Today, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of the Treasury published a joint Cybersecurity Advisory (CSA) to provide information on the MedusaLocker ransomware. As noted in the CSA, MedusaLocker threat actors rely predominantly on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks.

The CSA provides further technical details of MedusaLocker, to include noting threat actors also frequently use phishing and spam campaigns – directly attaching ransomware to the email – as initial intrusion vectors. The CSA provides an overview of how MedusaLocker operates, indicators of compromise, IP addresses, the MITRE ATT&ACK techniques used by the threat actors, and more. It includes a list of mitigation actions, resources, and reporting information. Among the mitigation actions, the CSA recommends organizations implement the following today: 1) prioritize remediating known exploited vulnerabilities; 2) train users to recognize and report phishing attempts; and 3) enable and enforce multi-factor authentication. To report an incident or request technical assistance, contact CISA at cisaservicedesk@cisa.dhs.gov or 888-282-0870 or the FBI through a local field office.