The financially motivated threat actor known as “PaidMemes” has been active since late 2022, distributing a new variant of the MedusaLocker ransomware [2] [7], dubbed “BabyLockerKZ.” Initially targeting European organizations, the group shifted its focus to Central and South America by mid-2023, with Brazil being the most targeted country [3] [6]. Despite a decrease in overall attack volume by early 2024, the number of victims per month has doubled since early 2023. This text provides a detailed description of the BabyLockerKZ ransomware and its implications.
## Description
A financially motivated threat actor [4] [5] [8] [9] [10], known as “PaidMemes,” has been active since late 2022, distributing a new variant of the MedusaLocker ransomware called “BabyLockerKZ.” This group initially targeted organizations in European countries, particularly France [3] [4] [6], Germany [3] [6], Spain [3] [6], and Italy [3] [6] [10], before shifting its focus to Central and South America by mid-2023. Brazil has emerged as the most targeted country in this region, followed by Mexico [3], Argentina [3], and Colombia [3]. Reports indicate a steady attack volume of approximately 200 unique IPs per month; although the overall volume of attacks had decreased by early 2024, the number of victims per month has doubled since early 2023.
BabyLockerKZ shares similarities with the original MedusaLocker but incorporates distinct changes in key management and attack tools [1]. Notably, it lacks a specific mutex ({8761ABBD-7F85-42EE-B272-A76179687C63}) and an MDSLK registry key [7], while featuring a unique autorun key and a set of PAIDMEMES public and private keys stored in the registry. The ransomware employs a lateral movement tool named “Checker,” which automates credential management and facilitates lateral movement within compromised networks. This tool integrates several utilities [6], including Remote Desktop Plus and Mimikatz [3], and is linked to the actor through a unique PDB path containing the string “paid_memes.”
BabyLockerKZ is notable for its distinctive techniques, including the consistent storage of tools in common user folders such as Music, Pictures [3] [6] [8], or Documents [1] [3] [6] [8]. The use of publicly available network scanners, such as HRSword and Advanced Port Scanner [9], allows the attackers to disable security measures and map internal networks [9]. The ransomware utilizes the same chat and leak site URLs as the original MedusaLocker [5], further indicating its reliance on similar infrastructure.
Indicators of Compromise (IOCs) for BabyLockerKZ include specific hashes [7] [10], registry keys [3] [4] [6] [7] [8] [10], and a list of observed file extensions associated with the ransomware [7], such as “crypto125,” “hazard,” and “locked9.” The encryption key used by BabyLockerKZ is “PUTINHUILO1337,” and its mutex is “HOHOL1488.” Further investigation into the PAIDMEMES keys is suggested [7], as their role in the encryption process remains unclear [7].
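The host-level artifacts described above (the PAIDMEMES and MDSLK registry values, the observed ransom file extensions, and tooling staged in Music, Pictures or Documents) lend themselves to a simple offline triage check. The following Python script is an added example, not code from the page or from Talos; the registry key path, value names and all sample data are constructed placeholders, since the write-up does not give the actual key locations.

```python
from collections import Counter

# Indicators from the write-up; value names, key paths and sample data are constructed.
ENCRYPTED_EXTS = {".crypto125", ".hazard", ".locked9"}
REGISTRY_MARKERS = ("PAIDMEMES", "MDSLK")
STAGING_DIRS = ("\\music\\", "\\pictures\\", "\\documents\\")
EXEC_EXTS = (".exe", ".dll", ".bat", ".ps1")

def scan_registry_export(reg_lines):
    """Return (key, value_name) pairs whose value name carries a marker string."""
    hits, current_key = [], None
    for line in (l.strip() for l in reg_lines):
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]  # .reg section header gives the key path
        elif "=" in line and current_key:
            name = line.split("=", 1)[0].strip('"')
            if any(m in name.upper() for m in REGISTRY_MARKERS):
                hits.append((current_key, name))
    return hits

def scan_file_listing(paths):
    """Count files carrying a known ransom extension; flag executables staged in user media folders."""
    encrypted, staged = Counter(), []
    for p in paths:
        low = p.lower()
        ext = "." + low.rsplit(".", 1)[-1] if "." in low else ""
        if ext in ENCRYPTED_EXTS:
            encrypted[ext] += 1
        if low.endswith(EXEC_EXTS) and any(d in low for d in STAGING_DIRS):
            staged.append(p)
    return encrypted, staged

def triage(reg_lines, paths):
    """Run both checks; 'families' counts how many independent indicator types fired."""
    reg_hits = scan_registry_export(reg_lines)
    encrypted, staged = scan_file_listing(paths)
    return {"registry": reg_hits, "encrypted_by_ext": dict(encrypted), "staged_tools": staged,
            "families": sum(bool(x) for x in (reg_hits, encrypted, staged))}

# Constructed sample input: a fragment of a .reg export and a directory listing.
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\EXAMPLE_VENDOR]
"PAIDMEMES_PUBLIC"="MIIBIjANBgkq..."
"PAIDMEMES_PRIVATE"="MIIEvQIBADAN..."
"Theme"="dark"
""".splitlines()
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.crypto125",
    r"C:\Users\alice\Pictures\checker.exe",
    r"C:\Program Files\Vendor\app.exe",
]
```

Feed it a `reg export` of the user hives and a recursive directory listing from the suspect host; a result where several indicator families fire together is a much stronger signal than any single ransom extension.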
The challenges of defending against such ransomware attacks are particularly significant for small and medium-sized businesses [6], which often lack the resources for effective cybersecurity measures like multi-factor authentication (MFA) and single sign-on (SSO) [6]. As larger organizations improve their defenses [6], smaller businesses are increasingly becoming targets for ransomware actors seeking financial gain [6]. Additionally, the recent discovery of a significant Windows credential data dump by Cisco Talos provides further insights into the criminal activities and the victims affected by this ransomware variant. Organizations are advised to enhance their defenses against credential theft and lateral movement [1], ensuring that endpoint detection and response (EDR) solutions are robust against these evolving threats [1]. Detection and prevention measures [8] [10], including Cisco Secure Endpoint [8] [10], Cisco Secure Web Appliance [8] [10], and Cisco Secure Email [8], can help block malicious activities associated with this threat [8] [10].
## Conclusion
The emergence of BabyLockerKZ highlights the evolving tactics of ransomware groups like PaidMemes, emphasizing the need for robust cybersecurity measures. Small and medium-sized businesses [6], in particular [6], must prioritize enhancing their defenses against credential theft and lateral movement [1]. As threat actors continue to adapt, organizations should invest in comprehensive security solutions, such as multi-factor authentication and endpoint detection and response systems, to mitigate the risks posed by such sophisticated ransomware attacks.
## References
[1] https://bragg.substack.com/p/daily-drop-881-tat-openai-canvas
[2] https://cyber.vumetric.com/security-news/2024/10/03/ransomware-crew-infects-100-orgs-monthly-with-new-medusalocker-variant/
[3] https://redskyalliance.org/xindustry/medusalocker-ransomware
[4] https://blog.netmanageit.com/threat-actor-believed-to-be-spreading-new-medusalocker-variant-since-2022/
[5] https://www.infosecurity-magazine.com/news/medusalocker-ransomware-deployed/
[6] https://www.threatshub.org/blog/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant/
[7] https://blog.talosintelligence.com/threat-actor-believed-to-be-spreading-new-medusalocker-variant-since-2022/
[8] https://www.hendryadrian.com/new-medusalocker-variant-linked-to-ongoing-threat-actor-since-2022/
[9] https://thecyberwire.com/podcasts/daily-podcast/2163/transcript
[10] https://news.backbox.org/2024/10/03/threat-actor-believed-to-be-spreading-new-medusalocker-variant-since-2022/