概要
MedusaLocker勒索病毒首次出現在2019年9月,主要來自垃圾郵件,並以Windows機器為目標。這種惡意軟體的行為是在執行和文件加密之前以安全模式啟動。它還使用BAT文件和PowerShell,具體取決於各種變種。通常情況下,受感染的機器在啟動時將會遇到錯誤,因為最新的變種還擴展了Bootmgr並附加了 "inprocess "。
行為
- 刪除陰影複製和備份
- 確保在目標機器上保持持久性
- 禁用復原模式
- 重新命名bootmgr 防止機器正常啟動
- 終止程序
- 停止服務
- 創建Mutex
- 安全模式下啟動
能力
- 檔案加密
- 停用使用率功能
影響
- 資料遺失 - 加密後失去重要文件、檔案和其他資料
- 經濟損失 - 用戶被要求付費以解密受影響的文件
詳情
Available Solutions
檔案信譽
| Detection/Policy/Rules | Pattern Branch/Version | Release Date |
|---|---|---|
| Ransom.Win32.MEDUSALOCKER.A | Pattern available in OPR 16.411.00 | Dec 13, 2020 |
| Ransom.Win64.MEDUSALOCKER.AA | Pattern available in OPR 16.411.00 | Dec 13, 2020 |
| Trojan.BAT.MEDUSALOCKER.AA | Pattern available om OPR 16.416.05 | Dec 13, 2020 |
| Ransom.Win32.MEDUSALOCKER.H.note | Pattern available om OPR 16.410 | Dec 13, 2020 |
| Trojan.PS1.COBACIS.A | Pattern available om OPR 16.410 | Dec 13, 2020 |
Predictive Machine Learning
| Detection | Pattern Branch/Version |
|---|---|
| Troj.Win32.TRX.XXPE50FFF032 | In-the-Cloud |
| Troj.Win32.TRX.XXPE50FFF039 | In-the-Cloud |
行為監控
| Policy ID | Pattern Branch/Version |
|---|---|
| RAN4056T – Generic DEL Shadow Copy commands | Behavior Monitoring OPR 1.907 |
Sandbox Solution
| Detection Name | Pattern Branch/Version |
|---|---|
| VAN_RANSOMWARE | Sandbox Behavior |
Solution Map - What should customers do?
| TREND MICRO SOLUTIONS | MAJOR PRODUCTS | LATEST VERSIONS | VIRUS PATTERN | ANTISPAM PATTERN | NETWORK PATTERN | BEHAVIOR MONITORING | PREDICTIVE MACHINE LEARNING | WEB REPUTATION |
|---|---|---|---|---|---|---|---|---|
| Endpoint Security | ApexOne | 2019 | Update pattern via web console | Not Applicable | Update pattern via web console | Enable Behavior Monitoring and update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console |
| OfficeScan | XG (12.0) | Not Applicable | ||||||
| Worry-Free Business Security | Standard (10.0) | |||||||
| Advanced (10.0) | Update pattern via web console | |||||||
| Hybrid Cloud Security | Deep Security | 12.0 | Update pattern via web console | Not Applicable | Update pattern via web console | Enable Behavior Monitoring and update pattern via web console | Enable Predictive Machine Learning | Enable Web Reputation Service and update pattern via web console |
| Email and Gateway Security | Deep Discovery Email Inspector | 3.5 | Update pattern via web console | Update pattern via web console | Update pattern via web console | Not Applicable | Not Applicable | Enable Web Reputation Service and update pattern via web console |
| InterScan Messaging Security | 9.1 | Not Applicable | ||||||
| InterScan Web Security | 6.5 | |||||||
| ScanMail for Microsoft Exchange | 14.0 | |||||||
| Network Security | Deep Discovery Inspector | 5.5 | Update pattern via web console | Not Applicable | Update pattern via web console | Not Applicable | Not Applicable | Enable Web Reputation Service and update pattern via web console |
建議
- 請確保使用最新的病毒碼來檢測Medusa Ransomware的新舊變種。請參考KB文章中的 關於如何使用趨勢科技產品保護你的網路.
- 確保執行勒索病毒保護功能和最佳做法。請參考KB文章中的 勒索病毒:使用趨勢科技產品解決方案、最佳實務配置和防護建議。.
- 你也可以查看以下文章 如何提交病毒案件給趨勢科技技術支援部門?.
- 如果需要支援,請聯繫 Trend Micro Technical Support.
Threat Report
