"New MedusaLocker Ransomware Variant Deployed by Threat Actor"
According to security researchers at Cisco Talos, a financially motivated threat actor has been observed targeting organizations globally with a MedusaLocker ransomware variant. Known as "BabyLockerKZ," the variant has been around since at least late 2023, and this is the first time it has been specifically called out as a MedusaLocker variant. The researchers noted that this variant uses the same chat and leak site URLs as the original MedusaLocker ransomware. However, it uses a different autorun key and stores an extra public and private key set in the registry. The researchers stated that the attacker has been active since at least 2022, initially focusing on targets in European countries such as France, Germany, Spain, and Italy. Since the second quarter of 2023, the actor has shifted its focus towards South American countries such as Brazil, Mexico, Argentina, and Colombia, with the volume of victims per month almost doubling as a result. The researchers noted that the attacks kept a steady volume of around 200 unique IPs compromised per month until the first quarter of 2024, when attacks decreased. The threat actor is believed to be working either as an initial access broker or as an affiliate of a ransomware cartel.
Infosecurity Magazine reports: "New MedusaLocker Ransomware Variant Deployed by Threat Actor"