What is MEDUSALOCKER RANSOMWARE?
MedusaLocker ransomware, a RaaS (Ransomware As a Service) variant, was first introduced in 2019.
After deleting volume shadow copies, MedusaLocker ransomware encrypts data with AES-256 and disables services to increase the impact of the encryption.
Here is an example below of a victim who was infected with MedusaLocker ransomware.
MEDUSALOCKER RANSOMWARE IOC INDICATORS
The following MedusaLocker indicators of compromise (IoCs) can be used to detect the presence of the malware on victim computers.
MEDUSALOCKER ENCRYPTED FILE
The ransomware renames encrypted files as shown in the diagram below. However, it is known to use a variety of file extensions.
Here’s a list of MedusaLocker extensions that Proven Data has encountered:
- .ReadTheInstructions
- .READINSTRUCTION
- .ReadInstructions
- Malware
- Redplague
- .hellomynameisransom
- .abstergo
- .readinstructions
- .deadfiles
- .EMPg296LCK
- .zoomzoom
- .versus2
- .versus4
- .lockfilesbw
- .lockfiles
MEDUSALOCKER RANSOM NOTICE
MedusaLocker ransom notes are typically one of several versions of an HTML file that is dropped in every folder on the infected computer or server.
Here is an example for a MedusaLocker ransom note:
Here is a list of MedusaLocker ransom note file names that Proven Data has encountered:
- INSTRUCTION.html
- INSTRUCTIONS.html
- HOW_TO_RECOVER_DATA.html
- !HOW_RECOVERY_FILES .HTML
- Recovery_Instructions.html
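The extension list and ransom note names above can be turned into a simple file-system sweep for triage. The following is an added example and is not Proven Data's tooling; it assumes the listed extensions are appended to the original file name (e.g. report.docx.ReadInstructions), treats the two entries listed without a leading dot as if they had one, matches ransom note names case-insensitively, and builds a constructed sample directory so it runs offline.

```python
import os
import tempfile

# Extensions from the list above, lower-cased for case-insensitive matching.
# Assumption: "Malware" and "Redplague" are appended with a leading dot.
MEDUSALOCKER_EXTENSIONS = {
    ".readtheinstructions", ".readinstruction", ".readinstructions",
    ".malware", ".redplague", ".hellomynameisransom", ".abstergo",
    ".deadfiles", ".empg296lck", ".zoomzoom", ".versus2", ".versus4",
    ".lockfilesbw", ".lockfiles",
}

# Ransom note file names from the list above, lower-cased.
MEDUSALOCKER_NOTES = {
    "instruction.html", "instructions.html", "how_to_recover_data.html",
    "!how_recovery_files .html", "recovery_instructions.html",
}

def classify(filename):
    """Return 'note', 'encrypted' or None for a single file name."""
    name = filename.lower()
    if name in MEDUSALOCKER_NOTES:
        return "note"
    for ext in MEDUSALOCKER_EXTENSIONS:
        # Require an original name before the extension so a bare ".lockfiles" is skipped.
        if name.endswith(ext) and len(name) > len(ext):
            return "encrypted"
    return None

def scan_tree(root):
    """Walk root and return full paths of indicator hits grouped by kind."""
    hits = {"encrypted": [], "note": []}
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            kind = classify(f)
            if kind:
                hits[kind].append(os.path.join(dirpath, f))
    return hits

def build_sample_tree():
    """Create a constructed directory mixing benign files with indicators (sample data)."""
    root = tempfile.mkdtemp(prefix="medusa_sample_")
    for rel in ["docs/report.docx.ReadInstructions", "docs/HOW_TO_RECOVER_DATA.html",
                "docs/notes.txt", "share/budget.xlsx.EMPg296LCK",
                "share/!HOW_RECOVERY_FILES .HTML", "share/.lockfiles"]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample")
    return root
```

Run `scan_tree(build_sample_tree())` to see the two encrypted files and two ransom notes flagged while the benign file and the bare `.lockfiles` name are ignored.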
The MedusaLocker ransom notes typically include a long personal identification string that is used to identify the victim.
The ransom note goes on to claim that the threat actors have stolen confidential and personal information and threatens to release it if they are not paid.
The ransom note also offers decryption of 2-3 files as a proof of concept and describes the next steps if the victim wishes their files to be decrypted.
MEDUSALOCKER-PORTAL
Proven Data observed that ransom notes may include a Tor link to a portal. However, these links are often not functional.
MEDUSALOCKER VIRUS NAME AND SHA1 HASH
These names were used to identify the MedusaLocker ransomware virus:
- SO_1.8.exe
- NO_1.8.EXE
HOW TO STOP MEDUSALOCKER RANSOMWARE
MedusaLocker ransomware can be stopped from spreading by disconnecting infected devices from the rest of the network. Disconnecting an infected device prevents the ransomware running on it from encrypting other devices.
After devices have been isolated, you can scan with antivirus software to find malware and other backdoors.
WHAT DOES THE MEDUSALOCKER RANSOMWARE RECOVERY COST?
The following factors have an impact on the cost of MedusaLocker Recovery:
- Assessment fee
- Number of encrypted systems
- Priority service
- Ransom demand amount
WHAT IS THE MEDUSALOCKER RANSOM DEMAND?
$12.478 is the average initial ransom for MedusaLocker ransomware.
Below is a comparison of MedusaLocker’s average initial ransom demand and those of other popular variants.
Like many other ransomware groups, they may adjust the ransom amount according to:
- Type and size of the victim company
- The victim network size
- Financial documents discovered during reconnaissance inside the victim network
MedusaLocker typically targets small and medium-sized companies, but because of the volume of its attacks it remains one of the most dangerous ransomware variants.
Proven Data has the experience to help you negotiate a lower ransom from the MedusaLocker ransomware.
Understanding what to expect from ransomware recovery fees will allow you to make informed decisions about recovering your data.
HOW TO DECRYPT MEDUSALOCKER RANSOMWARE
You can find ransomware recovery options to decrypt files locked by MedusaLocker ransomware.
UNLOCK MEDUSALOCKER ENCRYPTED FILE
MedusaLocker uses the AES-256 encryption algorithm, which is too strong to break by brute force. There are no known flaws in the malware that could be used to restore data.
The victims of MedusaLocker are left with only one option: pay the ransom to unlock their files and obtain the decryption keys.
As with other ransomware variants, we may be able to restore certain file types without paying the ransom. For more information, contact a Proven Data representative.
INSTRUCTIONS FOR MEDUSALOCKER DECRYPTER
The MedusaLocker decrypter is a simple utility with a command-line interface.
These are the steps for running the MedusaLocker decrypter tool:
1. Verify that the decrypter does not contain malicious code. A ransomware recovery company should help you with this.
2. Turn off anti-virus software on the machine where you will be using the tool. This includes Microsoft Defender.
3. Connect all encrypted devices to the system where you will be running the decrypter. This includes attaching external hard drives and mapping network shares.
4. Right-click the decrypter executable and run it as administrator.
5. The decrypter console appears and starts the recovery process. If the virus/dropper has not been removed, it is disabled first.
6. The decrypter scans all connected drives for encrypted files.
7. Once all drives have been scanned, the program will begin to decrypt encrypted files. The screen will show a list of all decrypted files.
8. After all files have been decrypted, the utility continues scanning the drives in a loop. To stop the loop, close the utility manually by clicking the X button.
HOW LONG WILL IT TAKE TO RECOVER A MEDUSALOCKER RANSOMWARE ATTACK
Many factors can affect the recovery time from a MedusaLocker attack. These are:
- Cleansing the environment of malware
- Securing vulnerabilities
- Time for negotiations
- Compliance checks and ransom payment
- Waiting for the threat actor's decryption utility to be provided
- Checking the functionality of the decryption utility
- Checking the decryption utility for backdoors
- Decrypting the data
- Network size
- Types, number of files, and file sizes
- Data verification and backing up
It takes 3-7 days to complete a full recovery for a network that has 1-3 servers and 10-20 workstations.
WHAT ATTACK VECTORS DID MEDUSALOCKER RANSOMWARE USE
MedusaLocker ransomware frequently enters a network through exposed, unsecured RDP ports.
Phishing emails containing malicious attachments or links and unpatched applications are also used as attack vectors.
DOES MEDUSALOCKER RANSOMWARE STEAL DATA?
Our research has not shown that MedusaLocker ransomware steals data from victims while it is on the network. It is still important to conduct a forensic investigation, because ransomware threat actors change tactics all the time.
PRESERVING EVIDENCE FROM MEDUSALOCKER RANSOMWARE
A forensic investigation is required to determine the extent of the damage done to your network by the attackers. If you are considering a forensic investigation, it is crucial to preserve all evidence.
These are the steps you need to take to preserve your forensic evidence:
- Shut down your computer and server. This will cause some artifacts to be lost.
- Take a forensically sound image of the system and only then take it offline
- Collect remote-access software, VPN and firewall logs
- Document all information related to the ransomware attack
WHY CHOOSE PROVEN DATA MEDUSALOCKER RANSOMWARE RECOVERY?
Companies affected by ransomware attacks need a time-tested, proven solution to restart operations. We offer 24/7 access to staff with extensive experience in recovering from the MedusaLocker ransomware variant.
We have a deep understanding of MedusaLocker ransomware and can help you make informed business decisions. To fully recover from the attack, it is essential to understand the threat profile and attack vectors.
We developed a sanctions compliance program to meet our compliance requirements, which ensures that any ransom payments made on behalf of clients are handled responsibly. We provide you with a compliance and incident report upon completion of the service, which can be used for reporting or insurance purposes.
We can help you get past the unfortunate MedusaLocker incident by providing transparent ransomware incident response services.