MedusaLocker Ransomware Decryptor

What is MEDUSALOCKER RANSOMWARE?

MedusaLocker ransomware, a Ransomware-as-a-Service (RaaS) family, was first observed in 2019.

MedusaLocker first stops services that could hold files open or interfere with encryption, deletes volume shadow copies so that the built-in restore points cannot be used, and then encrypts data with AES-256.

Below is an example of the ransom note left on a system infected with MedusaLocker.

MedusaLocker ransomware ransom note

MEDUSALOCKER RANSOMWARE IOC INDICATORS

The following indicators of compromise (IoCs) can be used to confirm that MedusaLocker is present on a victim system.

MEDUSALOCKER ENCRYPTED FILE

MedusaLocker appends an extension to every file it encrypts, as shown below. The extension is not fixed: different campaigns and affiliates use different ones, so match against the whole list rather than a single extension.

Here is a list of MedusaLocker extensions that Proven Data has encountered:

  • .ReadTheInstructions
  • .READINSTRUCTION
  • .ReadInstructions
  • Malware
  • Redplague
  • .hellomynameisransom
  • .abstergo
  • .readinstructions
  • .deadfiles
  • .EMPg296LCK
  • .zoomzoom
  • .versus2
  • .versus4
  • .lockfilesbw
  • .lockfiles

MEDUSALOCKER RANSOM NOTICE

MedusaLocker ransom notes are HTML files, in several versions, dropped into every folder on the infected computer or server.

Example of a MedusaLocker ransom note:

Here is a list of MedusaLocker ransom note file names encountered by Proven Data:

  • INSTRUCTION.html
  • INSTRUCTIONS.html
  • HOW_TO_RECOVER_DATA.html
  • !HOW_RECOVERY_FILES .HTML
  • Recovery_Instructions.html

MedusaLocker ransom notes typically include a long personal identification string that the attackers use to identify the victim.

The note also claims that the threat actors have stolen confidential and personal information and threatens to publish it if the ransom is not paid.

The note offers to decrypt 2-3 files free of charge as proof that decryption works, and describes the next steps if the victim wants to buy the decrypter.

MEDUSALOCKER-PORTAL

Proven Data has observed that ransom notes may include a Tor link to a payment portal. These links are often not functional.

MEDUSALOCKER VIRUS NAMES

The following executable names have been observed. A file name is a weak indicator: compute the SHA-1 or SHA-256 hash of any sample you recover and check it against your AV vendor or a sandbox rather than relying on the name.

  • SO_1.8.exe
  • NO_1.8.EXE
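As an added example (not code from Proven Data or from this page), the following Python script walks a drive or a mounted disk image and reports every file matching the extensions, ransom note file names and executable names listed above. The indicator lists are copied from the page; the function names are this example's own, and it assumes the two entries the page lists without a leading dot ("Malware", "Redplague") are extensions like the others. Run it against an image or a read-only mount, not on a live host that may still be encrypting.

```python
"""Triage scan for the MedusaLocker indicators listed on this page.

Added example, not Proven Data's tooling. The indicator lists come from the
page; the function names are this example's own.
"""
import hashlib
import os
from dataclasses import dataclass, field

# Extensions appended to encrypted files (compared case-insensitively, so the
# page's .ReadInstructions and .readinstructions collapse to one entry).
ENCRYPTED_EXTENSIONS = {
    ".readtheinstructions", ".readinstruction", ".readinstructions",
    ".hellomynameisransom", ".abstergo", ".deadfiles", ".empg296lck",
    ".zoomzoom", ".versus2", ".versus4", ".lockfilesbw", ".lockfiles",
    # The page lists "Malware" and "Redplague" without a leading dot; this
    # example assumes they are extensions like the others.
    ".malware", ".redplague",
}

# Ransom note file names. Spaces are removed before comparing, so the page's
# "!HOW_RECOVERY_FILES .HTML" matches whether or not the space is genuine.
RANSOM_NOTE_NAMES = {
    "instruction.html", "instructions.html", "how_to_recover_data.html",
    "!how_recovery_files.html", "recovery_instructions.html",
}

# Executable names observed. A name is a weak indicator; the scan hashes any
# match so the sample can be checked against AV vendors or a sandbox.
SUSPICIOUS_BINARY_NAMES = {"so_1.8.exe", "no_1.8.exe"}


@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    suspicious_binaries: list = field(default_factory=list)  # (path, sha256)

    def first_note_time(self):
        """Earliest ransom-note mtime: a rough lower bound for when encryption began."""
        if not self.ransom_notes:
            return None
        return min(os.path.getmtime(p) for p in self.ransom_notes)


def sha256_of(path, chunk_size=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def classify(filename):
    """Return 'note', 'binary', 'encrypted', or None for a bare file name."""
    lowered = filename.lower()
    if lowered.replace(" ", "") in RANSOM_NOTE_NAMES:
        return "note"
    if lowered in SUSPICIOUS_BINARY_NAMES:
        return "binary"
    if os.path.splitext(lowered)[1] in ENCRYPTED_EXTENSIONS:
        return "encrypted"
    return None


def scan_for_medusalocker(root):
    """Walk root and sort every file into the indicator categories above."""
    result = ScanResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            kind = classify(name)
            if kind == "note":
                result.ransom_notes.append(path)
            elif kind == "binary":
                result.suspicious_binaries.append((path, sha256_of(path)))
            elif kind == "encrypted":
                result.encrypted_files.append(path)
    return result


if __name__ == "__main__":
    import sys
    import time

    res = scan_for_medusalocker(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"encrypted files: {len(res.encrypted_files)}")
    print(f"ransom notes:    {len(res.ransom_notes)}")
    if res.first_note_time() is not None:
        stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(res.first_note_time()))
        print(f"earliest note:   {stamp}")
    for path, digest in res.suspicious_binaries:
        print(f"binary {path} sha256={digest}")
```

The earliest ransom-note timestamp is worth recording at this stage: it anchors the encryption phase in the incident timeline, which narrows the window to search in RDP, VPN and firewall logs for the initial access.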

HOW TO STOP MEDUSALOCKER RANSOMWARE

MedusaLocker can be stopped from spreading by disconnecting infected devices from the rest of the network: unplug the network cable or disable the adapter, and cut the host's access to shared drives. Isolating an infected host prevents it from reaching, and encrypting, other devices and shares. Do not power the host off; the running process and its memory are evidence.

After the devices have been isolated, scan them with antivirus software to find the ransomware binary and any other malware or backdoors the attackers left behind.

WHAT DOES THE MEDUSALOCKER RANSOMWARE RECOVERY COST?

The following factors have an impact on the cost of MedusaLocker Recovery:

  • Assessment fee
  • Number of encrypted systems
  • Priority service level
  • Ransom demand amount

WHAT IS THE MEDUSALOCKER RANSOM DEMAND?

In Q3/Q4 2020, the average initial ransom demand for MedusaLocker ransomware was $12,478.

Below is a comparison of MedusaLocker’s average initial ransom demand and those of other popular variants.

Like many other ransomware groups, MedusaLocker affiliates are likely to adjust the ransom amount to:
  • The type and size of the victim company
  • The size of the victim network
  • Financial documents they opened while inside the victim network (reconnaissance)

MedusaLocker typically targets small and medium-sized companies, but the sheer volume of attacks still makes it one of the most dangerous ransomware families.

In Q3/Q4 2020, the average ransom demand after negotiation was $6,615.

Proven Data has the experience to help you negotiate a lower ransom from the MedusaLocker ransomware.

Knowing what to expect in ransomware recovery costs will help you make informed decisions when recovering your data.

HOW TO DECRYPT MEDUSALOCKER RANSOMWARE

If your files have been locked by MedusaLocker ransomware, you will want to know what recovery options are available to get your data back.

UNLOCK MEDUSALOCKER ENCRYPTED FILE

MedusaLocker encrypts files with AES-256, which cannot be brute-forced, and no flaw in the malware's implementation is publicly known that would allow files to be decrypted without the key.

Victims who have no unaffected backups are therefore left with two choices: restore what can be recovered by other means, or consider paying the ransom to obtain the decryption key. Check offline and off-site backups first; MedusaLocker deletes volume shadow copies, so local restore points will usually be gone.

As with other ransomware variants, we may be able to restore certain file types without paying the ransom. For more information, contact a Proven Data representative.

INSTRUCTIONS FOR MEDUSALOCKER DECRYPTER

The MedusaLocker decrypter supplied by the threat actor is a simple command-line utility.

These are the steps for running the MedusaLocker decrypter:

1. Verify that the decrypter does not contain malicious code: record its hash and have it analysed before it touches any production data. A ransomware recovery company can help with this.

2. Disable anti-virus software, including Microsoft Defender, on the machine where you plan to run the tool; otherwise the decrypter will be quarantined. Do this only on an isolated machine that has been cleaned of the ransomware, and re-enable protection as soon as decryption is complete.

3. Connect all encrypted devices to the system where you will be running the decrypter. This includes attaching external hard drives and mapping network shares. Keep a copy of the encrypted files (or a disk image) before you start: a decrypter that fails part-way can leave files unusable.

4. Right-click the decrypter executable and run it as administrator.

5. The decrypter console will open and begin the recovery process. If the ransomware process or dropper is still running, the decrypter first disables it.

6. The decrypter checks all connected drives for encrypted files.

7. After scanning all drives, it begins to decrypt the encrypted files and lists each decrypted file on screen.

8. After all files have been decrypted, the utility rescans the drives and continues scanning in a loop. It never exits on its own; close it manually with the X button to stop the loop.
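The steps above say nothing about how to tell whether the decrypter actually worked, which both the verification in step 1 and the later data-verification stage depend on. As an added example, not part of the threat actor's tool or of Proven Data's process, the Python script below records every encrypted file before the decrypter runs and afterwards reports which files were restored, skipped, left empty, or produced with the wrong file header (what output from a wrong key looks like). It assumes MedusaLocker's naming convention of appending its extension to the original name (report.docx becomes report.docx.ReadTheInstructions), so stripping the last extension gives the path the decrypter should restore; the function names are this example's own.

```python
"""Record which files are encrypted before a decrypter runs, then verify what it produced.

Added example, not part of the decrypter or of Proven Data's process. Assumes
the encrypted name is the original name plus one appended extension.
"""
import json
import os
import sys

# Extensions listed on this page (lower-case). The two entries the page gives
# without a dot are assumed to be extensions as well.
ENCRYPTED_EXTENSIONS = {
    ".readtheinstructions", ".readinstruction", ".readinstructions",
    ".hellomynameisransom", ".abstergo", ".deadfiles", ".empg296lck",
    ".zoomzoom", ".versus2", ".versus4", ".lockfilesbw", ".lockfiles",
    ".malware", ".redplague",
}

# Leading bytes of common file types. A decrypter run with the wrong key
# produces output of the right size but the wrong header.
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04", ".zip": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
}


def snapshot_encrypted(root):
    """Map each encrypted file under root to its size, taken before decryption."""
    snapshot = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name.lower())[1] in ENCRYPTED_EXTENSIONS:
                path = os.path.join(dirpath, name)
                snapshot[path] = os.path.getsize(path)  # kept for the record
    return snapshot


def expected_original(encrypted_path):
    """report.docx.ReadTheInstructions -> report.docx"""
    return os.path.splitext(encrypted_path)[0]


def header_matches(path):
    """True if the file starts with the magic bytes for its type, or the type is unknown."""
    expected = MAGIC.get(os.path.splitext(path.lower())[1])
    if expected is None:
        return True
    with open(path, "rb") as fh:
        return fh.read(len(expected)) == expected


def verify_decryption(snapshot):
    """Classify every file from the snapshot by what the decrypter left behind."""
    report = {"restored": [], "still_encrypted": [], "missing": [], "empty": [], "bad_header": []}
    for enc_path in sorted(snapshot):
        original = expected_original(enc_path)
        if not os.path.exists(original):
            if os.path.exists(enc_path):
                report["still_encrypted"].append(enc_path)  # decrypter skipped it
            else:
                report["missing"].append(original)  # encrypted copy gone, nothing produced
        elif os.path.getsize(original) == 0:
            report["empty"].append(original)
        elif not header_matches(original):
            report["bad_header"].append(original)
        else:
            report["restored"].append(original)
    return report


if __name__ == "__main__":
    # Usage: snapshot <root> <out.json>   (before running the decrypter)
    #        verify <snapshot.json>       (after it has finished)
    if sys.argv[1:2] == ["snapshot"]:
        with open(sys.argv[3], "w") as out:
            json.dump(snapshot_encrypted(sys.argv[2]), out, indent=1)
    elif sys.argv[1:2] == ["verify"]:
        with open(sys.argv[2]) as inp:
            report = verify_decryption(json.load(inp))
        for category, paths in report.items():
            print(f"{category}: {len(paths)}")
            for p in paths[:20]:
                print("  " + p)
```

Files in the `bad_header` or `empty` categories should be treated as not recovered, even though the decrypter's console listed them, and raised with whoever supplied the tool before the encrypted copies are deleted.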

HOW LONG WILL IT TAKE TO RECOVER A MEDUSALOCKER RANSOMWARE ATTACK

Many factors affect the recovery time from a MedusaLocker attack. These are:

  • Cleansing the environment of malware
  • Securing the vulnerabilities that were exploited
  • Time spent on negotiations
  • Compliance checks and the ransom payment
  • Waiting for the threat actor to provide the decryption utility
    • Checking that the decryption utility works
    • Checking the decryption utility for backdoors
  • Decrypting the data
    • Network size
    • Types, number and size of files
  • Data verification and backing up

It takes 3-7 days to complete a full recovery for a network that has 1-3 servers and 10-20 workstations.

WHAT ATTACK VECTORS DOES MEDUSALOCKER RANSOMWARE USE

MedusaLocker most often gets into a network through Remote Desktop Protocol (RDP) services exposed to the Internet, typically by guessing weak passwords or using stolen credentials.

Phishing emails with malicious attachments or links and unpatched applications are also used as entry points.
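As an added example of checking the RDP vector described above (not from the page), the following Python script looks through exported Windows Security events for successful RDP logons from outside the LAN and for RDP logons preceded by a burst of failed logons from the same address. The sample events are constructed, the JSON-lines input format with the Security log's own field names is an assumption, and the internal address ranges are the RFC 1918 ranges; adjust them to your address plan.

```python
"""Flag suspicious RDP logons in exported Windows Security events.

Added example, not from the page. Input is assumed to be JSON lines carrying
the Security log's own field names (EventID, TimeCreated, TargetUserName,
IpAddress, LogonType). Event 4624 with LogonType 10 is a successful
RemoteInteractive (RDP) logon; 4625 is a failed logon.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: five failures from an Internet address followed by a
# successful RDP logon from it, one RDP logon from the LAN, and one RDP logon
# straight from another Internet address.
SAMPLE_EVENTS = """\
{"EventID": 4625, "TimeCreated": "2020-11-03T02:10:01", "TargetUserName": "Administrator", "IpAddress": "203.0.113.45", "LogonType": 3}
{"EventID": 4625, "TimeCreated": "2020-11-03T02:10:04", "TargetUserName": "Administrator", "IpAddress": "203.0.113.45", "LogonType": 3}
{"EventID": 4625, "TimeCreated": "2020-11-03T02:10:07", "TargetUserName": "Administrator", "IpAddress": "203.0.113.45", "LogonType": 3}
{"EventID": 4625, "TimeCreated": "2020-11-03T02:10:10", "TargetUserName": "Administrator", "IpAddress": "203.0.113.45", "LogonType": 3}
{"EventID": 4625, "TimeCreated": "2020-11-03T02:10:13", "TargetUserName": "Administrator", "IpAddress": "203.0.113.45", "LogonType": 3}
{"EventID": 4624, "TimeCreated": "2020-11-03T02:11:40", "TargetUserName": "Administrator", "IpAddress": "203.0.113.45", "LogonType": 10}
{"EventID": 4624, "TimeCreated": "2020-11-03T08:30:12", "TargetUserName": "jsmith", "IpAddress": "10.20.1.15", "LogonType": 10}
{"EventID": 4624, "TimeCreated": "2020-11-03T23:02:55", "TargetUserName": "backup_svc", "IpAddress": "198.51.100.7", "LogonType": 10}
"""

# Ranges that count as internal. Listed explicitly instead of using
# ipaddress's is_private, which also treats documentation ranges such as
# 203.0.113.0/24 (used in the sample) as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # "-" or an empty field in the log
    return not any(addr in net for net in INTERNAL_NETS)


def parse_events(text):
    """Parse JSON lines into event dicts, adding a parsed 'time' field."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["TimeCreated"])
            events.append(ev)
    return events


def find_rdp_findings(events, threshold=5, window=timedelta(minutes=10)):
    """Return findings for RDP logons from outside the LAN and for RDP logons
    preceded by at least `threshold` failures from the same address within `window`."""
    findings = []
    failures = defaultdict(list)  # source IP -> timestamps of 4625 events
    for ev in sorted(events, key=lambda e: e["time"]):
        ip = ev.get("IpAddress", "-")
        if ev["EventID"] == 4625:
            failures[ip].append(ev["time"])
        elif ev["EventID"] == 4624 and ev.get("LogonType") == 10:
            base = {"ip": ip, "user": ev.get("TargetUserName"), "time": ev["TimeCreated"]}
            recent = [t for t in failures[ip] if ev["time"] - t <= window]
            if len(recent) >= threshold:
                findings.append({"rule": "brute_force_then_rdp_success", "failures": len(recent), **base})
            if is_external(ip):
                findings.append({"rule": "external_rdp_logon", **base})
    return findings


if __name__ == "__main__":
    for finding in find_rdp_findings(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

A hit on the first rule around the time of the earliest ransom note is the classic MedusaLocker picture; the account named in it should be treated as compromised and the source address blocked at the perimeter before any decryption work starts.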

CAN MEDUSALOCKER RANSOMWARE STEAL DATA

Proven Data's research has not shown MedusaLocker exfiltrating data from victims' networks, despite the claim in the ransom note. A forensic investigation is still essential, because ransomware threat actors change tactics all the time.

PRESERVING EVIDENCE FROM MEDUSALOCKER RANSOMWARE

A forensic investigation is required to determine what the attackers did on your network and how much damage was done. If you are considering one, it is crucial to preserve all evidence.

These are the steps you need to take to preserve forensic evidence:

  1. Do not shut down or reboot affected computers and servers; powering off destroys volatile artifacts such as memory contents, running processes and network connections. Isolate them from the network instead.
  2. Take a forensically sound image of each affected system (memory first if possible, then disk) and verify its hash before taking the system offline.
  3. Export the logs from remote-access software, VPN concentrators and firewalls before they roll over.
  4. Document everything related to the attack: timeline, ransom notes, affected systems and every action taken by responders.

Complete instructions on preserving ransomware evidence can be found as part of the ransomware forensics process.

WHY CHOOSE PROVEN DATA MEDUSALOCKER RANSOMWARE RECOVERY?

Companies hit by ransomware need a time-tested, proven way to resume business operations. We offer 24/7 access to staff with extensive experience in recovering from the MedusaLocker ransomware variant.

We have a deep understanding of MedusaLocker ransomware and can help you make informed business decisions. To fully recover from the attack, it is essential to understand the threat profile and attack vectors.

We developed a sanctions compliance program to meet our compliance obligations: any ransom payment made on a client's behalf is screened against sanctions lists first. On completion of the service we provide a compliance and incident report, which can be used for regulatory reporting or insurance claims.

We can help you get past the unfortunate MedusaLocker incident by providing transparent ransomware incident response services.