{ "id": "5057395c-c4e4-471d-a13e-ab0913c50828", "created_at": "2026-04-06T01:30:39.06891Z", "updated_at": "2026-04-10T03:33:54.982833Z", "deleted_at": null, "sha1_hash": "06e111d5726c1c42c5756f0ac3f9fb5d4bb77ddb", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 53128, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-06 00:09:34 UTC\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool MedusaLocker\n Tool: MedusaLocker\nNames\nMedusaLocker\nAKO Doxware\nAKO Ransomware\nMedusaReborn\nCategory Malware\nType Ransomware, Big Game Hunting, Reconnaissance\nDescription\n(Cybereason) The MedusaLocker ransomware first emerged in September 2019, infecting\nand encrypting Windows machines around the world. There have been reports of\nMedusaLocker attacks across multiple industries, especially the healthcare industry which\nsuffered a great deal of ransomware attacks during the COVID-19 pandemic.\nIn order to maximize the chances of successful encryption of the files on the compromised\nmachine, MedusaLocker restarts the machine in safe mode before execution. This method\nis used to avoid security tools that might not run when the computer starts in safe mode.\nMedusaLocker avoids encrypting executable files, most likely to avoid rendering the\ntargeted system unusable for paying the ransom. To make it even more dangerous,\nMedusaLocker uses a combination of AES and RSA-2048, making the procedure of brute\nforcing the encryption practically impossible.\nInformation https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2680cd2f-0911-418c-8414-d01b475df8f2\nPage 1 of 2\n\nMalpedia AlienVault OTX Last change to this tool card: 24 October 2024\nDownload this tool card in JSON format\nAll groups using tool MedusaLocker\nChanged Name Country Observed\nAPT groups\n EmpireMonkey, CobaltGoblin [Unknown] 2018-Mar 2021\n1 group listed (1 APT, 0 other, 0 unknown)\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2680cd2f-0911-418c-8414-d01b475df8f2\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2680cd2f-0911-418c-8414-d01b475df8f2\nPage 2 of 2", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2680cd2f-0911-418c-8414-d01b475df8f2" ], "report_names": [ "listgroups.cgi?u=2680cd2f-0911-418c-8414-d01b475df8f2" ], "threat_actors": [ { "id": "56daf304-dd2c-4fa1-a01f-8c0a7e5e5c30", "created_at": "2022-10-25T16:07:23.586985Z", "updated_at": "2026-04-10T02:00:04.676803Z", "deleted_at": null, "main_name": "EmpireMonkey", "aliases": [ "Anthropoid Spider", "CobaltGoblin", "EmpireMonkey" ], "source_name": "ETDA:EmpireMonkey", "tools": [ "AKO Doxware", "AKO Ransomware", "MedusaLocker", "MedusaReborn" ], "source_id": "ETDA", "reports": null }, { "id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d", "created_at": "2022-10-25T16:07:24.139848Z", "updated_at": "2026-04-10T02:00:04.878798Z", "deleted_at": null, "main_name": "Safe", "aliases": [], "source_name": "ETDA:Safe", "tools": [ "DebugView", "LZ77", "OpenDoc", "SafeDisk", "TypeConfig", "UPXShell", "UsbDoc", "UsbExe" ], "source_id": "ETDA", "reports": null }, { "id": "186f3cc2-500c-4233-b688-8b6d6e08e2a3", "created_at": "2023-01-06T13:46:39.098169Z", "updated_at": "2026-04-10T02:00:03.212492Z", "deleted_at": null, "main_name": "ANTHROPOID SPIDER", "aliases": [ "Empire Monkey", "CobaltGoblin" ], "source_name": "MISPGALAXY:ANTHROPOID SPIDER", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775439039, "ts_updated_at": 1775792034, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/06e111d5726c1c42c5756f0ac3f9fb5d4bb77ddb.pdf", "text": "https://archive.orkl.eu/06e111d5726c1c42c5756f0ac3f9fb5d4bb77ddb.txt", "img": "https://archive.orkl.eu/06e111d5726c1c42c5756f0ac3f9fb5d4bb77ddb.jpg" } }