Last week we came across ransomware with unique evasion techniques in a new variant, or possibly a copycat, of the MedusaLocker ransomware. MedusaLocker ransomware, first seen in September 2019, came with a batch file to evade detection.
Batch files contain script commands running in a Command Prompt on Windows machines and have the .bat extension. In the malicious batch file that came with the ransomware payload, we found a command that edits the Windows registry to remove Windows Defender when the computer is booted into safe mode without networking enabled (Minimal mode).
reg delete HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend /f
This command reads: delete the registry entry “HKLM\System\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend” without prompting for confirmation. The location of the registry entry indicates this affects the computer when booting into safe mode.
Additionally, we also found the batch file adds MedusaLocker as a service called “backupvt” and configures it to run on every boot into safe mode Minimal. This hides the file name when looking at the services. It also makes MedusaLocker available to run in safe mode Minimal.
After setting up the safe mode environment to where it can run without interference. The batch files configure the next bootup of the computer to run in safe mode Minimal and reboots the computer silently. When the computer boots back up, it enters safe mode and starts the MedusaLocker service. Next MedusaLocker runs and encrypts all files on the victim’s computer without any worry of an anti-virus blocking it.
While this isn’t a new evasion technique in general, as far as we know no other ransomware attack uses this technique to get around antivirus software. Booting to safe mode like this also prevents nearly all 3rd party antivirus from running, making MedusaLocker especially difficult to detect.
This ransomware attack proved highly evasive and effective in getting around traditional endpoint antimalware protections, highlighting the need for a layered security approach. In our testing, WatchGuard’s cloud sandbox-based APT Blocker identified and blocked the threat both at the perimeter and in combination with the Threat Detection and Response (TDR) endpoint agent, but only after it slipped past signature-based detection services.
TDR’s Host Ransomware Prevention (HRP) module also quickly identifies and blocks the MedusaLocker payload from encrypting the victim’s computer, but only if the ransomware executes while the TDR service is running and not in safe mode. Because it’s extremely risky to run third-party drivers like anti-malware engines in safe mode, you likely won’t see many engines catching this threat if it makes it that far.
Regardless, watch out for batch files downloaded from the Internet. They can run code and manipulate the registry to disable any antivirus installed with this safe mode trick. Never run an unknown file without verifying the source.