MedusaLocker Ransomware (Analysis and Recovery Options)

This page details everything you need to know about MedusaLocker ransomware. If you have been hit by MedusaLocker ransomware and need help recovering your data, we're here to help.

What is MedusaLocker ransomware?

MedusaLocker ransomware is a RaaS (Ransomware as a Service) variant that first emerged in 2019.

MedusaLocker ransomware encrypts data with AES-256 after removing volume shadow copies and disabling system services to increase the effectiveness of the encryption.

Below is an example of a victim infected by MedusaLocker ransomware:

[Image: MedusaLocker ransomware ransom note]

MedusaLocker ransomware Indicators of Compromise (IoC)

There are several MedusaLocker ransomware Indicators of Compromise (IoC) that signal the malware is present on a victim computer. 

MedusaLocker Encrypted Files

The ransomware generally renames encrypted files per the diagram below, but has been known to utilize a variety of different file extensions.

[Image: Identifying MedusaLocker ransomware files]

Here is a list of MedusaLocker file extensions encountered by Proven Data:

  • .ReadTheInstructions
  • .READINSTRUCTION
  • .ReadInstructions
  • .Malware
  • .redplague
  • .hellomynameisransom
  • .abstergo
  • .readinstructions
  • .deadfiles
  • .EMPg296LCK
  • .zoomzoom
  • .versus2
  • .versus4
  • .lockfilesbw
  • .lockfiles

MedusaLocker Ransom Note

The MedusaLocker ransom notes are typically variations of an HTML file placed in every folder on the infected computer/server.

Below you will find an example of a MedusaLocker ransom note:

[Image: MedusaLocker ransom note]

Here is a list of MedusaLocker ransom notes encountered by Proven Data: 

  • INSTRUCTION.html
  • INSTRUCTIONS.html
  • HOW_TO_RECOVER_DATA.html
  • !HOW_RECOVERY_FILES! .HTML
  • Recovery_Instructions.html

The MedusaLocker ransom note typically includes a long personal ID string used to identify the victim.

Later versions of the ransom note also indicate that the threat actors have stolen confidential and personal data, and even threaten to release the data if the ransom is not paid. 

Additionally, the ransom note offers to decrypt 2-3 files as proof of concept and lists next steps for victims who want their files decrypted.

MedusaLocker portal

Some ransom notes include a Tor link to a portal, but Proven Data has observed that the links are usually not functional.

MedusaLocker virus name and SHA1 hash

The MedusaLocker ransomware virus has been discovered under the following file names:

  • SO_1.8.exe
  • NO_1.8.EXE

The MedusaLocker SHA1 hashes discovered are:

  • 97f2ba64780efd18943e2cfd67f18df90e0bf39a
  • 3e2a0003c436392b0df260e21067281e8eddc4ed
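
As an added example (not Proven Data's tooling), the file extensions, ransom note names and SHA1 hashes listed above can be combined into a read-only triage scan of a directory tree. Matching is case-insensitive, which generalizes the listed spellings, and the function and variable names are assumptions of this example.

```python
import hashlib
import os
import sys
from pathlib import Path
# Indicators copied from the lists on this page, lower-cased for matching.
EXTENSIONS = {
    ".readtheinstructions", ".readinstruction", ".readinstructions",
    ".malware", ".redplague", ".hellomynameisransom", ".abstergo",
    ".deadfiles", ".empg296lck", ".zoomzoom", ".versus2", ".versus4",
    ".lockfilesbw", ".lockfiles",
}
# Assumption: names are compared with spaces removed, since one listed name
# contains a space that may or may not be present on disk.
NOTE_NAMES = {
    "instruction.html", "instructions.html", "how_to_recover_data.html",
    "!how_recovery_files!.html", "recovery_instructions.html",
}
SHA1_HASHES = {"97f2ba64780efd18943e2cfd67f18df90e0bf39a",
               "3e2a0003c436392b0df260e21067281e8eddc4ed"}

def sha1_of(path):
    """Stream the file so large executables are not loaded into memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()

def scan(root, sha1_hashes=SHA1_HASHES):
    """Read-only walk of root; returns paths grouped by indicator type."""
    found = {"encrypted": [], "notes": [], "binaries": [], "unreadable": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.replace(" ", "") in NOTE_NAMES:
                found["notes"].append(path)
            elif Path(lower).suffix in EXTENSIONS:
                found["encrypted"].append(path)
            elif lower.endswith(".exe"):
                try:
                    if sha1_of(path) in sha1_hashes:
                        found["binaries"].append(path)
                except OSError:
                    found["unreadable"].append(path)  # locked or access denied
    return found

if __name__ == "__main__" and len(sys.argv) > 1:
    for kind, paths in scan(sys.argv[1]).items():
        print(f"{kind}: {len(paths)}", *paths, sep="\n  ")
```

Generic note names such as INSTRUCTIONS.html can occur in benign software, so treat a hit on a note name alone as a lead to verify against the other indicators.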

How to stop MedusaLocker ransomware

You can stop MedusaLocker ransomware from spreading by isolating the infected devices from the rest of your network. Disconnecting the device will help stop the ransomware from encrypting files on other devices. 

Once devices are isolated, you can start scanning with antivirus software to remove the malware and any potential back doors that have been left behind.

How much will MedusaLocker ransomware recovery cost?

Factors that influence the total cost of MedusaLocker recovery include:

  • Assessment fee
  • Number of encrypted systems
  • Selected priority of service
  • Ransom demand amount

How much do MedusaLocker ransom demands cost?

The average initial ransom demand for MedusaLocker ransomware is $12,478.

Average initial MedusaLocker ransomware demand (Q3/Q4 2020)

The graph below shows the comparison between the average initial ransom demand of MedusaLocker and other common variants.

Like many other ransomware groups, MedusaLocker operators are suspected of tailoring ransom amounts to the following:

  • Size and type of the victim company
  • Size of the victim network
  • Financial documents opened during reconnaissance on the victim network

MedusaLocker typically targets small and medium-sized businesses but is still considered one of the most dangerous ransomware variants due to the volume of attacks.

Average ransom demand after negotiation (Q3/Q4 2020)

Proven Data is experienced in helping to negotiate for a lower ransom demand from the MedusaLocker ransomware.

Knowing what to expect in ransomware recovery costs will help you make informed decisions when recovering your data.

How to decrypt MedusaLocker ransomware

If your files are locked by MedusaLocker ransomware, you are likely looking for the ransomware recovery options available to decrypt your data.

Unlock MedusaLocker encrypted files

MedusaLocker uses the AES-256 encryption algorithm, which is too strong to be broken. Additionally, there are currently no known flaws in the malware that can be utilized for data restoration efforts.

This leaves victims of MedusaLocker with only one option to consider: paying the ransom to obtain the decryption key and unlock their files.

As with many ransomware variants, we may be able to assist with restoring certain file types without paying the ransom. To find out more information, you can reach out to a Proven Data representative.

MedusaLocker Decrypter Instructions

The MedusaLocker decrypter is a straightforward utility with a command-line-like interface.

Here are the steps to run the MedusaLocker decrypter tool:

1. Ensure the decrypter does not contain malicious code (a ransomware recovery company should be able to help you with this).

2. Disable anti-virus software on the machine you will be running the tool from. This includes Microsoft Defender.

3. Make sure to connect all the devices with encrypted files to the system you are going to be running the decrypter from. This includes mapping network shares and attaching external hard drives.

4. Right click the decryption executable file and run as administrator.

5. The decrypter console will appear and start the process of recovery. Initially it will disable the virus/dropper if it has not been removed from the system.

6. The decrypter will scan all drives connected to the system for encrypted files.

7. After scanning all drives, it will start to decrypt all the encrypted files. A list of all the decrypted files will display on the screen.

8. When all files have been decrypted, the utility will scan the drives again and keep doing this in a loop. To stop the loop, the utility has to be closed manually by clicking the X button.

How long does it take to recover from a MedusaLocker ransomware attack?

There are several factors that contribute to the time it takes to recover from a MedusaLocker attack. These include:

  • Cleaning the environment from malware
  • Securing vulnerabilities
  • Negotiation time
  • Compliance checks & making the ransom payment
  • Waiting for the threat actor to provide the decryption utility
    • Testing the functionality of the decryption utility
    • Checking for backdoors in the decryption utility
  • Decrypting the data
    • Size of the network
    • Number of files, file sizes & types
  • Backing up and verifying the data

For a network with 1-3 servers and 10-15 workstations it takes approximately 3-7 business days to complete the full recovery process.

What attack vectors did MedusaLocker ransomware use?

MedusaLocker ransomware attacks frequently infect your network via unsecured RDP ports. 

Phishing emails with malicious links or attachments and unpatched applications may also be attack vectors.

Does MedusaLocker ransomware steal data?

Based on our research, there is no evidence that MedusaLocker ransomware attacks steal data while on the victim network. However, since ransomware threat actors are constantly changing tactics, it is still critical to conduct a forensic investigation.

Preserving evidence from MedusaLocker ransomware

In order to determine what the attackers removed from your network, you will need a forensic investigation performed. If you are considering a forensic investigation, it is important to preserve the evidence as soon as possible.

Here are the steps to preserve the forensic evidence:

  1. Do not shut down the computer or server as this will erase some artifacts
  2. Create a forensically sound image and take it offline
  3. Download firewall, VPN, and remote software logs
  4. Document all information pertaining to the ransomware attack

Complete instructions on preserving ransomware evidence can be found as part of the ransomware forensics process.

Why choose Proven Data MedusaLocker ransomware recovery?

Businesses that suffer downtime from a ransomware attack need a proven, time-tested solution to resume operations. That’s why we provide 24/7 access to staff who have significant experience recovering from the MedusaLocker ransomware variant. 

Our firm understanding of MedusaLocker ransomware from our vast experience guides you to make informed decisions for your business. Understanding the attack vectors, threat actor profile, and negotiation expectations are essential to recovering from the attack completely.

To meet compliance needs, we adopted a sanctions compliance program to ensure we are making ransom payments on behalf of our clients responsibly. At the service’s conclusion, we provide you with an incident and compliance report that you can use for insurance or law enforcement reporting purposes. 

If you are looking for a transparent experience from a professional ransomware incident response company to help you move past your unfortunate MedusaLocker cyber incident, we are here to help.

MedusaLocker FAQ

Most frequent questions and answers

There are currently no publicly available MedusaLocker ransomware decryption tools to assist victims to unlock their files. 

If MedusaLocker encrypts your files, you may have to recover your data by: 

  • Recreating the data from scratch
  • Restoring from backups
  • Paying the ransom

No, it is currently not possible to decrypt MedusaLocker encrypted files without paying the ransom. However, there may be some file types that can be repaired. You may ask a Proven Data representative about those file types.

MedusaLocker tends to have a high success rate of data restoration after paying the ransom and going through the decryption process. 

Here are some file types which may have problems decrypting or could require further troubleshooting:

  • Databases
  • VHDX/VHD images
  • PDFs
  • PNG/JPEGs

Paying the ransom in exchange for the decryption key does not always guarantee that a functional decryption key will be delivered. However, using the threat intelligence we have gathered from previous ransomware cases, we can determine the threat actor’s past reputation to help you make informed decisions.

In 2020, our records indicate that MedusaLocker delivered the decryption tool after the first ransom payment in 100% of cases.

If you are the victim of a MedusaLocker ransomware attack, you must secure your network afterward to close vulnerabilities.

Our cyber security costs guide outlines what basic protections are needed for ransomware prevention and what they cost.
