Repair Ransomware is Based on MedusaLocker

While going over newly discovered file samples, we came across a malicious software named Repair, which belongs to the MedusaLocker ransomware family. Repair functions as ransomware that encrypts data.

During our analysis, we observed that the program encrypted files and added a ".repair" extension to their filenames. For example, a file originally named "1.jpg" appeared as "1.jpg.repair", "2.png" as "2.png.repair", and so on.

Once the encryption process was completed, the ransomware generated an HTML file titled "How_to_back_files.html," containing the ransom note. Apart from demanding payment for decryption, this ransomware employs double extortion tactics by threatening victims with data leaks.

The ransom note clearly indicates that Repair primarily targets companies rather than individual users. It informs that the files on the company network have been encrypted, and confidential or personal data has been extracted.

The note emphasizes that only the attackers possess the capability to restore the encrypted files. Any attempts to rename, modify, or manually decrypt the files will result in irreversible data corruption.

To decrypt the files, the victim is required to pay a ransom, with a warning that refusal to comply will lead to the leaked or sold content. Failure to establish contact with the cybercriminals within 72 hours will lead to an increase in the ransom amount. Prior to meeting these demands, the victim is allowed to test decryption on up to three unimportant files.

Repair Ransom Note Copies MedusaLocker Template

The complete text of the Repair ransom note reads as follows:

YOUR PERSONAL ID: -

YOUR COMPANY NETWORK HAS BEEN PENETRATED
All your important files have been encrypted!

Your files are safe! Only modified. (RSA+AES)

ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE
WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.

No software available on internet can help you. We are the only ones able to
solve your problem.

We gathered highly confidential/personal data. These data are currently stored on
a private server. This server will be immediately destroyed after your payment.
If you decide to not pay, we will release your data to public or re-seller.
So you can expect your data to be publicly available in the near future..

We only seek money and our goal is not to damage your reputation or prevent
your business from running.

You will can send us 2-3 non-important files and we will decrypt it for free
to prove we are able to give your files back.

Contact us for price and get decryption software.

email:
suntorydots@tutanota.com
suntorydots@outlook.com

To contact us, create a new free email account on the site: protonmail.com
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

Tor-chat to always be in touch:

What Are the Most Common Distribution Vectors for Ransomware?

Ransomware can infiltrate systems through various distribution vectors, but some of the most common ones include:

Phishing Emails: Phishing emails are a primary method for ransomware distribution. Attackers send deceptive emails containing malicious attachments or links, often posing as legitimate entities or organizations. Clicking on these attachments or links can trigger the download and execution of ransomware.

Malicious Websites: Ransomware can be distributed through compromised or malicious websites. Visiting such websites or clicking on malicious ads can lead to the automatic download and installation of ransomware onto the victim's system.

Exploit Kits: Exploit kits are toolkits that contain pre-written code designed to exploit vulnerabilities in software or web browsers. Cybercriminals use exploit kits to automatically identify and exploit vulnerabilities in systems, allowing them to deliver ransomware payloads without user interaction.

Software Vulnerabilities: Ransomware creators often exploit known vulnerabilities in operating systems or software applications to gain unauthorized access to systems. Failure to install security patches and updates leaves systems susceptible to exploitation by ransomware.

Drive-by Downloads: Drive-by downloads occur when ransomware is downloaded and installed onto a victim's system without their knowledge or consent. This often happens when visiting compromised websites or clicking on malicious links.

Social Engineering Tactics: Ransomware distributors often use social engineering tactics to trick users into executing malicious code. This may include enticing users to download and run malicious software through deceptive ads, fake software updates, or fraudulent offers.

To mitigate the risk of ransomware infections, users and organizations should implement robust cybersecurity measures, such as regular software updates, employee training on identifying phishing emails, and the use of reputable antivirus software and firewalls. Additionally, maintaining regular backups of critical data is essential for recovery in the event of a ransomware attack.