
MedusaLocker Ransomware: Complete Guide

Heloise Montini

Heloise Montini is a content writer whose background in journalism makes her an asset when researching and writing tech content. Her personal interests in creative writing and PC gaming also make her articles on data storage and data recovery accessible to a wide audience.

Laura Pompeu

With 10 years of experience in journalism, SEO and digital marketing, Laura Pompeu uses her skills and experience to manage (and sometimes write) content focused on technology and business strategies.

Bogdan Glushko

CEO at SalvageData Recovery, Bogdan Glushko has over 18 years of experience in high-security data recovery. Over the years he has helped restore data after logical errors, physical failures, and ransomware attacks for individuals, businesses, and government agencies alike.

MedusaLocker ransomware was first detected in September 2019 and has since infected and encrypted systems across multiple sectors, primarily targeting the healthcare sector.

The MedusaLocker actors predominantly rely on vulnerabilities in remote services to access victims’ networks. The actors use services such as RDP, PsExec, and SMB to infect other hosts in the victim’s network.

SalvageData experts recommend proactive data security measures, such as regular backups, strong cybersecurity practices, and keeping software up to date, to protect against ransomware attacks. And, in case of a ransomware attack, contact our ransomware recovery experts immediately.

What kind of malware is MedusaLocker?

MedusaLocker is a ransomware family known to target multiple organizations, especially healthcare and pharmaceutical companies. It appears to operate under a Ransomware-as-a-Service (RaaS) model, an inference drawn from the observed split of ransom payments.

While it shares a similar name, there is no clear evidence that MedusaLocker has any connection with the Medusa ransomware.

Everything we know about MedusaLocker ransomware

Confirmed Name

  • MedusaLocker virus

Threat Type

  • Ransomware
  • Crypto Virus
  • Files locker
  • Double extortion

Is There a Free Decryptor Available?

No, there’s no public decryptor for MedusaLocker ransomware.

Distribution methods

  • Phishing emails
  • Remote Services

Consequences

  • Files are encrypted and locked
  • Data leak
  • Double extortion

What is in the MedusaLocker ransom note

The ransom note is placed in every folder and outlines how to communicate with the attackers and pay the ransom in Bitcoin. It also warns victims against renaming, modifying, or attempting to decrypt the encrypted files with third-party decryptors, claiming that doing so would permanently corrupt them.

Ransom note text:

  All your data are encrypted!
  What happened?
  Your files are encrypted, and currently unavailable. You can check it: all files on you computer has new expansion.
  By the way, everything is possible to recover (restore), but you need to buy a unique decryptor. Otherwise, you never cant return your data.
  For purchasing a decryptor contact us by email: Folieloi@protonmail.com
  If you will get no answer within 24 hours contact us by our alternate emails: Ctorsenoria@tutanota.com, sambolero@tutanoa.com, suppdecrypt@protonmail.com
  What guarantees?
  Its just a business. If we do not do our work and liabilities - nobody will not cooperate with us.
  To verify the possibility of the recovery of your files we can decrypted 1 file for free. Attach 1 file to the letter (no more than 10Mb).
  Indicate your personal ID on the letter:
  - Attention!
  - Attempts of change files by yourself will result in a loose of data.
  - Our e-mail can be blocked over time. Write now, loss of contact with us will result in a loose of data.
  - Use any third party software for restoring your data or antivirus solutions will result in a loose of data.
  - Decryptors of other users are unique and will not fit your files and use of those will result in a loose of data.
  - If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key.

If you realize you’re a ransomware victim, contacting SalvageData ransomware removal experts provides you with a secure data recovery service and ransomware removal after an attack.

MedusaLocker ransomware methods of infection and encryption

MedusaLocker ransomware uses various techniques to spread and infect other hosts in the victim’s network.

  • Remote Services: MedusaLocker ransomware uses remote services such as Remote Desktop Protocol (RDP), PsExec, and Server Message Block (SMB) to get into a network and to spread to other hosts on it.
  • Phishing Campaigns: MedusaLocker ransomware can also gain entry into networks via phishing campaigns in which the malware is attached to emails.

Once MedusaLocker ransomware gains access to a network, it follows the typical ransomware attack lifecycle and blocks victims from accessing their data. It encrypts the victim’s data by using a combination of AES and RSA-2048.

MedusaLocker further establishes persistence by deleting local backups and disabling start-up recovery, and it finally places a ransom note in every folder on the compromised host that contains encrypted files.

Do not comply with the ransom demand! Contact local authorities and a ransomware removal service to restore your files and remove any potential threat.

Known MedusaLocker ransomware IOCs

IOC stands for "Indicator of Compromise". In cybersecurity forensics the term refers to evidence on a device that points to a security breach. Although IOC data is usually gathered after a suspicious incident, a security event, or unexpected outbound connections from the network, it is good practice to check for IOCs regularly in order to detect unusual activity and vulnerabilities.

IOCs include file extensions, IP addresses, file hashes, email addresses, payment wallets, and ransom note file names. Because MedusaLocker is RaaS, its IOCs vary with the variant and the criminal group operating it.

CISA’s MedusaLocker advisory also includes the following IOCs:

Known ransom note file names:

  • how_to_ recover_data.html
  • how_to_recover_data.html.marlock01
  • instructions.html
  • READINSTRUCTION.html
  • !!!HOW_TO_DECRYPT!!!.

Known encrypted file extensions:

  • .1btc
  • .matlock20
  • .readinstructions
  • .bec
  • .mylock
  • .deadfilesgr
  • .lockfiles
  • .tyco
  • .fileslock
  • .zoomzoom
  • .marlock08
  • .marlock25
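The two lists above are what a responder actually checks a file share against. The following Python scanner is an added example (not the article's or CISA's code): it applies the ransom-note names and encrypted-file extensions quoted above to a file listing and reports how many files were renamed and which folders hold notes. The drive letters, folder names and file listing are constructed for the demonstration.

```python
import ntpath  # splits on both \ and /, so Windows paths work on any analyst OS

# Encrypted-file extensions listed above (from CISA's advisory).
MEDUSALOCKER_EXTENSIONS = {
    ".1btc", ".matlock20", ".readinstructions", ".bec", ".mylock",
    ".deadfilesgr", ".lockfiles", ".tyco", ".fileslock", ".zoomzoom",
    ".marlock08", ".marlock25",
}

# Ransom-note names listed above, lower-cased. The page renders the first as
# "how_to_ recover_data.html"; spaces are stripped before comparing, so both match.
MEDUSALOCKER_NOTES = {
    "how_to_recover_data.html", "how_to_recover_data.html.marlock01",
    "instructions.html", "readinstruction.html", "!!!how_to_decrypt!!!",
}


def classify(path):
    """Return 'note', 'encrypted' or None for a single file path."""
    name = ntpath.basename(path).lower().replace(" ", "")
    if name in MEDUSALOCKER_NOTES:
        return "note"
    # The ransomware appends its extension after the original one
    # (report.docx.mylock), so only the final suffix is compared.
    if ntpath.splitext(name)[1] in MEDUSALOCKER_EXTENSIONS:
        return "encrypted"
    return None


def scan_listing(paths):
    """Count notes, encrypted and untouched files; record folders holding notes."""
    summary = {"note": 0, "encrypted": 0, "clean": 0, "note_dirs": set()}
    for path in paths:
        kind = classify(path) or "clean"
        summary[kind] += 1
        if kind == "note":
            summary["note_dirs"].add(ntpath.dirname(path))
    return summary


# Constructed sample listing for the demonstration; not evidence from a real case.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.mylock",
    r"C:\Users\alice\Documents\HOW_TO_RECOVER_DATA.html",
    r"C:\Users\alice\Documents\photo.jpg",
    r"D:\share\finance\q3.pdf.marlock25",
    r"D:\share\finance\!!!HOW_TO_DECRYPT!!!",
]

if __name__ == "__main__":
    print(scan_listing(SAMPLE_LISTING))
```

A real listing can be fed in from `dir /s /b` output or a forensic file-system export; only the final extension is compared, so a file merely named after an indicator (for example `mylock.txt`) is not flagged.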

How to handle a MedusaLocker ransomware attack

The first step in recovering from a MedusaLocker attack is to isolate the infected computer by disconnecting it from the internet and unplugging any attached devices. Then you must contact local authorities. For US residents and businesses, that is the FBI and the Internet Crime Complaint Center (IC3).

To report a ransomware attack you must gather all the information you can about it, including:

  • Screenshots of the ransom note
  • Communications with threat actors (if you have them)
  • A sample of an encrypted file

However, if you prefer to contact professionals, then it’s best to leave every infected machine the way it is and ask for an emergency ransomware removal service. These professionals are equipped to quickly mitigate the damage, gather evidence, potentially reverse the encryption, and restore the system.

Restarting or shutting down the system may compromise recovery. Capturing the RAM of a live system may help recover the encryption key, and capturing the dropper file, i.e. the file that executes the malicious payload, may allow the encryption to be reverse-engineered, leading either to decryption of the data or to a better understanding of how the ransomware operates.

1. Contact your Incident Response provider

A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively during a cyber incident.

An incident response retainer gives organizations peace of mind by providing expert support both before and in the aftermath of a cybersecurity incident. The specific nature and structure of a retainer vary according to the provider and the organization's requirements. A good incident response retainer should be robust but flexible, providing proven services that enhance an organization's long-term security posture.

If you contact your IR service provider, they can take over immediately and guide you through every step in the ransomware recovery. However, if you decide to remove the ransomware yourself and recover the files with your IT team, then you can follow the next steps.

2. Identify the ransomware infection

You can identify which ransomware infected your machine by its file extension (some ransomware families use the extension as their name), by using a ransomware ID tool, or from the ransom note itself. With this information, you can look for a public decryption tool.

3. Remove the ransomware and eliminate exploit kits

Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.

4. Use a backup to restore the data

The importance of backup for data recovery cannot be overstated, especially in the context of various potential risks and threats to data integrity.

Backups are a critical component of a comprehensive data protection strategy. They provide a means to recover from a variety of threats, ensuring the continuity of operations and preserving valuable information. In the face of ransomware attacks, where malicious software encrypts your data and demands payment for its release, having a backup allows you to restore your information without succumbing to the attacker’s demands.

Make sure to regularly test and update your backup procedures to enhance their effectiveness in safeguarding against potential data loss scenarios. There are several ways to make a backup, so you must choose the right backup medium and have at least one copy of your data stored offsite and offline.

5. Contact a ransomware recovery service

If you don’t have a backup or need help removing the malware and eliminating vulnerabilities, contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup. If you don’t, ransomware data recovery services can help you decrypt and recover the files.

SalvageData experts can safely restore your files and prevent MedusaLocker ransomware from attacking your network again; contact our recovery experts 24/7.

What NOT to do after a ransomware attack

You must not delete the ransomware, and you must keep all evidence of the attack. That evidence matters for digital forensics, so that experts can trace the attack back to the group behind it and identify them. It is the data on your infected system that allows authorities to investigate the attack and find those responsible. A cyber attack investigation is no different from any other criminal investigation: it needs evidence to find the attackers.

Prevent the MedusaLocker ransomware attack

Preventing ransomware is the best solution for data security since it is easier and cheaper than recovering from attacks. MedusaLocker ransomware can cost your business’s future and even close its doors.

The following proactive measures reduce the risk of a MedusaLocker ransomware attack and of data being encrypted and held for ransom:

  • Educate employees on cybersecurity and phishing awareness to help them recognize and avoid phishing attempts.
  • Implement security measures, such as firewalls, antivirus software, and intrusion detection systems, to detect and block malicious traffic.
  • Stay vigilant and monitor network activity for any signs of suspicious behavior.
  • Keep software up to date with the latest security patches to prevent ransomware from exploiting unpatched vulnerabilities.
  • Implement strong access controls, such as multi-factor authentication and regular credential monitoring, to prevent ransomware operators from gaining access to systems using stolen or weak credentials.
  • Secure unmanaged devices and BYOD policies by implementing security measures such as device encryption and remote wipe capabilities.
  • Regularly scan and patch internet-facing applications to prevent ransomware operators from exploiting vulnerabilities.