Ransomware crew infects 100+ orgs monthly with BabyLockerKZ

Exclusive An extortionist armed with a new variant of MedusaLocker ransomware has infected more than 100 organizations a month since at least 2022, according to Cisco Talos, which recently discovered a "substantial" Windows credential data dump that sheds light on the criminal and their victims.

The miscreant, whom Talos has dubbed "PaidMemes," uses a recent MedusaLocker variant called "BabyLockerKZ," and inserts the words "paid_memes" into the malware plus other tools used during the attacks.

In research published today and shared exclusively with The Register, the threat intel group asserts, "with medium confidence," that PaidMemes is financially motivated and working as an initial access broker or ransomware cartel affiliate, attacking a ton of businesses around the globe for at least the last two years.

The extortionist's earlier victims in October 2022 were primarily in Europe – France, Germany, Spain, and Italy made up the bulk of their activity.

Then, during the second quarter of 2023, the attack volume per month nearly doubled, and the focus shifted to Central and South America, with Brazil being the most heavily targeted, followed by Mexico, Argentina, and Colombia.

'Opportunistic' extortionist attacks across industries, regions

Victims have also been located in the US, UK, Hong Kong, South Korea, Australia, and Japan, we're told. Talos isn't revealing the exact numbers per country, other than to say that PaidMemes infected around 200 unique IPs per month until the first quarter of 2024. At that point, the attacks decreased.

"We're not done reviewing the data," Talos head of outreach Nick Biasini told The Register in an exclusive interview. "We want to make sure that we're not exposing anybody that could potentially be a victim – that's a big concern of ours."

These victims span multiple industries, with the attacker seeming to prey heavily on small and medium-sized businesses, according to Biasini, who said the dumped dataset suggests that "at least some portion of the ransomware landscape is incredibly opportunistic."

In one instance, the attacker broke into a company with a single employee and demanded a ransom payment.

"They're not going after specific targets," he added. "This is very opportunistic."

The attacker isn't pocketing multimillion-dollar payouts either. "These are $30,000, $40,000, $50,000 payouts that they are getting from these small businesses," Biasini said.

While previous MedusaLocker affiliates have broken into victim environments using vulnerable Remote Desktop Protocol (RDP) configurations and phishing campaigns, it's unclear how PaidMemes gains access to the compromised orgs.

"We have absolutely no visibility into that. All we have is the credentials that we saw dumped that were coming out of the tooling that they were using," Biasini said. "They were running this tool on systems that they compromised, and that tool would gather credentials and dump it out to a remote server that was open."

PaidMemes' tools of the trade

The tools that the attacker uses, we're told, are mostly wrappers around publicly available network scanners, malware to disable antivirus or endpoint detection and response software, Mimikatz to dump Windows user credentials from memory, and other freely available code.

One of these tools, "Checker," bundles several others such as Remote Desktop Plus, PsExec, and Mimikatz, along with a GUI for credential management to help with lateral movement.

There's another wrapper called Mimik that combines Mimikatz and rclone to steal credentials and upload them to an attacker-controlled server.

"This is something that you would typically see out of sysadmins," Biasini said. "If they're doing activities, they're bringing scripts, they're bringing these packed-together, stitched-together things that allow them to do their job more quickly and effectively."

So, like sysadmins, but "with a malicious slant: to gain access, or the data that they're trying to get out of these networks."

The criminal also tends to use compromised computers' Music, Pictures or Documents folders to store the attack tools.

In one of the BabyLockerKZ attacks, the Checker tool had a PDB path with the string "paid_memes," and that string allowed Talos to identify other files on VirusTotal, which were primarily the ransomware samples.
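That PDB-path pivot can be turned into a local hunt. The Python below is an added example written for this article, not Cisco Talos tooling: it scans the Music, Pictures and Documents folders the article says the attacker uses for staging, pulls the PDB path out of each PE file's CodeView "RSDS" debug record, and flags any path containing "paid_memes". The sample PE bytes and the PDB paths inside them are constructed for the demo; the real Checker PDB path is not published in the article.

```python
"""Hunt for PE files whose CodeView PDB path carries an attacker marker string.

Added example for this article; it is not Cisco Talos tooling. It implements
the pivot described above (a "paid_memes" substring in a PDB path) as a local
scan of the Music, Pictures and Documents folders the article says PaidMemes
uses to stage tools. The sample PE bytes and PDB paths below are constructed.
"""
import re
import shutil
import struct
import tempfile
from pathlib import Path

# CodeView record written by MSVC into the debug directory:
#   b"RSDS" | 16-byte GUID | 4-byte age | NUL-terminated PDB path
# We do not parse the PE headers; a raw scan for the record is enough for a hunt
# and also works on packed or truncated files where the header is unusable.
RSDS_RE = re.compile(rb"RSDS.{20}([\x20-\x7e]{1,260}?)\x00", re.DOTALL)

STAGING_DIRS = ("Music", "Pictures", "Documents")  # folders named in the article


def extract_pdb_paths(data):
    """Return every PDB path found in a CodeView RSDS record in `data`."""
    return [m.group(1).decode("ascii") for m in RSDS_RE.finditer(data)]


def has_marker(data, marker="paid_memes"):
    """True if any embedded PDB path contains `marker` (case-insensitive)."""
    marker = marker.lower()
    return any(marker in path.lower() for path in extract_pdb_paths(data))


def hunt(profile_root, marker="paid_memes"):
    """Scan a user profile's staging folders for PE files tagged with `marker`.

    Returns a list of (file path, [pdb paths]) for each hit.
    """
    hits = []
    root = Path(profile_root)
    for sub in STAGING_DIRS:
        folder = root / sub
        if not folder.is_dir():
            continue
        for candidate in folder.rglob("*"):
            if not candidate.is_file():
                continue
            try:
                data = candidate.read_bytes()
            except OSError:
                continue
            if not data.startswith(b"MZ"):  # only DOS/PE images
                continue
            if has_marker(data, marker):
                hits.append((str(candidate), extract_pdb_paths(data)))
    return hits


def _fake_pe(pdb_path):
    """Build a minimal MZ-prefixed blob holding one RSDS record (constructed test data)."""
    guid = bytes(range(16))  # placeholder GUID, not a real one
    age = struct.pack("<I", 1)
    return b"MZ" + b"\x00" * 62 + b"RSDS" + guid + age + pdb_path + b"\x00" + b"\x90" * 32


# Constructed samples: the real Checker PDB path is not published in the article.
SAMPLE_PDB_PATH = rb"C:\Users\dev\src\paid_memes\Checker\Release\Checker.pdb"
CLEAN_PDB_PATH = rb"C:\build\agent\Release\agent.pdb"
SAMPLE_PE = _fake_pe(SAMPLE_PDB_PATH)
CLEAN_PE = _fake_pe(CLEAN_PDB_PATH)


def demo():
    """Write the constructed samples into a throwaway profile layout and hunt it.

    Returns the number of flagged files (1: only the paid_memes-tagged binary).
    """
    root = Path(tempfile.mkdtemp(prefix="paidmemes-hunt-"))
    try:
        (root / "Music").mkdir()
        (root / "Documents").mkdir()
        (root / "Music" / "checker.exe").write_bytes(SAMPLE_PE)
        (root / "Documents" / "agent.exe").write_bytes(CLEAN_PE)
        (root / "Documents" / "notes.txt").write_bytes(b"plain text, not a PE")
        hits = hunt(root)
        for path, pdbs in hits:
            print(f"HIT {path}: {pdbs}")
        return len(hits)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    demo()
```

To run it against a real machine, call `hunt(Path.home())` (or each profile under `C:\Users`) instead of `demo()`. Matching on the PDB path rather than a file hash is the point: the article says the same string turned up across the ransomware samples on VirusTotal, so it survives rebuilds that change the hash.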

New MedusaLocker variant

The main payload, of course, is the data-encrypting malware, which Talos believes has been around since 2023. Cynet researchers last year dubbed this MedusaLocker variant "Hazard," and mention a BabyLockerKZ registry key in their analysis.

More recently, Whitehat revealed PAIDMEMES PUBLIC and PRIVATE registry keys on a MedusaLocker sample in May.

Note, MedusaLocker is not the same malware family as Medusa ransomware.

When it comes to protecting against ransomware crews, the challenge is especially "daunting" to small and medium-sized businesses, Biasini said. "MFA and SSO are the kind of things that help deter this type of access, but the cost associated with deploying this type of technology is extraordinarily high."

Plus, it's unlikely that these organizations have cyber insurance that will pay the extortion demands.

"I would guess that small and medium businesses are going to make a bigger and bigger chunk of ransomware activity going forward," he opined. "The larger organizations are getting better at detecting ransomware, they're getting better at defending themselves, these small and medium businesses are being left behind, and the ransomware actors still want a payday." ®

Source: theregister.com
