BabyLockerKZ: New MedusaLocker Variant Spreading Globally
Cisco Talos has uncovered new activity from cybercriminals propagating a modified variant of the MedusaLocker ransomware. Experts have determined that the group operates globally, with a higher concentration of attacks observed in Europe and South America.
This new MedusaLocker variant, dubbed “BabyLockerKZ,” exhibits a distinctive characteristic: the presence of the phrase “paid_memes” within its compilation path. This phrase is also found in other tools employed by these malicious actors, a factor that enabled Cisco Talos to link the attacks, conduct an in-depth analysis of the attackers’ activities, and assess their tactics and tools.
BabyLockerKZ deviates from the classic MedusaLocker variant in several key aspects, including modified autorun functionality and an additional set of keys stored in the Windows registry. These host-level changes are useful to defenders as well: a persistence entry and registry key set that differ from stock MedusaLocker are concrete artifacts to hunt for, and the fact that the actor maintains and adapts its own build rather than reusing a leaked one points to a professionally run operation.
The attackers’ arsenal comprises both publicly available utilities and specialized tools designed for data exfiltration and lateral network movement. Certain utilities, such as “Checker,” are employed to identify system vulnerabilities, facilitating rapid propagation across the victim’s network.
Experts assess the group’s motives to be purely financial. The perpetrators may operate as independent criminals or as affiliates of a larger ransomware operation. The group has actively targeted organizations since at least 2022. Its attack volume surged in the first half of 2023 and tapered off in early 2024.
These operations rely on a range of tools, including HRSword for disabling antivirus and endpoint protection software, Advanced Port Scanner for network reconnaissance, ProcessHacker for inspecting and terminating processes, and Mimikatz for dumping credentials from memory. Together these tools cover the typical chain of defense evasion, credential theft, and subsequent lateral movement across the compromised network.
The consistent reliance on this toolset, coupled with the shifting of target regions over time, points to a well-organized and operationally efficient group. Organizations in the targeted regions are advised to strengthen security monitoring, in particular by alerting on unexpected execution of AV-tampering, port-scanning, and credential-dumping utilities on endpoints, so that intrusions can be detected and contained before encryption begins.
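As an added example (not code from Cisco Talos or from the article), the script below turns two of the points above into offline hunting checks: it looks for the “paid_memes” compilation-path string inside a binary’s embedded debug record, and it scans process-creation log lines for the tools named in the write-up, raising an alert when a single host shows both an AV-disabling tool and a credential-dumping tool. The log lines and the PE-like byte blob are constructed for illustration, and the executable filename patterns are assumptions about how these tools commonly appear on disk, not indicators published with the report.

```python
"""Hunting helpers for the BabyLockerKZ tooling described in the article.

Added example, not the report's own code. Two checks:
  1. pdb_path_indicator(): find the 'paid_memes' string in a binary's
     embedded PDB/compilation path, the link Talos used to tie samples.
  2. score_host_activity(): scan process-creation log lines for HRSword,
     Advanced Port Scanner, ProcessHacker and Mimikatz, and alert when an
     AV-killing tool and a credential tool both run on the same host.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional

# Tool categories taken from the article; the filename regexes are
# assumptions about how these tools usually appear on disk.
TOOL_PATTERNS = {
    "av_kill": re.compile(r"hrsword", re.I),
    "recon": re.compile(r"advanced[_ ]?port[_ ]?scanner", re.I),
    "cred_theft": re.compile(r"mimikatz|processhacker", re.I),
}

PDB_INDICATOR = b"paid_memes"


def pdb_path_indicator(pe_bytes: bytes) -> Optional[str]:
    """Return the embedded compilation path containing 'paid_memes', or None.

    PE files store the PDB path as a NUL-terminated string in the CodeView
    ("RSDS") debug record. Rather than parse the PE headers, this scans the
    raw bytes for the indicator and cuts the surrounding NUL-delimited
    string out, so it also works on packed or damaged samples.
    """
    idx = pe_bytes.find(PDB_INDICATOR)
    if idx < 0:
        return None
    start = pe_bytes.rfind(b"\x00", 0, idx) + 1  # byte after the previous NUL
    end = pe_bytes.find(b"\x00", idx)
    if end < 0:
        end = len(pe_bytes)
    return pe_bytes[start:end].decode("latin-1")


# Constructed process-creation events in a key=value shape, not real data.
SAMPLE_EVENTS = [
    "host=FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\svchost.exe",
    "host=FS01 user=CORP\\jdoe image=C:\\Temp\\HRSword.exe",
    "host=FS01 user=CORP\\jdoe image=C:\\Temp\\mimikatz.exe "
    "cmdline=\"mimikatz.exe privilege::debug sekurlsa::logonpasswords\"",
    "host=WS07 user=CORP\\asmith image=C:\\Tools\\Advanced_Port_Scanner.exe",
    "host=WS07 user=CORP\\asmith image=C:\\Program Files\\Notepad++\\notepad++.exe",
]

# image= may contain spaces, so match lazily up to ' cmdline=' or end of line.
EVENT_RE = re.compile(r"host=(\S+) user=(\S+) image=(.+?)(?: cmdline=|$)")


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed log line into host/user/image fields."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return {"host": m.group(1), "user": m.group(2), "image": m.group(3)}


def classify(image: str) -> Optional[str]:
    """Map an executable path to one of the article's tool categories."""
    for category, pattern in TOOL_PATTERNS.items():
        if pattern.search(image):
            return category
    return None


def score_host_activity(lines: Iterable[str]) -> Dict[str, dict]:
    """Group tool sightings per host and flag the evasion-then-credentials chain."""
    per_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        cat = classify(ev["image"])
        if cat:
            per_host[ev["host"]].add(cat)
    return {
        host: {
            "categories": sorted(cats),
            # AV disabled and credentials dumped on one host is the chain
            # the article describes; either alone is lower confidence.
            "alert": {"av_kill", "cred_theft"} <= cats,
        }
        for host, cats in per_host.items()
    }


if __name__ == "__main__":
    # Constructed PE-like blob: MZ stub, 'RSDS' signature, 16-byte GUID and
    # 4-byte age (zeroed), then the NUL-terminated PDB path.
    blob = (b"MZ\x90\x00" + b"\x00" * 16 + b"RSDS" + b"\x00" * 20
            + b"C:\\Users\\dev\\paid_memes\\locker\\Release\\locker.pdb\x00")
    print("PDB path:", pdb_path_indicator(blob))
    for host, info in score_host_activity(SAMPLE_EVENTS).items():
        print(host, info)
```

In a real deployment the `image=` field would come from Sysmon Event ID 1 or EDR process telemetry, and the `alert` condition would be a correlation rule rather than a set comparison, but the structure is the same: classify each sighting, then alert on the combination rather than on any single tool, since port scanners and process viewers are also run by administrators.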