7 October 2024

Over 100 orgs breached in BabyLockerKZ ransomware attacks

An updated variant of the MedusaLocker ransomware, dubbed ‘BabyLockerKZ,’ has been observed in ransomware attacks targeting over 100 organizations monthly. The attacks have been linked by the Cisco Talos threat intelligence team to a suspected initial access broker (IAB) or ransomware cartel affiliate operating under the moniker ‘PaidMemes.’

Talos researchers detected several differences between the original ransomware, which first emerged in 2022, and the updated variant, including the presence of extra public and private key sets stored in the system registry, and changes to the autorun key.

The attackers consistently use the same tool set and stage it in specific directories on compromised systems, such as the Music, Pictures, or Documents folders. Alongside publicly available software, the threat actor also uses custom-built tools for lateral movement and credential theft. These appear to be wrapped versions of widely known attack tools, extended with features that streamline operations and provide user-friendly interfaces.

In particular, PaidMemes employs a lateral movement tool named “Checker,” which integrates with tools like Mimikatz, Invoke-the-Hash, and PSEXEC. Checker automates the interaction between these attack utilities, making it easier for hackers to spread within compromised networks.
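As an added example (not from the Talos report or this article), the following PowerShell hunt surfaces the two host-level artifacts described above: executable content staged under users' Music, Pictures or Documents folders, and autorun entries that launch from those folders. It assumes the autorun persistence uses the standard Run/RunOnce keys, which the article does not specify, and that the staged tools are stored as script or PE files.

```powershell
# Added hunting script, not code from the article or the Talos report.
# Assumption: persistence lives in the standard Run/RunOnce keys (the
# article only says "the autorun key"); adjust if your telemetry shows
# another location. HKCU covers the current user only; for other users
# load their NTUSER.DAT hives or query HKU directly.
$stagingNames = 'Music', 'Pictures', 'Documents'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Autorun values whose command line points into a staging folder.
function Find-SuspiciousAutoruns {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath etc.
            if ("$($p.Value)" -match '\\(Music|Pictures|Documents)\\') {
                [pscustomobject]@{ Finding = 'Autorun'; Key = $key
                                   Name = $p.Name; Value = $p.Value }
            }
        }
    }
}

# 2. Script/PE files staged under each profile's Music/Pictures/Documents.
# Expect some benign hits in Documents; triage by hash, signer and mtime.
function Find-StagedTools {
    $profiles = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue
    foreach ($u in $profiles) {
        foreach ($sub in $stagingNames) {
            $dir = Join-Path $u.FullName $sub
            if (-not (Test-Path $dir)) { continue }
            Get-ChildItem -Path $dir -Recurse -File -ErrorAction SilentlyContinue `
                -Include *.exe, *.dll, *.ps1, *.bat, *.cmd |
              ForEach-Object {
                [pscustomobject]@{ Finding = 'StagedFile'; Path = $_.FullName
                                   SizeKB = [math]::Round($_.Length / 1KB)
                                   Modified = $_.LastWriteTime }
              }
        }
    }
}

@(Find-SuspiciousAutoruns) + @(Find-StagedTools) | Format-Table -AutoSize
```

Run elevated so HKLM and all profile folders are readable; feed the output to your EDR or SIEM rather than acting on it alone, since the folder-name heuristic is deliberately broad.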

Initially, BabyLockerKZ attacks were concentrated in European nations, but since the first quarter of 2023, Talos has observed a significant shift toward South America. The group's focus on this region has resulted in a near doubling of victim numbers, with over 100 organizations compromised per month since late 2022.
