Marlock Ransomware
Introduction: Marlock ransomware was first identified in the wild in September 2021 and is considered an evolution of MedusaLocker, sharing functional similarities with Medusa and Huylock. This variant practices double extortion, demanding payment for a decryptor and non-release of stolen data.
Targets: Marlock ransomware targets a diverse range of industries, including healthcare, finance, manufacturing, and government agencies.
Propagation: Initial access and delivery methods may vary across campaigns. Marlock actors are known to exploit vulnerabilities in ScreenConnect and Remote Desktop Protocol (RDP) for their initial foothold.
Technical Details:
- Evolution from MedusaLocker:
  - Marlock emerged in September 2021, evolving from the MedusaLocker family.
  - It functions similarly to recent samples of Medusa and Huylock ransomware.
- Self-Spreading and Data Deletion:
  - Marlock is capable of self-spreading to mapped drives and deletes Volume Shadow Copies through WMIC to hinder system recovery.
  - The ransomware terminates processes that might interfere with the encryption process.
- Ransom Note and Communication:
  - Infected victims are instructed to connect to the attacker’s payment portal (.onion) through the TOR network.
  - Additional email addresses are provided for victim support.
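The shadow-copy deletion described above is one of the most reliable host-level signals for this family, because backup destruction almost always precedes encryption. The following is an added example (not code from the original page or from any vendor product) of detection logic that scans process-creation events for it. The event shape is a constructed simplification of Sysmon Event ID 1 / Windows Security 4688 fields, the sample events are made up, and the vssadmin rule is an assumed generalisation beyond the WMIC case the page names.

```python
"""Detect Volume Shadow Copy deletion in process-creation telemetry.

Added example, not from the original page. Rules are applied to the full
command line rather than the image name so that wrappers such as
"cmd.exe /c wmic shadowcopy delete" are still caught.
"""
import re
from dataclasses import dataclass


@dataclass
class Alert:
    host: str
    rule: str
    cmdline: str


# (rule name, case-insensitive command-line regex).
# \s+ / .* tolerate extra whitespace or switches inserted between tokens.
RULES = [
    # The WMIC method the profile attributes to Marlock.
    ("shadowcopy_delete_wmic", r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    # Assumed generalisation: the equivalent vssadmin invocation.
    ("shadowcopy_delete_vssadmin", r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
]
_COMPILED = [(name, re.compile(pattern, re.IGNORECASE)) for name, pattern in RULES]


def match_event(event: dict) -> list[str]:
    """Return the names of every rule the event's command line matches."""
    cmdline = event.get("cmdline", "")
    return [name for name, rx in _COMPILED if rx.search(cmdline)]


def scan(events: list[dict]) -> list[Alert]:
    """Run all rules over a batch of events and collect alerts."""
    alerts: list[Alert] = []
    for ev in events:
        for rule in match_event(ev):
            alerts.append(Alert(ev["host"], rule, ev["cmdline"]))
    return alerts


# Constructed sample events: two benign administrative commands and three
# shadow-copy deletions with varying casing, spacing and wrapping.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption"},
    {"host": "srv02", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -Command "Get-ChildItem C:\\"'},
    {"host": "srv02", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "WMIC.exe  SHADOWCOPY  DELETE /nointeractive"},
]


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.cmdline}")
```

Because legitimate administrators rarely delete all shadow copies from a workstation, this rule can be tuned by exempting a small allow-list of backup-management hosts rather than by loosening the pattern.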
Detection Strategies: EDR is equipped to identify and prevent any malicious activities and items associated with Marlock Ransomware.
For those without EDR, a multi-layered detection approach is recommended:
- Security Tools:
  - Employ anti-malware software or other security tools capable of detecting and blocking known ransomware variants.
- Network Traffic Monitoring:
  - Regularly monitor network traffic for indicators of compromise, such as unusual patterns or communication with known command-and-control servers.
- Security Audits:
  - Conduct periodic security audits to identify vulnerabilities and ensure security controls are functioning effectively.
- Education & Training:
  - Educate and train employees on cybersecurity best practices to recognize and report suspicious emails and threats.
- Backup & Recovery Planning:
  - Implement a robust backup and recovery plan to restore data in the event of an attack.
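To make the network-monitoring item above concrete, here is an added example (not from the original page) of flow-log triage for two indicators this profile supports: inbound RDP from outside the organisation, which is the initial-access path the Propagation section names, and outbound connections to known-bad addresses. The flow-record format, the internal address ranges, the IoC list and all sample records are constructed; in practice the records would come from NetFlow or firewall logs and the IoC set from a current threat-intelligence feed.

```python
"""Triage network flow records for RDP exposure and known-bad destinations.

Added example, not from the original page. Record format (constructed):
"<unix_ts> <src_ip> <src_port> <dst_ip> <dst_port> <proto> <bytes>".
"""
import ipaddress
from collections import Counter, defaultdict

# Assumption: the organisation uses only RFC 1918 space internally.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Placeholder IoC list (constructed, documentation-range addresses);
# replace with the current threat-intel feed.
KNOWN_BAD = {"203.0.113.45", "198.51.100.7"}
RDP_PORT = 3389
# One external source reaching this many distinct internal RDP endpoints
# is treated as a fan-out / scanning pattern.
FANOUT_THRESHOLD = 3


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> dict:
    """Parse one space-separated flow record into typed fields."""
    ts, src, sport, dst, dport, proto, nbytes = line.split()
    return {"ts": int(ts), "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def triage(lines: list[str]) -> list[tuple[str, dict]]:
    """Return (rule, detail) findings for the given flow records."""
    findings: list[tuple[str, dict]] = []
    rdp_targets: dict[str, set[str]] = defaultdict(set)
    for rec in map(parse_flow, lines):
        # Rule 1: RDP reached from a non-internal source.
        if (rec["dport"] == RDP_PORT and rec["proto"] == "tcp"
                and not is_internal(rec["src"]) and is_internal(rec["dst"])):
            findings.append(("external_rdp_inbound", rec))
            rdp_targets[rec["src"]].add(rec["dst"])
        # Rule 2: any outbound flow to a known-bad address.
        if rec["dst"] in KNOWN_BAD and is_internal(rec["src"]):
            findings.append(("known_c2_destination", rec))
    # Rule 3: fan-out pattern derived from rule 1 hits.
    for src, targets in rdp_targets.items():
        if len(targets) >= FANOUT_THRESHOLD:
            findings.append(("external_rdp_fanout",
                             {"src": src, "targets": sorted(targets)}))
    return findings


def summarize(findings: list[tuple[str, dict]]) -> Counter:
    """Count findings per rule name."""
    return Counter(rule for rule, _ in findings)


# Constructed sample flows.
SAMPLE_FLOWS = [
    "1700000000 198.51.100.200 51234 192.168.1.10 3389 tcp 1200",
    "1700000005 192.168.1.20 49152 192.168.1.10 3389 tcp 800",
    "1700000010 192.168.1.10 49300 203.0.113.45 443 tcp 5400",
    "1700000015 192.168.1.10 49301 198.51.100.50 443 tcp 9000",
    "1700000020 198.51.100.200 51235 192.168.1.11 3389 tcp 1100",
    "1700000025 198.51.100.200 51236 192.168.1.12 3389 tcp 1150",
]


if __name__ == "__main__":
    results = triage(SAMPLE_FLOWS)
    for rule, detail in results:
        print(rule, detail)
    print(dict(summarize(results)))
```

The fan-out rule is the "unusual pattern" piece: a single IoC match is noisy on its own, but one external address touching several internal RDP endpoints in a short window is the shape of an initial-access attempt and deserves a ticket even when no address in the flow is on a blocklist.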
Mitigation Measures: For EDR customers, the EDR can restore systems to their original state using the Repair or Rollback feature.
For those without EDR, alongside detection strategies, consider the following mitigation steps:
- Employee Education:
  - Educate employees on ransomware risks and train them to identify and avoid phishing emails and malicious attachments.
- Strong Passwords:
  - Implement strong, unique passwords for all user accounts, regularly updating and rotating them.
- Multi-Factor Authentication (MFA):
  - Enable MFA for user accounts to add an extra layer of security.
- System Updates and Patching:
  - Regularly update and patch systems to fix vulnerabilities and prevent exploitation.
- Backup and Disaster Recovery (BDR):
  - Establish and regularly test backup and disaster recovery processes to ensure quick data restoration.
A proactive and vigilant security approach is vital to effectively mitigate the risk of Marlock Ransomware attacks.