{
	"id": "03a219d0-2330-457f-b5d8-c4ebd2262b6f",
	"created_at": "2026-04-06T01:30:11.732862Z",
	"updated_at": "2026-04-10T13:11:44.684523Z",
	"deleted_at": null,
	"sha1_hash": "368ce11c0c73938a59fb25630958758964d913f4",
	"title": "Decrypting the Mystery of MedusaLocker",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2330335,
	"plain_text": "Decrypting the Mystery of MedusaLocker\r\nBy Shayan Ahmed Khan\r\nPublished: 2024-04-20 · Archived: 2026-04-06 00:30:07 UTC\r\n9 min read\r\nNov 13, 2023\r\nIn this analysis I will not cover stage 1 and stage 2 of MedusaLocker, which consist of initial access via a malicious document (maldoc) and execution via a batch script that in turn invokes PowerShell to start the attack. I will analyze only the ransomware executable itself, which is stage 3 of MedusaLocker.\r\nThe MedusaLocker ransomware executable covers most of the MITRE ATT\u0026CK tactics. The MITRE mapping from a public sandbox report is shown below:\r\n[Image: Joe Sandbox Report]\r\nThis variant of MedusaLocker ransomware has a large number of steps in its execution. It follows a number of techniques from initial access to impact, which we explore one by one below.\r\nMutex\r\nLet’s start with one of the most common techniques used by ransomware: creating a unique mutex to avoid running multiple instances of the same malware. This is especially useful for ransomware with worm-like capabilities that can propagate and infect other systems. It is also useful for persistent malware that is started automatically when a scheduled time or an event is triggered.\r\nhttps://medium.com/@shaddy43/decrypting-the-mystery-of-medusalocker-7128795cf9f0\r\nPage 1 of 12\r\n[Image: Check Mutex]\r\nThe code above is disassembled from a stripped MedusaLocker ransomware executable. The first function is a simple logging routine that prints “[Locker] Is running”. The second is a string-formatting function that builds the unique mutex name, which is then passed to the third function that creates the mutex.\r\nPrivilege Escalation\r\nBefore any critical operation, MedusaLocker tries to escalate privileges on the local system. 
It does so by abusing COM objects to bypass UAC (User Account Control), a built-in security measure. There is a known UAC bypass that uses the CMSTPLUA COM interface.\r\n[Image: Privilege Escalation by abusing COM objects]\r\nThe code above escalates privileges using the CMSTPLUA COM object interface. These CLSIDs refer to the wshell exec object that is used to run the command shown in the screenshot above. Since this is a stripped binary, the function names do not make much sense. However, if I rename the functions and parameters it becomes much easier to understand, as in the screenshot below:\r\n[Image: Reformed Privilege Escalation Code]\r\nI have just extracted a TTP from real-world malware. The next step is to emulate this procedure by recreating the malicious behavior. Here, for example, the behavior is mapped as a TTP like this:\r\n1. Privilege Escalation as tactic\r\n2. Abuse Elevation Control Mechanism as technique\r\n3. Bypass User Account Control as sub-technique\r\nDefacement\r\nOne unique characteristic of MedusaLocker ransomware is that it adds a marker registry key that shows that a particular system has been infected by MedusaLocker. The purpose of this procedure is not known, but it looks like a defacement strategy or simply a way of leaving a mark on the system. Harmful or not, it is a notable behavior of a very dangerous ransomware.\r\n[Image: MedusaLocker marker]\r\nThe registry key path is “HKEY_CURRENT_USER\\SOFTWARE\\MDSLK\\Self”. The abbreviation MDSLK presumably stands for MedusaLocker. This tactic is mapped on MITRE as:\r\n1. Impact as tactic\r\n2. Defacement as technique\r\n3. Internal Defacement as sub-technique\r\nPersistence\r\nMedusaLocker achieves persistence in an unusual way. It uses official Microsoft-documented code to schedule a task that repeats every 15 minutes indefinitely. Typically, malware uses either at.exe or schtasks.exe, the official Microsoft tools for scheduling tasks, but in this case the malware schedules the task programmatically in C++ using the official sample code from Microsoft’s MSDN page.\r\n[Image: Persistence using task scheduling]\r\nThe malware creates a copy of itself named “svhost.exe” in %APPDATA% and registers itself in the Task Scheduler to be executed every 15 minutes indefinitely. This is where the mutex comes in: when the binary is executed again, it first checks whether another instance is already running on the system. If so, the new instance exits and lets the earlier one continue. The MITRE mapping for this behavior is:\r\n1. Persistence as tactic\r\n2. Scheduled Task/Job as technique\r\n3. Scheduled Task as sub-technique\r\n
Defense Evasion\r\nThe malware uses multiple defense evasion techniques, one of which is to disable UAC (User Account Control) altogether. Having obtained elevated privileges through the CMSTPLUA bypass, it can now make critical changes to the system, one of which is disabling UAC. It does so by changing registry values as shown in the code below:\r\n[Image: Disable UAC]\r\nIt sets the value of “EnableLUA” to 0, which means the administrator prompt will not be shown and everything will be executed with elevated privileges. The author of this malware took an extra step to disable UAC by also setting “ConsentPromptBehaviorAdmin” to 0. If for any reason the first change does not work, the second would make sure that UAC is disabled, but it only takes effect after a system restart. The MITRE behavioral mapping is as follows:\r\n1. Defense Evasion as tactic\r\n2. Impair Defenses as technique\r\n3. Disable or Modify Tools as sub-technique\r\nService Stop\r\nAnother highly critical impact of this malware is that it stops and deletes a predefined set of services and kills a predefined set of processes to avoid any interruption of its encryption process. These sets can be found through simple static analysis of the strings in the binary.\r\n[Image: List of services to stop]\r\nThe image above shows all the services and processes that it tries to enumerate and kill. It uses the Windows Service Control Manager APIs to stop and even delete the services. For processes, it uses the well-known process enumeration APIs CreateToolhelp32Snapshot, Process32First and Process32Next. The MITRE mapping for this behavior is given below:\r\n1. Impact as tactic\r\n2. Service Stop as technique\r\nInhibit System Recovery\r\nLike most ransomware, MedusaLocker also tries to remove ways of recovering data on the victim system. However, unlike most ransomware, it does so by deleting multiple recovery options instead of just shadow copies. It uses both vssadmin and wbadmin to delete shadow copies from the system. It also removes other recovery options using bcdedit.exe to prevent the system from being rebooted into recovery mode. As an additional step, it empties the Recycle Bin for good measure.\r\n[Image: Deleting recovery options]\r\nEvery command listed above is executed through the CreateProcessW API, which treats the text before the first whitespace as the process name and the rest as that process’s arguments. The highlighted subroutine sub_41E9A0 creates these processes as follows:\r\n[Image: Create process for deleting recovery files]\r\nThe MITRE mapping for this behavior is as follows:\r\n1. Impact as tactic\r\n2. Inhibit System Recovery as technique\r\n
Encryption\r\nLike most ransomware, MedusaLocker uses symmetric encryption for speed. It uses AES-256 to encrypt all files on the system. However, it uses a combination of RSA and AES in the overall process: the encryption key is encrypted with a predefined public key embedded in the malware, so it can only be decrypted with the attacker’s private key. The malware authors wrote the code so that every file is encrypted with a randomly generated AES key, which is in turn encrypted with the RSA public key and saved on the system along with multiple ransom notes.\r\n[Image: Encryption Routine]\r\nIn the screenshot above it can be seen that a base64-encoded public key has been embedded in the malware. I extracted the strings from the malware using the FLOSS utility. The base64-encoded key is converted to binary format with the “CryptStringToBinaryA” API for use in cryptographic functions. Finally, the symmetric key is generated with the “CryptGenKey” API, encrypted with the public key and saved in the HTML ransom note. After that the encryptor is started, which sets up the list of folders and extensions to skip during encryption, as shown in the extracted strings just below the public key.\r\nThe MITRE mapping for this behavior is as follows:\r\n1. Impact as tactic\r\n2. Data Encrypted for Impact as technique\r\nTo recreate this test case, I can write a C++ program that starts an asynchronous thread for the encryptor function, which continuously searches for and encrypts files, while also saving the HTML ransom note that contains the encrypted symmetric key.\r\nDiscovery and Lateral Movement\r\nThe malware has a networking module that enables it to establish connections to remote systems on the local network and scan for SMB shares. The first step is to send an ICMP “ping” to each system in sequential order and check whether a response is received. After that, the malware examines the system for open SMB shares, excluding shares with a “$” in their name, which indicates hidden shares. The remaining shares are accumulated in a list to be encrypted at a later stage.\r\n[Image: Ping systems]\r\nThe MITRE mapping for this behavior is as follows:\r\n1. Lateral Movement as tactic\r\n2. Remote Services as technique\r\n3. SMB Shares as sub-technique\r\nI have covered most of the major attack paths, or malicious behaviors, of MedusaLocker ransomware. In the next part of this report I will discuss how to emulate these behaviors for thorough security testing and reporting.\r\n
Behavior Emulation\r\nWe call every phase of the attack cycle a malicious behavior, and every behavior is mapped to one MITRE tactic, technique or sub-technique. Since I have extracted all the major behaviors from the MedusaLocker ransomware, the next step is to recreate these behaviors in a safe manner for complete APT emulation. I use a combination of techniques to recreate them, such as tracing the API calls used by the malware, coding a behavior exactly the way the malware achieved it, or contacting the same malicious URLs the malware used. I have also incorporated ChatGPT into this recreation phase: I analyze the malware, understand its practices and the APIs it uses, and recreate those behaviors using ChatGPT.\r\nFor example, I am going to recreate the behavior of the Impact tactic with Inhibit System Recovery as the technique. The malware’s behavior is to execute a number of commands from an array using CreateProcessW to delete shadow copies and other recovery options from the system. I queried ChatGPT with the commands to be executed and the API through which they must be executed, and as a result it recreated the whole behavior itself.\r\n[Image: Behavior recreation with ChatGPT]\r\nAs can be seen in the screenshot above, ChatGPT recreated code fairly similar to what we saw in the binary while reverse engineering the malware sample. Using this methodology I can recreate most of the behaviors with little tweaking.\r\nOnce all the behaviors have been recreated, we launch them in sequence and evaluate where a security control is weak against a particular APT campaign or attack path. This methodology of dividing the campaign into individual behaviors and testing each one gives us an in-depth analysis of security controls and their weaknesses. One problem with running the exploit as a whole is that we do not learn on what basis the security control or system policies detected and quarantined the malware, so the resulting mitigation could not be accurate.\r\nCheck out my GitHub repo of the Malware Analysis Series!\r\nSample hash: 26af2222204fca27c0fdabf9eefbfdb638a8a9322b297119f85cce3c708090f0\r\nSource: https://medium.com/@shaddy43/decrypting-the-mystery-of-medusalocker-7128795cf9f0",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@shaddy43/decrypting-the-mystery-of-medusalocker-7128795cf9f0"
	],
	"report_names": [
		"decrypting-the-mystery-of-medusalocker-7128795cf9f0"
	],
	"threat_actors": [],
	"ts_created_at": 1775439011,
	"ts_updated_at": 1775826704,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/368ce11c0c73938a59fb25630958758964d913f4.pdf",
		"text": "https://archive.orkl.eu/368ce11c0c73938a59fb25630958758964d913f4.txt",
		"img": "https://archive.orkl.eu/368ce11c0c73938a59fb25630958758964d913f4.jpg"
	}
}