New MedusaLocker Ransomware Variant: BabyLockerKZ Targets Victims Globally

MedusaLocker ransomware - BabyLockerKZ

Researchers Tiago Pereira and Arnaud Zobec from Cisco Talos recently uncovered a new variant of the MedusaLocker ransomware, dubbed BabyLockerKZ. Active since late 2022, this variant has been silently targeting organizations around the world, causing significant disruptions in Europe and South America. Known for its professional and aggressive approach, the threat actor behind this campaign appears to be financially motivated, likely working as an Initial Access Broker (IAB) or an affiliate of a ransomware cartel.

According to the researchers, BabyLockerKZ has steadily expanded its reach across multiple continents. “In late 2022 and early 2023, most victims were in European countries, but since the first quarter of 2023, the group’s focus shifted toward South American countries,” Pereira and Zobec noted. The group has compromised more than 100 organizations each month, revealing the sheer scale of this campaign.

While the volume of attacks almost doubled in 2023, the group maintained a consistent number of around 200 compromised IP addresses per month until early 2024, when the attack rate began to taper.

The threat actor behind BabyLockerKZ uses a combination of publicly available tools and custom-built software to carry out their attacks. One of the more distinctive tools employed by the attacker is the “Checker” tool, which bundles several utilities used for lateral movement, credential theft, and process monitoring. The PDB path of the tool includes the humorous string “paid_memes,” which led researchers to identify multiple related samples.
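A PDB path is a practical pivot for hunting related samples. The scanner below is an added example written for this article, not code from the Talos report: it pulls PDB paths out of RSDS CodeView debug records by scanning raw bytes and flags any containing “paid_memes”. The embedded sample bytes and the full paths are constructed for the demonstration; only the “paid_memes” substring comes from the report.

```python
import struct

# CodeView "RSDS" debug record layout: 4-byte signature, 16-byte GUID,
# 4-byte age, then a NUL-terminated PDB path (ASCII).
RSDS_SIG = b"RSDS"
RSDS_HEADER_LEN = 4 + 16 + 4


def extract_pdb_paths(data: bytes) -> list:
    """Return every PDB path found in RSDS CodeView records in a PE image.

    Scans the raw bytes rather than walking the debug directory, so it also
    works on memory dumps or truncated samples whose headers are damaged.
    """
    paths = []
    pos = data.find(RSDS_SIG)
    while pos != -1:
        start = pos + RSDS_HEADER_LEN
        end = data.find(b"\x00", start)
        if end != -1 and end > start:
            raw = data[start:end]
            # A genuine PDB path is printable ASCII and ends in ".pdb".
            if raw.isascii() and raw.lower().endswith(b".pdb"):
                paths.append(raw.decode("ascii"))
        pos = data.find(RSDS_SIG, pos + 1)
    return paths


def match_suspicious(paths, patterns=("paid_memes",)):
    """Return PDB paths containing any hunt string (case-insensitive)."""
    return [p for p in paths if any(pat.lower() in p.lower() for pat in patterns)]


def build_rsds(pdb_path: str) -> bytes:
    """Build a minimal RSDS record (constructed test data, not a real sample)."""
    guid = b"\x11" * 16          # placeholder GUID
    age = struct.pack("<I", 1)
    return RSDS_SIG + guid + age + pdb_path.encode("ascii") + b"\x00"


# Constructed sample: filler bytes around two RSDS records, one benign and
# one whose (invented) PDB path contains the hunt string from the report.
SAMPLE = (
    b"MZ" + b"\x90" * 64
    + build_rsds("C:\\build\\release\\tool.pdb")
    + b"\x00" * 16
    + build_rsds("C:\\Users\\dev\\paid_memes\\checker\\Release\\checker.pdb")
    + b"\xff" * 8
)

if __name__ == "__main__":
    for hit in match_suspicious(extract_pdb_paths(SAMPLE)):
        print("suspicious PDB path:", hit)
```

Run it against a directory of binaries by reading each file's bytes into `extract_pdb_paths`; the same approach works on unpacked memory regions where the debug directory pointer is no longer valid.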

The “Checker” tool is equipped to scan IPs for valid credentials, using protocols like SMB and WMI to perform lateral movement. It combines popular tools such as Mimikatz and Remote Desktop Plus, making it easier for the attacker to automate the attack process.

In terms of evasion, BabyLockerKZ follows a familiar ransomware playbook. It leverages techniques like disabling antivirus and endpoint detection software, using custom scripts stored in inconspicuous folders such as “Music” and “Documents.” This stealthy approach allows the malware to avoid early detection and increases the chances of successful encryption.

Despite its close relationship with MedusaLocker ransomware, BabyLockerKZ exhibits several key differences that distinguish it from its predecessor. For instance, it lacks the {8761ABBD-7F85-42EE-B272-A76179687C63} mutex and the MedusaLocker (MDSLK) registry key. Instead, BabyLockerKZ stores an unusual public and private key set in the Windows Registry under a key named “PAIDMEMES.”

Interestingly, while these keys exist in both the Windows and Linux versions of BabyLockerKZ, researchers are still unsure about their purpose, as the Linux version doesn’t appear to rely on them.

The attackers behind BabyLockerKZ are opportunistic, exploiting vulnerabilities in organizations across various sectors. While it’s still unclear whether the group is a single entity or an affiliate network, Cisco Talos believes they are financially motivated and likely working as intermediaries for larger ransomware cartels. As of 2024, most victims have been in South American countries like Brazil, Mexico, Argentina, and Colombia.
