spans multiple industries, with the focus recently shifting to Central and South America after initially targeting European nations. Ransom demands range from $30,000 to $50,000, amounts that, while not enormous, can severely impact smaller businesses.
The widespread reach of PaidMemes underscores the persistent threat ransomware poses to businesses worldwide. Small and medium-sized enterprises (SMEs) are particularly vulnerable, as these attackers employ opportunistic tactics rather than targeting specific organizations.
While previous MedusaLocker affiliates exploited Remote Desktop Protocol (RDP) vulnerabilities and phishing campaigns, the current methods of initial access by PaidMemes remain unclear.
Once inside, the attackers use publicly available network scanning tools, antivirus, EDR disabling malware, and Mimikatz to extract Windows credentials.
SMEs should ensure that all security protocols, especially around RDP configurations, are robust and up-to-date. Regular cybersecurity training can help employees recognize phishing attempts and other common attack vectors.
The ongoing analysis by Cisco Talos aims to further understand the operations of PaidMemes without compromising any victims.
Mimikatz is a tool commonly used to extract sensitive information, such as passwords and credentials. Recently, the returning hacktivist group Twelve used it, and it is also a favorite of the Scattered Spider ransomware group.