Full Report
MedusaLocker3/FarAttack Ransomware (.farattack, .itlock*, .busavelock*) Support - posted in Ransomware Help & Tech Support: The MedusaLocker gang now uses MedusaLocker3 (FarAttack) which is an updated version of their code. Threat actors using MedusaLocker3 ransomware are also known to deploy the GlobeImposter 2.0 ransomware alongside the MedusaLocker payload...they use the exact same extension (.savelock**, .busavelock**, and .itlock**) for both malware...
Analysis Summary
# Tool/Technique: MedusaLocker3 (FarAttack)
## Overview
MedusaLocker3, also referred to as "FarAttack," is an evolved version of the MedusaLocker ransomware family. It marks a break in the group's development process: the code base was rewritten rather than patched (notably in the Rust programming language). It is frequently deployed in coordinated attacks alongside GlobeImposter 2.0, with both payloads writing the same file extensions, which defeats identification by extension alone and complicates the choice of a recovery route.
## Technical Details
- **Type:** Malware family (Ransomware)
- **Platform:** Windows
- **Capabilities:** Rapid file encryption with a family-specific footer; co-deployment with GlobeImposter 2.0 under shared file extensions.
- **First Seen:** Approximately January 2022 (per id-ransomware reports)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1133 - External Remote Services] (exposed RDP, see Mitigation Strategies)
- **[TA0002 - Execution]**
- [T1204.002 - User Execution: Malicious File]
- **[TA0005 - Defense Evasion]**
- [T1027 - Obfuscated Files or Information]
- **[TA0040 - Impact]**
- [T1486 - Data Encrypted for Impact]
- [T1489 - Service Stop] (database and security-software processes terminated before encryption)
- [T1490 - Inhibit System Recovery]
## Functionality
### Core Capabilities
- **Rust-Based Architecture:** The rewrite in Rust changes the reversing workload rather than the malware's behaviour. Rust binaries carry large amounts of monomorphised and inlined standard-library code, use a non-C calling convention, and enjoy weaker decompiler support, so they take longer to analyse than the C++ MedusaLocker builds. Memory safety mainly benefits the operator (fewer crashes mid-encryption); it does not by itself hinder analysis.
- **File Encryption:** Encrypts user data and appends one of the campaign's target extensions (e.g., `.farattack`, `.itlock`).
- **Data Footers:** Appends a family-specific data structure (footer) to the end of each encrypted file. Because the extension is shared with GlobeImposter 2.0 in the same campaign, this footer, not the extension, is the primary way to tell the two families apart.
### Advanced Features
- **Concurrent Deployment:** Operators run MedusaLocker3 and GlobeImposter 2.0 in the same intrusion, so a single host can hold files encrypted by either binary.
- **Shared Extension Masking:** Both payloads append the same extensions (`.savelock`, `.busavelock`, `.itlock`) within one campaign, so extension-based identification, and any decryptor chosen on that basis, is unreliable for these victims.
## Indicators of Compromise
- **File Extensions:**
- `.farattack`
- `.itlock` (plus variations with numbers)
- `.busavelock` (plus variations with numbers)
- `.savelock`
- **File Names:** Typically `[original_filename].[extension]` or `[original_filename].[ID].[extension]`
- **Behavioral Indicators:**
- Massive file renaming operations.
- Termination of database services and security software processes prior to encryption.
- Deletion of Shadow Copies (`vssadmin.exe delete shadows /all /quiet`).
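The naming and footer points above, as an added example that is not from the original post and does not reflect the real footer layout of either family: a Python triage script that matches the listed extensions (including the numbered variants), separates an optional `[ID]` segment, and groups encrypted files by their trailing bytes so that two encryptors sharing one extension show up as two footer clusters. The `[ID]` format (uppercase hex, 8 to 16 characters), the two trailer byte strings and the sample file names are assumptions constructed for the example.

```python
"""Triage of encrypted-file samples: match the IOC extensions, strip the
ransomware suffix, and group files by their trailing bytes (footer)."""
import hashlib
import re
from collections import defaultdict

# Extensions from the IOC list; \d* covers the numbered variants.
# The optional [ID] segment (uppercase hex, 8-16 chars) is an assumption;
# adjust it to the naming seen in the incident at hand.
ENCRYPTED_NAME_RE = re.compile(
    r"^(?P<original>.+?)"
    r"(?:\.(?P<victim_id>[A-F0-9]{8,16}))?"
    r"\.(?P<ext>(?i:farattack|itlock\d*|busavelock\d*|savelock\d*))$"
)


def parse_encrypted_name(filename):
    """Return (original_name, victim_id_or_None, extension) or None when the
    name does not carry one of the listed extensions."""
    m = ENCRYPTED_NAME_RE.match(filename)
    if not m:
        return None
    return m.group("original"), m.group("victim_id"), m.group("ext").lower()


def common_suffix_len(a, b):
    """Number of trailing bytes shared by two byte strings."""
    n = 0
    for x, y in zip(reversed(a), reversed(b)):
        if x != y:
            break
        n += 1
    return n


def cluster_by_footer(samples, min_common=8):
    """Group samples (name -> bytes) that share at least min_common trailing
    bytes. Files written by the same encryptor share its fixed footer layout
    even when the extension is identical across families."""
    clusters = []  # list of (representative_bytes, [names])
    for name, data in samples.items():
        for rep, members in clusters:
            if common_suffix_len(rep, data) >= min_common:
                members.append(name)
                break
        else:
            clusters.append((data, [name]))
    return [members for _, members in clusters]


def triage(samples, min_common=8):
    """Per extension, return the footer clusters. Two or more clusters under
    one extension means more than one encryptor wrote files with it."""
    by_ext = defaultdict(dict)
    for name, data in samples.items():
        parsed = parse_encrypted_name(name)
        if parsed:
            by_ext[parsed[2]][name] = data
    return {ext: cluster_by_footer(files, min_common) for ext, files in by_ext.items()}


# Constructed samples. The two trailers are invented for this example; the
# page does not document the real footer bytes of either family.
TRAILER_A = b"\x11\x22\x33\x44\x55\x66\x77\x88"
TRAILER_B = b"\xaa\xbb\xcc\xdd\xee\xff\x00\x01"


def fake_encrypted_file(name, trailer, size=64):
    # Deterministic pseudo-ciphertext, a per-file 16-byte blob, then the trailer.
    body = hashlib.sha256(name.encode()).digest() * (size // 32)
    blob = hashlib.sha256(b"blob:" + name.encode()).digest()[:16]
    return body + blob + trailer


SAMPLES = {
    "report.docx.itlock3": fake_encrypted_file("report.docx.itlock3", TRAILER_A),
    "budget.xlsx.3F2A9C1B.itlock3": fake_encrypted_file("budget.xlsx.3F2A9C1B.itlock3", TRAILER_A),
    "notes.txt.itlock3": fake_encrypted_file("notes.txt.itlock3", TRAILER_B),
    "photo.jpg.farattack": fake_encrypted_file("photo.jpg.farattack", TRAILER_A),
    "readme.html": b"<html>not encrypted</html>",
}

if __name__ == "__main__":
    for ext, clusters in triage(SAMPLES).items():
        print(ext, len(clusters), "footer cluster(s):", clusters)
```

On real samples, read only the last few hundred bytes of each file rather than loading whole files, and raise `min_common` if a family's footer ends in per-file data rather than a constant marker; in that case compare the structure (field lengths and fixed offsets) instead of raw trailing bytes.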
## Associated Threat Actors
- **MedusaLocker Gang** (The primary developers and operators).
- Shared TTPs suggest collaboration or overlapping affiliates with **GlobeImposter** operators.
## Detection Methods
- **Signature-based detection:** Match the campaign's strings (the "FarAttack" name, ransom-note content, the listed extensions) in binaries and on disk. Being Rust-compiled is not an indicator on its own, since many legitimate programs are; pair any Rust heuristic with the campaign-specific strings.
- **Behavioral detection:** Identify rapid file encryption patterns (a high rate of renames to the listed extensions from one process) and the execution of commands aimed at inhibiting system recovery (`vssadmin.exe delete shadows`).
- **Footer Analysis:** Manual or automated inspection of the trailing bytes (end-of-file structure) to separate MedusaLocker3 samples from GlobeImposter 2.0 samples that carry the same extension.
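Detection logic for the behavioral indicators, added here as an example (not from the original page or from any vendor's rule set): two rules run over constructed telemetry, one matching shadow-copy deletion on a process command line, the other counting renames to the campaign extensions per process inside a sliding time window. The event schema, process names, paths and timestamps are invented for the sample.

```python
"""Behavioural detections for the indicators above, run over constructed
telemetry: a recovery-inhibition rule (vssadmin shadow deletion) and a
mass-rename rule keyed on the campaign's file extensions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tolerant of argument order and case; "vssadmin list shadows" does not match.
VSS_DELETE_RE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
IOC_EXT_RE = re.compile(
    r"\.(?:farattack|itlock\d*|busavelock\d*|savelock\d*)$", re.IGNORECASE)


def detect_recovery_inhibition(events):
    """Alert on process-creation events whose command line deletes shadow copies."""
    return [
        {"rule": "vss_shadow_delete", "ts": e["ts"], "pid": e["pid"], "cmdline": e["cmdline"]}
        for e in events
        if e["type"] == "process" and VSS_DELETE_RE.search(e["cmdline"])
    ]


def detect_mass_rename(events, window=timedelta(seconds=60), threshold=100):
    """Alert once per process that renames >= threshold files to an IOC
    extension inside a sliding time window."""
    recent = defaultdict(deque)  # pid -> timestamps of qualifying renames
    alerted = set()
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] != "rename" or not IOC_EXT_RE.search(e["new"]):
            continue
        q = recent[e["pid"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and e["pid"] not in alerted:
            alerted.add(e["pid"])
            alerts.append({"rule": "mass_rename_ioc_ext", "pid": e["pid"],
                           "image": e["image"], "count": len(q),
                           "first": q[0], "last": e["ts"]})
    return alerts


# Constructed sample telemetry (schema, names and paths are invented).
T0 = datetime(2024, 3, 1, 9, 0, 0)


def build_sample_events():
    events = [
        {"type": "process", "ts": T0, "pid": 4312,
         "image": r"C:\Users\Public\update.exe",
         "cmdline": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
        {"type": "process", "ts": T0 + timedelta(seconds=1), "pid": 5000,
         "image": r"C:\Windows\System32\vssadmin.exe",
         "cmdline": "vssadmin.exe list shadows"},
    ]
    # 150 renames to .itlock3 by one process within 30 seconds
    for i in range(150):
        events.append({"type": "rename", "ts": T0 + timedelta(seconds=2 + i * 0.2),
                       "pid": 4312, "image": r"C:\Users\Public\update.exe",
                       "old": rf"D:\share\doc{i}.docx",
                       "new": rf"D:\share\doc{i}.docx.itlock3"})
    # a user renaming a handful of files normally (no IOC extension)
    for i in range(5):
        events.append({"type": "rename", "ts": T0 + timedelta(seconds=10 + i),
                       "pid": 1200, "image": r"C:\Windows\explorer.exe",
                       "old": rf"C:\Users\jdoe\old{i}.txt",
                       "new": rf"C:\Users\jdoe\new{i}.txt"})
    return events


if __name__ == "__main__":
    ev = build_sample_events()
    for alert in detect_recovery_inhibition(ev) + detect_mass_rename(ev):
        print(alert)
```

The threshold and window are starting points; on file servers, baseline legitimate rename rates (backup agents, sync clients) per process image before tuning, and keep the extension filter, since that is what separates this campaign's activity from bulk renames by administrators.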
## Mitigation Strategies
- **Prevention measures:** Harden RDP (MFA, account lockout policies, no direct exposure to the internet), as RDP is a common entry vector for these groups.
- **Hardening recommendations:** Disable administrative shares (C$, Admin$) where not required and implement the principle of least privilege.
- **Data Protection:** Maintain offline, immutable backups that are not accessible from the primary production network.
## Related Tools/Techniques
- **GlobeImposter 2.0:** Frequently deployed alongside MedusaLocker3.
- **MedusaLocker (Original):** The predecessor version of the malware.
- **Rust-based Malware:** Reflects a growing trend in ransomware development (similar to BlackCat/ALPHV).