Threat actor believed to be spreading new MedusaLocker variant since 2022

Oct. 4, 2024, 12:30 p.m.

Description

A financially motivated threat actor has been active since 2022, delivering a MedusaLocker ransomware variant called 'BabyLockerKZ'. The group targets organizations worldwide; in mid-2023 its focus shifted from EU countries to South American countries. The actor uses a combination of publicly known attack tools and custom-built software, including a lateral movement tool named 'checker'. The BabyLockerKZ variant differs from the original MedusaLocker in several aspects, such as the registry keys it uses and its encryption methods. The group's aggressive tactics and high volume of attacks suggest it may be an Initial Access Broker or a ransomware affiliate.

Date

Published: Oct. 4, 2024, 10:06 a.m.
Created: Oct. 4, 2024, 10:06 a.m.
Modified: Oct. 4, 2024, 12:30 p.m.

Indicators

dc4840a0992b218cbedd5a7ac5c711cb98f1f9e78a8ffdea37c694061dfd34c6

c0c726a23111c220d022fcd01a85f9788249e42baece03f83b6059170453b801

d00f7cf6af68ba832b9d364f28411346cfe66fd3b1f5bcac318766add29ff7f0

8edbb1944d94ff91ee917c31590b6d1d5690a52fc153e44355ee9749aa0f4625

9f066975f1e02b29c7c635280f405c59704ce4f4e06b04e9ac8a7eac22acd3c7

759b96f44806578cc0836a3a2bf11c8bc553effac72f8d28b94aec78b66be906

63eb3d2886d9cb880c9b0d54b94f3e149b3b5b6215a33a0ef63588a09dcd4499

5d5d639fdfbf632bb7d9f1bb28731217d09d36078ab5e594baf2a5a41267a5d2

33a8024395c56fab4564b9baef1645e505e00b0b36bff6fad3aedb666022599a

2eddfe711c32ef1668e14a10d00452c83c29e394e17c41f491550a1583c1bcac

1e9246e6a35731143368eaa0ade4f3cf576d6b22e6090152f6e94f1fa3070651

Attack Patterns

BabyLockerKZ

MedusaLocker

T1490

T1110

T1021

T1486

T1562

T1190

T1133

T1078

T1003

Additional Information

Colombia

Argentina

Spain

Italy

France

Germany

Mexico

Brazil