
Threat actors exploit MedusaLocker to target 100 businesses monthly


Illustration: JMiks | Shutterstock

A new wave of ransomware attacks is hitting more than 100 small and medium-sized businesses a month worldwide. The attacker is deploying a MedusaLocker variant known as ‘BabyLockerKZ’. The threat actor, dubbed ‘PaidMemes’, has compromised more than 100 organisations per month since at least 2022.

PaidMemes is believed to be financially motivated, either operating as a ransomware cartel affiliate or an initial access broker selling access to compromised systems, reports The Register.

While PaidMemes initially focused on France, Germany, Spain, and Italy, the extortionists later shifted their focus to Brazil, Mexico, Argentina, and Colombia. Researchers have also located victims in the U.S., UK, Hong Kong, South Korea, Australia, and Japan.

Interestingly, despite the widespread impact, PaidMemes is not seeking multimillion-dollar ransoms but demanding smaller payments of $30,000 to $50,000. The strategy is dangerous in its own way: it preys on businesses that lack the resources to defend themselves or to recover without paying.

Researchers have described the attacks as highly opportunistic, noting that PaidMemes often hits small businesses and single-employee companies. “They are not going after specific targets,” says Nick Biasini, head of outreach at Talos.

While previous MedusaLocker campaigns have exploited exposed or weakly configured Remote Desktop Protocol (RDP) services and phishing, how PaidMemes initially gains access to victims’ systems remains uncertain.

Talos’ analysis points to a dump of compromised Windows credentials, collected by tools the threat actor deployed on infected networks. One key tool, known as ‘Checker’, bundles several programs, including Remote Desktop Plus and Mimikatz, which let the attacker gather and manage credentials to facilitate lateral movement within networks.


PaidMemes’ toolkit resembles a system administrator’s, albeit used with malicious intent. Tools seen in the attacks include Mimikatz, used to extract additional credentials from memory, and other freely available code used to disable antivirus software and other security controls.

The attacker also uses ordinary user directories, such as the Music or Documents folders on compromised computers, to store tooling and manage the campaign.
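The two behaviours described above, credential dumping from memory and tooling staged in a user’s Music or Documents folder, are both visible in ordinary endpoint telemetry. The following detection pass is an added example, not code from the article or from Talos: it walks a handful of constructed Sysmon-style events (the field names EventID, Image, TargetImage and GrantedAccess are Sysmon’s; the paths, PIDs and file names are hypothetical) and flags executables launched from those folders and processes that open lsass.exe with a read-memory access mask. The access-mask list is a heuristic assumption about credential-dumping tooling in general, not a signature for any tool named in the article.

```python
"""Toy detection pass over constructed Sysmon-style events.

Added example, not part of the original article or of Talos' reporting.
All event records below are constructed for illustration; every path,
PID and file name is hypothetical.
"""
import re
from dataclasses import dataclass

# The article says the actor staged tools in users' Music and Documents
# folders. Match any executable launched from (or beneath) those folders.
STAGING_DIRS = re.compile(r"\\Users\\[^\\]+\\(Music|Documents)\\", re.IGNORECASE)

# Access masks commonly requested when a process reads LSASS memory
# (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION and a few variants).
# Assumption: this is a heuristic set, not a signature for any one tool.
SUSPICIOUS_LSASS_MASKS = {"0x1010", "0x1410", "0x1438", "0x1fffff"}


@dataclass
class Finding:
    rule: str
    event: dict


def detect(events):
    """Return one Finding per event that matches a rule, in input order."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:  # Sysmon: process creation
            if STAGING_DIRS.search(ev.get("Image", "")):
                findings.append(Finding("exec_from_user_media_dir", ev))
        elif ev.get("EventID") == 10:  # Sysmon: ProcessAccess
            target = ev.get("TargetImage", "").lower()
            mask = ev.get("GrantedAccess", "").lower()
            if target.endswith("\\lsass.exe") and mask in SUSPICIOUS_LSASS_MASKS:
                findings.append(Finding("lsass_memory_access", ev))
    return findings


def summarize(findings):
    """Count findings per rule, handy for a quick triage view."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample telemetry (hypothetical host "WS01", user "jdoe").
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4120,
     "Image": "C:\\Users\\jdoe\\Music\\stage.exe"},                 # flagged
    {"EventID": 1, "ProcessId": 4188,
     "Image": "C:\\Program Files\\Vendor\\app.exe"},               # benign
    {"EventID": 10, "SourceImage": "C:\\Users\\jdoe\\Documents\\mm.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "GrantedAccess": "0x1010"},                                   # flagged
    {"EventID": 10, "SourceImage": "C:\\Windows\\System32\\svchost.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe",
     "GrantedAccess": "0x1000"},                                   # benign
    {"EventID": 1, "ProcessId": 4302,
     "Image": "C:\\Users\\jdoe\\Documents\\Invoices\\updater.exe"},  # flagged
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        src = f.event.get("Image") or f.event.get("SourceImage")
        print(f"{f.rule:26s} {src}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

Both rules are noisy on their own (installers run from Documents, and some backup or EDR agents legitimately read LSASS), so in practice they are correlated with the parent process, code-signing status and the account involved rather than alerted on directly.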

The main payload in these attacks, BabyLockerKZ, is a recent MedusaLocker variant, first identified by Cynet researchers in 2023. The ransomware encrypts victims’ data and demands a ransom for decryption keys.

Although BabyLockerKZ is part of the MedusaLocker ransomware family, researchers emphasise that it is distinct from Medusa ransomware, another prominent strain in the cybercriminal ecosystem.

Researchers have urged organisations to implement robust security measures, such as multi-factor authentication (MFA) and single sign-on (SSO). As larger organisations strengthen their defences, ransomware gangs are expected to continue shifting focus toward smaller targets that are less capable of defending themselves.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
