Threat actor believed to be spreading new MedusaLocker variant since 2022

Description

A financially motivated threat actor has been active since 2022, delivering a MedusaLocker ransomware variant called 'BabyLockerKZ'. The group targets organizations worldwide, with a focus shift from EU countries to South American countries in mid-2023. The actor uses a combination of publicly known attack tools and custom-built software, including a lateral movement tool named 'checker'. The BabyLockerKZ variant differs from the original MedusaLocker in several aspects, such as registry keys and encryption methods. The group's aggressive tactics and high volume of attacks suggest it may be an Initial Access Broker or ransomware affiliate.