{
	"id": "6e68fff5-8649-4291-a864-7a72857821e4",
	"created_at": "2026-04-06T00:19:04.243056Z",
	"updated_at": "2026-04-10T13:11:55.141489Z",
	"deleted_at": null,
	"sha1_hash": "0abf840a6df0558a920af332a5a121cf057249c2",
	"title": "#StopRansomware: MedusaLocker | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 105009,
	"plain_text": "#StopRansomware: MedusaLocker | CISA\r\nPublished: 2022-08-11 · Archived: 2026-04-05 17:07:40 UTC\r\nSummary\r\nActions to take today to mitigate cyber threats from ransomware:\r\n• Prioritize remediating known exploited vulnerabilities.\r\n• Train users to recognize and report phishing attempts.\r\n• Enable and enforce multifactor authentication.\r\nNote: this joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories\r\nfor network defenders that detail various ransomware variants and ransomware threat actors. These\r\n#StopRansomware advisories include recently and historically observed tactics, techniques, and procedures\r\n(TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit\r\nstopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats\r\nand no-cost resources.\r\nThe Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the\r\nDepartment of the Treasury, and the Financial Crimes Enforcement Network (FinCEN) are releasing this CSA to\r\nprovide information on MedusaLocker ransomware. Observed as recently as May 2022, MedusaLocker actors\r\npredominantly rely on vulnerabilities in Remote Desktop Protocol (RDP) to access victims’ networks. The\r\nMedusaLocker actors encrypt the victim's data and leave a ransom note with communication instructions in every\r\nfolder containing an encrypted file. The note directs victims to provide ransomware payments to a specific Bitcoin\r\nwallet address. MedusaLocker appears to operate as a Ransomware-as-a-Service (RaaS) model based on the\r\nobserved split of ransom payments. Typical RaaS models involve the ransomware developer and various affiliates\r\nthat deploy the ransomware on victim systems. 
MedusaLocker ransomware payments appear to be consistently split between the affiliate, who receives 55 to 60 percent of the ransom, and the developer, who receives the remainder.\r\nTechnical Details\r\nMedusaLocker ransomware actors most often gain access to victim devices through vulnerable Remote Desktop Protocol (RDP) configurations [T1133]. Actors also frequently use email phishing and spam email campaigns—directly attaching the ransomware to the email—as initial intrusion vectors [T1566].\r\nMedusaLocker ransomware uses a batch file to execute the PowerShell script invoke-ReflectivePEInjection [T1059.001]. This script propagates MedusaLocker throughout the network by editing the EnableLinkedConnections value within the infected machine’s registry, which then allows the infected machine to detect attached hosts and networks via Internet Control Message Protocol (ICMP) and to detect shared storage via Server Message Block (SMB) Protocol.\r\nhttps://www.cisa.gov/uscert/ncas/alerts/aa22-181a\r\nPage 1 of 10\r\nMedusaLocker then:\r\n• Restarts the LanmanWorkstation service, which allows registry edits to take effect.\r\n• Kills the processes of well-known security, accounting, and forensic software.\r\n• Restarts the machine in safe mode to avoid detection by security software [T1562.009].\r\n• Encrypts victim files with the AES-256 encryption algorithm; the resulting key is then encrypted with an RSA-2048 public key [T1486].\r\n• Runs every 60 seconds, encrypting all files except those critical to the functionality of the victim’s machine and those that have the designated encrypted file extension.\r\n• Establishes persistence by copying an executable (svhost.exe or svhostt.exe) to the %APPDATA%\\Roaming directory and scheduling a task to run the ransomware every 15 minutes.\r\n• Attempts to prevent standard recovery techniques by deleting local backups, disabling startup recovery options, and deleting shadow copies [T1490].\r\nMedusaLocker actors place a ransom note into every folder containing a file with the victim's encrypted data. The note outlines how to communicate with the MedusaLocker actors, typically providing victims one or more email addresses at which the actors can be reached. The size of MedusaLocker ransom demands appears to vary depending on the victim’s financial status as perceived by the actors. 
\r\nIndicators of Compromise\r\nEncrypted File Extensions\r\nRansom Note File Names\r\nPayment Wallets\r\nEmail Addresses\r\nTOR Addresses\r\nDisclaimer: Many of these observed IP addresses are several years old and have been historically linked to MedusaLocker ransomware. We recommend these IP addresses be investigated or vetted by organizations prior to taking action, such as blocking.\r\nMITRE ATT\u0026CK Techniques\r\nMedusaLocker actors use the ATT\u0026CK techniques listed 
in Table 1.\r\nTable 1: MedusaLocker Actors ATT\u0026CK Techniques for Enterprise\r\nInitial Access\r\n• External Remote Services (T1133): MedusaLocker actors gained access to victim devices through vulnerable RDP configurations.\r\n• Phishing (T1566): MedusaLocker actors used phishing and spearphishing to obtain access to victims' networks.\r\nExecution\r\n• Command and Scripting Interpreter: PowerShell (T1059.001): MedusaLocker actors may abuse PowerShell commands and scripts for execution.\r\nDefense Evasion\r\n• Impair Defenses: Safe Mode Boot (T1562.009): MedusaLocker actors may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services.\r\nImpact\r\n• Data Encrypted for Impact (T1486): MedusaLocker actors encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources.\r\n• Inhibit System Recovery (T1490): MedusaLocker actors may deny access to operating systems containing features that can help fix corrupted systems, such as backup catalog, volume shadow copies, and automatic repair.\r\nMitigations\r\n• Implement a recovery plan that maintains and retains multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (i.e., hard drive, storage device, or the cloud).\r\n• Implement network segmentation and maintain offline backups of data to ensure limited interruption to the organization.\r\n• Regularly back up data and password protect backup copies stored offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.\r\n• Install, regularly update, and enable real-time detection for antivirus software on all hosts.\r\n• Install updates for operating systems, software, and firmware as soon as possible.\r\n• Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts.\r\n• Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.\r\n• Disable unused ports.\r\n• Consider adding an email banner to emails received from outside your organization.\r\n• Disable hyperlinks in received emails.\r\n• Enforce multifactor authentication (MFA).\r\n• Use National Institute of Standards and Technology (NIST) standards for developing and managing password policies:\r\n  • Use longer passwords consisting of at least 8 characters and no more than 64 characters in length.\r\n  • Store passwords in hashed format using industry-recognized password managers.\r\n  • Add password user “salts” to shared login credentials.\r\n  • Avoid reusing passwords.\r\n  • Implement multiple failed login attempt account lockouts.\r\n  • Disable password “hints”.\r\n  • Refrain from requiring password changes unless there is evidence of password compromise. Note: NIST guidance suggests favoring longer passwords and no longer requiring regular and frequent password resets. Frequent password resets are more likely to result in users developing password “patterns” that cyber criminals can easily decipher.\r\n• Require administrator credentials to install software.\r\n• Only use secure networks; avoid using public Wi-Fi networks.\r\n• Consider installing and using a virtual private network (VPN) to establish secure remote connections.\r\n• Focus on cybersecurity awareness and training. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities, such as ransomware and phishing scams.\r\nResources\r\n• Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.\r\n• Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide\r\n• No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment\r\nReporting\r\nTo report an incident and request technical assistance, contact CISA at Central@cisa.dhs.gov or 1-844-Say-CISA, or FBI through a local field office.\r\nFinancial institutions must ensure compliance with any applicable Bank Secrecy Act requirements, including suspicious activity reporting obligations. Indicators of compromise (IOCs), such as suspicious email addresses, file names, hashes, domains, and IP addresses, can be provided under Item 44 of the Suspicious Activity Report (SAR) form. For more information on mandatory and voluntary reporting of cyber events via SARs, see FinCEN Advisory FIN-2016-A005, Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime, October 25, 2016; and FinCEN Advisory FIN-2021-A004, Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments, November 8, 2021, which updates FinCEN Advisory FIN-2020-A006.\r\nThe U.S. Department of State’s Rewards for Justice (RFJ) program offers a reward of up to $10 million for reports of foreign government malicious activity against U.S. critical infrastructure. See the RFJ website for more information and how to report information securely.\r\nContact Information\r\nTo report suspicious or criminal activity related to information found in this Joint Cybersecurity Advisory, contact your local FBI field office at www.fbi.gov/contact-us/field-offices. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. To report incidents and anomalous activity or to request incident response resources or technical assistance related to this threat, contact CISA at contact@mail.cisa.dhs.gov.\r\nRevisions\r\nJune 30, 2022: Initial Version\r\nSource: https://www.cisa.gov/uscert/ncas/alerts/aa22-181a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/uscert/ncas/alerts/aa22-181a"
	],
	"report_names": [
		"aa22-181a"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434744,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0abf840a6df0558a920af332a5a121cf057249c2.pdf",
		"text": "https://archive.orkl.eu/0abf840a6df0558a920af332a5a121cf057249c2.txt",
		"img": "https://archive.orkl.eu/0abf840a6df0558a920af332a5a121cf057249c2.jpg"
	}
}