Behind MedusaLocker: what is known about the group active since 2022

23.12.2025 10 minutes Author: Cyber Witcher

This article is dedicated to a detailed analysis of a modern threat that remains largely unnoticed by the general public but poses a real risk to corporate networks. The material is based on technical observations, telemetry, and analytical data collected by cyber intelligence specialists. The publication examines how such campaigns are carried out, which approaches are used to penetrate infrastructure, and why these attacks can remain unnoticed for years.

How the updated ransomware works and who is behind it

A financially motivated threat actor, active since at least 2022, was recently observed distributing a variant of the MedusaLocker ransomware. The collected data on the tools regularly used by this group makes it possible to estimate the approximate number of victims and their countries of origin.

The group’s activity can be traced back to late 2022. Attacks have targeted organizations worldwide; in late 2022 and early 2023 the largest number of victims was in European Union countries, after which the focus shifted toward Latin America.

During these attacks, a MedusaLocker variant known as BabyLockerKZ was deployed. This sample was compiled with a PDB path containing the string paid_memes. The same marker was found in other tools used during the compromises, indicating a single developer or author.

New information has emerged about the threat actor’s toolset, including BabyLockerKZ, as well as the tactics, techniques, and indicators of compromise that can be used to detect and prevent further attacks.

Recent incidents revealed a characteristic attack chain that led to the deployment of BabyLockerKZ. Repeated techniques, such as storing the same set of tools in identical directories on compromised systems, using utilities compiled with the paid_memes PDB path, and employing a lateral movement tool known as Checker, made a deeper analysis of the group’s activity possible.

The attackers use a mix of well-known tools, living-off-the-land binaries, and a custom toolkit designed for credential theft and lateral movement within compromised networks. In most cases, these tools are wrappers around publicly available solutions, enhanced with automation features and convenient graphical or command-line interfaces.

The same developer also created the MedusaLocker variant used in these attacks. Although it uses the same chat infrastructure and leak sites, the sample differs in several ways from the original MedusaLocker: it uses a distinct persistence registry key and stores additional public and private keys in the registry. The name of the persistence key indicates that the attackers themselves refer to this variant as BabyLockerKZ.

With medium confidence, the group is assessed to be financially motivated and likely operates either as an initial access broker or as an affiliate within the ransomware ecosystem. The attacks have been conducted since at least 2022 and appear to be opportunistic, targeting victims across multiple countries.

In late 2022 and early 2023, most affected organizations were located in Europe. During 2023 the primary focus shifted to Latin America, and the average number of victims per month nearly doubled.

Tracking BabyLockerKZ on a global scale

Analysis of the tools consistently used during attacks allowed researchers to estimate the number of victims and the geographic distribution of infections. While this data does not capture the full scope of the group’s activity, it provides insight into a specific snapshot of its operations.

The activity can be traced back to at least October 2022. During that period, most targets were located in European countries such as France, Germany, Spain, and Italy. In the second quarter of 2023, the monthly number of attacks nearly doubled, with Latin American countries becoming the primary targets, including Brazil, Mexico, Argentina, and Colombia. This level of activity remained at approximately 200 unique compromised IP addresses per month until the first quarter of 2024, after which the intensity of attacks began to decline.

The threat actor has systematically compromised a large number of organizations, often more than 100 per month, since at least 2022. This indicates a professional and highly aggressive attack pattern that aligns with the operating model of an initial access broker or an affiliate within the ransomware ecosystem.

Threat actor tactics, techniques, and tools

During attacks that resulted in the deployment of BabyLockerKZ, the threat actor used a combination of widely known tools and utilities that appear to be characteristic of this specific group. Standard user directories on compromised systems, including Music, Pictures, and Documents, were regularly used to store attack tools; placing them there helps conceal malicious activity among legitimate files.

In one incident, tools were stored at the following paths:

  • c:\users\<user>\music\advanced_port_scanner_2.5.3869.exe

  • c:\users\<user>\music\hrsword\hrsword install.bat

  • c:\users\<user>\music\killav\build.004\disabler.exe

  • c:\users\<user>\music\checker\checker(222).exe

  • c:\users\<user>\music\checker\invoke-thehash.ps1

  • c:\users\<user>\music\checker\invoke-smbexec.ps1

  • c:\users\<user>\music\checker\invoke-wmiexec.ps1

  • c:\users\<user>\appdata\roaming\ntsystem\ntlhost.exe.exe

  • c:\users\<user>\appdata\local\temp\advanced port scanner 2\advanced_port_scanner.exe

  • c:\users\<user>\appdata\local\temp\is-juad3.tmp\advanced_port_scanner_2.5.3869.tmp

A similar storage pattern had already been observed during MedusaLocker attacks documented in February 2023. Telemetry data indicates that this period was one of the most active phases for this threat actor.
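The storage pattern and the paid_memes PDB marker described above can be turned into a simple hunting check. The following Python script is an added example, not part of the original article and not the group’s tooling: it walks a directory tree, flags known tool names under Music, Pictures or Documents, and extracts the PDB path from the RSDS CodeView record of any file that carries one, looking for paid_memes. The directory layout it builds (a hypothetical user alice), the fake_pe() stand-in binaries and the assumed clean path C:\src\other\disabler.pdb are constructed inputs, not real samples; the two paid_memes PDB paths are the ones quoted in the article. On a live host, point hunt() at C:\Users instead of the temporary tree.

```python
import struct
import tempfile
from pathlib import Path

# Tool name fragments the article reports under user profile folders (lowercase).
SUSPECT_NAMES = ("advanced_port_scanner", "hrsword", "disabler.exe", "checker",
                 "invoke-thehash", "invoke-smbexec", "invoke-wmiexec", "netscan.exe",
                 "processhacker", "pchunter64", "ntlhost.exe")
STAGING_DIRS = {"music", "pictures", "documents"}   # where the group parks its kit
PDB_MARKER = b"paid_memes"                           # developer's PDB path marker
MAX_READ = 32 * 1024 * 1024                          # skip huge files; the kit is small


def pdb_path(data: bytes):
    """Return the PDB path from the first RSDS CodeView record, or None.
    Record layout: 'RSDS' + 16-byte GUID + 4-byte age + NUL-terminated path.
    A plain byte search is enough for triage; a PE parser would walk the
    debug directory instead."""
    idx = data.find(b"RSDS")
    if idx < 0:
        return None
    start = idx + 4 + 16 + 4
    end = data.find(b"\x00", start)
    return data[start:end] if end > start else None


def classify(rel_path: str, data: bytes) -> list:
    """Reasons a file matches the group's tradecraft; empty list if clean."""
    parts = rel_path.lower().split("/")
    reasons = []
    if STAGING_DIRS & set(parts[:-1]) and any(n in parts[-1] for n in SUSPECT_NAMES):
        reasons.append("known tool name under a user media/documents folder")
    pdb = pdb_path(data)
    if pdb and PDB_MARKER in pdb.lower():
        reasons.append("PDB path contains paid_memes: " + pdb.decode("latin-1"))
    return reasons


def hunt(root) -> dict:
    """Walk root (e.g. C:/Users) and return {relative_path: [reasons]} for hits."""
    root = Path(root)
    hits = {}
    for p in root.rglob("*"):
        if not p.is_file() or p.stat().st_size > MAX_READ:
            continue
        rel = p.relative_to(root).as_posix()
        reasons = classify(rel, p.read_bytes())
        if reasons:
            hits[rel] = reasons
    return hits


def fake_pe(pdb: bytes) -> bytes:
    """Constructed stand-in for a compiled binary: an MZ stub followed by an
    RSDS record carrying the given PDB path. Not a real sample."""
    return b"MZ" + b"\x00" * 62 + b"RSDS" + b"\x11" * 16 + struct.pack("<I", 1) + pdb + b"\x00"


def demo() -> dict:
    """Build a constructed profile tree mirroring the reported paths and hunt it."""
    root = Path(tempfile.mkdtemp())
    layout = {  # hypothetical user 'alice'; the paid_memes PDB paths are quoted from the article
        "users/alice/music/checker/checker(222).exe":
            fake_pe(rb"E:\paid_memes\wmi_smb_rdp_checker\Release\checker.pdb"),
        "users/alice/music/checker/invoke-thehash.ps1": b"function Invoke-TheHash { }",
        "users/alice/music/killav/build.004/disabler.exe":
            fake_pe(rb"C:\src\other\disabler.pdb"),          # assumed clean PDB path
        "users/alice/appdata/roaming/ntsystem/ntlhost.exe":
            fake_pe(rb"D:\Projects\paid_memes\PTH\Release\PTH.pdb"),
        "users/alice/documents/report.docx": b"PK\x03\x04 clean document",
    }
    for rel, content in layout.items():
        f = root / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(content)
    return hunt(root)


if __name__ == "__main__":
    for path, why in demo().items():
        print(path, "->", "; ".join(why))
```

The two checks are deliberately independent: the folder-plus-name rule catches the staging habit even for renamed public tools, while the PDB marker catches the custom tooling wherever it is dropped (ntlhost.exe under AppData in the constructed tree is found only by its PDB path).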

Publicly known tools used in the attacks

Among the tools regularly observed during compromises were:

  • HRSword_v5.0.1.1.rar: Huorong Sword (HRSword), a legitimate system-analysis utility abused to disable antivirus and EDR solutions.

  • Advanced_Port_Scanner_2.5.3869.exe: a network scanning tool with additional features for mapping internal infrastructure.

  • Netscan.exe (SoftPerfect Network Scanner): an alternative to Advanced Port Scanner with similar functionality.

  • ProcessHacker.exe: a process monitoring and administration tool that allows viewing and controlling (including terminating) running processes on compromised systems.

  • PCHunter64.exe: a kernel-level system utility with similar capabilities, used for process analysis and termination.

  • Mimikatz: the well-known tool for extracting Windows user credentials from memory.

Custom tools and attack automation

Despite extensive use of publicly available tools, the threat actor also employs less common utilities designed to optimize and automate attacks. These tools combine the functionality of widely used components such as Mimikatz, Invoke-TheHash, PsExec, and RDP clients, and wrap them in user-friendly graphical or command-line interfaces.

One of the key tools of this kind is Checker, observed during attacks involving the deployment of BabyLockerKZ. Like the ransomware itself, this tool contains a PDB path with the string paid_memes. Analysis of this marker made it possible to identify a number of files in public malware repositories, most of which turned out to be BabyLockerKZ samples. Several additional tools used within the same attack ecosystem were also identified.

The Checker tool

Checker (E:\paid_memes\wmi_smb_rdp_checker\Release\checker.pdb) is an application that aggregates several freely available utilities and provides a graphical interface for credential management during lateral movement within a network. The tool is used to simplify and accelerate later stages of an attack after the initial compromise.

Checker includes the following utilities:

  • Remote Desktop Plus

  • PsExec

  • Mimikatz

In addition, the tool contains a set of scripts based on Invoke-The-Hash, allowing authentication and remote actions using NTLM hashes without requiring plaintext passwords.

Checker is equipped with a full graphical interface for tool management and an embedded database that stores collected credentials. This implementation suggests the tool is designed for systematic use in large-scale attacks rather than for one-off, manual operations.

Capabilities of the Checker tool

As shown in the illustration, the tool can scan IP addresses for valid credentials using multiple protocols and techniques, including PsExec, RDP, SMB, and WMI. It supports importing host lists and integrates with other tools in the attacker’s arsenal, such as Mimikatz and Advanced Port Scanner.

Checker is also capable of cracking hashes (NTLM hashes are one-way, so this means recovering the password by brute force rather than decrypting anything) and provides a convenient graphical interface for maintaining a database of hosts and associated credentials that were obtained or validated during the attack. This significantly simplifies tracking already compromised systems and enables further lateral movement across the network.

The PTH project

The name PTH (D:\Projects\paid_memes\PTH\Release\PTH.pdb) indicates the use of the pass-the-hash technique, which allows remote authentication using NTLM hashes without the need to crack or reveal passwords.

Analysis of the resources shows that the tool includes the following scripts:

  • Invoke-SMBClient.ps1

  • Invoke-SMBEnum.ps1

  • Invoke-SMBExec.ps1

  • Invoke-TheHash.ps1

  • Invoke-WMIExec.ps1

These same scripts were also used within Checker and are part of the Invoke-TheHash toolkit. According to the author’s description, Invoke-TheHash contains PowerShell functions for performing pass-the-hash operations via WMI and SMB. Connections are established using the .NET TCPClient, and authentication is performed by passing the NTLM hash using the NTLMv2 protocol. Notably, local administrator privileges on the client side are not required.
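To make concrete why a dumped NT hash is all that Invoke-TheHash, and therefore Checker and PTH, need, here is an added Python example computing the NTLMv2 response as specified in MS-NLMP section 3.3.2. It is not code from the article or from Invoke-TheHash. It implements MD4 itself because OpenSSL builds often disable that algorithm. The user User, domain Domain, password Password, server challenge, client challenge and target info are the values from the MS-NLMP test vectors, used here as constructed inputs, and the timestamp is fixed at 0 as in those vectors; the dumped hash line is simulated rather than read from a real Mimikatz dump.

```python
import hashlib
import hmac
import struct


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often unavailable."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    bitlen = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", bitlen)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                                  # round 1
            a, b, c, d = d, _rotl((a + F(b, c, d) + X[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                                  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                                  # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, _rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4]), b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NTOWFv1: MD4 of the UTF-16LE password. This is what sekurlsa/lsadump yields."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2: HMAC-MD5 keyed with the NT hash over UPPER(user) + domain."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_temp(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The NTLMv2_CLIENT_CHALLENGE ('temp') blob: version, Z(6), time, nonce, Z(4), AV pairs, Z(4)."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, temp: bytes):
    """Return (NtChallengeResponse, SessionBaseKey). Only the 16-byte NT hash is
    needed, never the password: that is the whole basis of pass-the-hash."""
    key = ntowf_v2(nt, user, domain)
    proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()   # NTProofStr
    session_key = hmac.new(key, proof, hashlib.md5).digest()
    return proof + temp, session_key


def demo() -> dict:
    """Same CHALLENGE, answered once from the password and once from the dumped hash."""
    user, domain, password = "User", "Domain", "Password"        # MS-NLMP test identities
    server_challenge = bytes.fromhex("0123456789abcdef")
    client_challenge = bytes.fromhex("aaaaaaaaaaaaaaaa")
    target_info = bytes.fromhex(
        "02000c0044006f006d00610069006e00"    # MsvAvNbDomainName "Domain"
        "01000c00530065007200760065007200"    # MsvAvNbComputerName "Server"
        "00000000")                            # MsvAvEOL
    temp = ntlmv2_temp(0, client_challenge, target_info)
    # Legitimate client: derives the NT hash from the typed password first.
    from_pw, _ = ntlmv2_response(nt_hash(password), user, domain, server_challenge, temp)
    # Attacker: holds only the 32-hex-character line from a credential dump (simulated here).
    dumped_line = nt_hash(password).hex()
    from_hash, session_key = ntlmv2_response(bytes.fromhex(dumped_line), user, domain,
                                             server_challenge, temp)
    return {"nt_hash": dumped_line,
            "proof_from_password": from_pw[:16].hex(),
            "proof_from_hash": from_hash[:16].hex(),
            "session_key": session_key.hex()}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The server only ever compares NTProofStr, and NTProofStr is derived from NTOWFv2, which is derived from the NT hash; the password enters the computation nowhere else. That is why Invoke-TheHash can build a valid NTLMv2 AUTHENTICATE message over a raw TCPClient socket from a dumped hash, and why rotating a password is the only remediation for a leaked hash.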

The MIMIK tool

MIMIK (D:\Projects\paid_memes\mimik\Release\stub_mimik.pdb) is a wrapper around Mimikatz and rclone. It is used to steal credentials and automatically upload them to an attacker-controlled server. Terminal output shows the execution of the corresponding commands.

Examples of commands executed using this tool are shown below; where an entry begins with a full path, it lists the executable image followed by the command line that was recorded for it:

64.exe privilege::debug sekurlsa::logonPasswords token::elevate lsadump::sam full exit

C:\Users\user\Desktop\64.exe 64.exe "privilege::debug" "sekurlsa::logonPasswords" "token::elevate" "lsadump::sam full" exit

64.exe "privilege::debug" "sekurlsa::logonPasswords" "token::elevate" "lsadump::sam full" exit

C:\Users\user\Desktop\rclone.exe rclone rcd --rc-no-auth --bwlimit=30M

C:\Users\user\Desktop\rclone.exe rclone rc operations/stat

Combining Mimikatz and rclone within a single tool allows attackers not only to obtain sensitive data rapidly but also to exfiltrate it immediately, without additional manual steps, which significantly increases the efficiency of the attacks. Note what the recorded rclone commands do: rclone rcd --rc-no-auth starts rclone’s remote-control HTTP API without any authentication (by default on localhost:5572), and rclone rc operations/stat is a call into that API, so the stub can drive transfers programmatically rather than through a shell; --bwlimit=30M caps the transfer rate, which likely helps the upload avoid standing out. An rclone daemon started this way, rather than a direct rclone copy or sync, is a strong hunting signal in process telemetry.
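The command lines above translate directly into detection logic. The following Python example is added here and is not code from the article or from the MIMIK tool: it tags process-creation events that carry Mimikatz module keywords launched from a binary not named mimikatz, and an rclone remote-control daemon started with --rc-no-auth, then correlates the two per host within a time window. The event list is constructed to mirror the commands shown; the host names, timestamps, the Sysmon-like field layout and the legitimate rclone sync job on WS02 are assumptions.

```python
import re
from datetime import datetime, timedelta

# Mimikatz module keywords seen in the MIMIK command lines.
MIMIKATZ_CMD = re.compile(r"(privilege::debug|sekurlsa::|lsadump::|token::elevate)", re.I)
# rclone remote-control daemon with authentication disabled.
RCLONE_RCD_NOAUTH = re.compile(r"\brclone(?:\.exe)?\b.*\brcd\b.*--rc-no-auth", re.I)
# Any call into the RC API (e.g. operations/stat).
RCLONE_RC_CALL = re.compile(r"\brclone(?:\.exe)?\b\s+rc\s+\S+", re.I)

# Constructed process-creation events (host, UTC time, image, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("WS01", "2024-03-01T09:14:02", r"C:\Users\user\Desktop\64.exe",
     '64.exe "privilege::debug" "sekurlsa::logonPasswords" "token::elevate" "lsadump::sam full" exit'),
    ("WS01", "2024-03-01T09:14:40", r"C:\Users\user\Desktop\rclone.exe",
     "rclone rcd --rc-no-auth --bwlimit=30M"),
    ("WS01", "2024-03-01T09:14:41", r"C:\Users\user\Desktop\rclone.exe",
     "rclone rc operations/stat"),
    ("WS02", "2024-03-01T11:00:00", r"C:\Program Files\rclone\rclone.exe",
     "rclone sync D:\\backup remote:backup --bwlimit=30M"),      # assumed legitimate backup job
    ("WS03", "2024-03-01T12:00:00", r"C:\Windows\System32\cmd.exe", "cmd /c whoami"),
]


def match_event(image: str, cmdline: str) -> list:
    """Tags for one process-creation event; empty list means nothing of interest."""
    tags = []
    exe = image.rsplit("\\", 1)[-1].lower()
    if MIMIKATZ_CMD.search(cmdline):
        tags.append("mimikatz_modules")
        if "mimikatz" not in exe:
            tags.append("renamed_binary")          # e.g. 64.exe in the article
    if RCLONE_RCD_NOAUTH.search(cmdline):
        tags.append("rclone_rcd_no_auth")
    elif RCLONE_RC_CALL.search(cmdline):
        tags.append("rclone_rc_call")
    return tags


def correlate(events, window=timedelta(minutes=30)) -> list:
    """Per host: a credential dump followed within `window` by an unauthenticated
    rclone RC daemon is raised as one combined alert (host, kind, command line)."""
    alerts, last_dump = [], {}
    for host, ts, image, cmd in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        tags = match_event(image, cmd)
        if "mimikatz_modules" in tags:
            last_dump[host] = t
            alerts.append((host, "credential_dump", cmd))
        if "rclone_rcd_no_auth" in tags:
            seen = last_dump.get(host)
            kind = "dump_then_rclone_rcd" if seen and t - seen <= window else "rclone_rcd_no_auth"
            alerts.append((host, kind, cmd))
    return alerts


if __name__ == "__main__":
    for host, kind, cmd in correlate(SAMPLE_EVENTS):
        print(f"{host}: {kind}: {cmd}")
```

The daemon start is treated as the pivot rather than the rc calls themselves, because rclone rcd with authentication disabled has almost no legitimate use on a workstation, while rclone sync with a bandwidth limit is exactly what a backup job looks like and must not alert on its own.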

BabyLockerKZ

BabyLockerKZ is a variant of MedusaLocker that has existed since at least late 2023 and has already been analyzed by other researchers, although it has usually not been identified explicitly under this name as a distinct MedusaLocker variant.

In a Cynet blog post, this sample was described under the name Hazard, based on the file extension appended to encrypted files. The publication also mentions the presence of a BabyLockerKZ registry key, indicating an internal identifier for this variant.

In a separate study by Whitehat, attention is drawn to the presence of PAIDMEMES PUBLIC and PAIDMEMES PRIVATE registry keys in MedusaLocker samples, which are also associated with this variant.

Overall, BabyLockerKZ has remained relatively unnoticed by the broader research community. This is likely due to its high similarity to the classic MedusaLocker and the fact that it uses the same communication channels and data leak sites.

At the same time, several notable technical differences exist between BabyLockerKZ and the original MedusaLocker:

  • the mutex {8761ABBD-7F85-42EE-B272-A76179687C63} is absent

  • the MDSLK registry key is absent

  • the PAIDMEMES PUBLIC and PAIDMEMES PRIVATE registry keys are used

  • a separate persistence key named BabyLockerKZ is applied

The purpose of the PAIDMEMES PUBLIC and PAIDMEMES PRIVATE keys remains unclear. In its report, Whitehat notes that these keys are likely not critical to the encryption process, as the Linux version of MedusaLocker does not use them. Further investigation into the role of these keys may become a subject for future analysis.

Conclusion

BabyLockerKZ demonstrates how well-known ransomware families continue to evolve through custom tooling, automation, and a clearly structured attack model. The group’s sustained activity, consistent volume of compromises, and shifting regional focus point to a professional operation within a mature ransomware ecosystem. For defenders, this case serves as another reminder that even familiar threats can take on new forms and remain dangerous in the absence of continuous monitoring and basic cyber hygiene.
