{
	"id": "397a8c0c-26a2-4059-b89c-1dd1cf1cc05d",
	"created_at": "2026-04-06T00:15:10.868715Z",
	"updated_at": "2026-04-10T03:20:58.538663Z",
	"deleted_at": null,
	"sha1_hash": "3964a7c5896c77a36dbd9f13e70e643623d35dc7",
	"title": "Increase In MedusaLocker Ransomware Victims - Cyble",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1081235,
	"plain_text": "Increase In MedusaLocker Ransomware Victims - Cyble\r\nPublished: 2023-03-15 · Archived: 2026-04-05 19:17:01 UTC\r\nCyble Research \u0026 Intelligence Labs analyzes MedusaLocker ransomware in the wake of an alarming increase in its victim count.\r\nMedusaLocker ransomware has been active since September 2019. MedusaLocker actors typically gain access to victims’ networks by exploiting vulnerabilities in Remote Desktop Protocol (RDP).\r\nOnce Threat Actors (TAs) gain access to the network, they encrypt the victim’s data and, while encrypting files, leave a ransom note in every folder with instructions on how victims can communicate with the TAs. The ransom note tells victims to make a ransom payment to the TAs’ crypto wallet address.\r\nMedusaLocker appears to work on a Ransomware-as-a-Service (RaaS) model, which allows cybercriminals to rent the ransomware and its services from the developer. In the RaaS model, ransomware operators develop the ransomware and a Command and Control panel, which affiliates then use to launch ransomware attacks on targets they select. 
After a successful operation, the ransomware operators and affiliates divide the ransom extorted from victims.\r\nFigure 1 illustrates the countries that have been targeted by the ransomware group since January 2023, with a total of 24 victims worldwide.\r\nhttps://blog.cyble.com/2023/03/15/unmasking-medusalocker-ransomware/\r\nPage 1 of 17\n\nFigure 1 – Map Showing Targets of MedusaLocker\r\nThe MedusaLocker ransomware gang is known to target the Hospital and Healthcare industries, but it also targets Education and Government organizations.\r\nThe figure below shows the industries targeted by the MedusaLocker Ransomware.\r\nFigure 2 – Industries Targeted by MedusaLocker\r\nThe United States of America is the biggest target for all ransomware groups; MedusaLocker follows this trend, with the largest number of its victims located in the United States of America.\r\nHowever, victims of MedusaLocker ransomware are scattered across all continents, excluding Antarctica. The figure below shows the countries of the affected targets.\r\nFigure 3 – Countries Targeted by MedusaLocker\r\nTechnical Details\r\nAccording to CISA, the MedusaLocker ransomware group gains initial access to the victim’s device through vulnerable Remote Desktop Protocol (RDP) configurations. 
The TAs also use phishing and spear phishing emails in their campaigns to target possible victims.\r\nThe malware sample we have identified is a 32-bit Graphical User Interface (GUI) based executable compiled with Microsoft Visual C/C++, with a SHA256 hash of “1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f” (shown in the figure below).\r\nWe will be performing an analysis of this ransomware executable to gain insights into its operations.\r\nFigure 4 – MedusaLocker File Details\r\nMutex Creation:\r\nUpon execution, MedusaLocker creates a mutex, or mutual exclusion object, as a locking mechanism to prevent two threads from writing to shared memory simultaneously and to avoid reinfecting the victim.\r\nThe name of the mutex is “8761ABBD-7F85-42EE-B272-A76179687C63”. It is hardcoded into the binary, as shown in the figure below.\r\nFigure 5 – MedusaLocker Creating Mutex\r\nChecking for Administrative Privileges:\r\nAfter acquiring the mutex, the ransomware checks the privilege level of its running process. MedusaLocker requires administrative privileges in order to carry out its malicious operations without any restrictions. To determine the current privileges, the ransomware inspects its own process token.\r\nTo do this, it obtains a handle to the current process and then extracts the token information using the GetTokenInformation() function. The code for checking the process’s privileges is shown in the figure below.\r\nFigure 6 – MedusaLocker Checking for Admin Privileges\r\nPrivilege Escalation:\r\nThe ransomware checks whether the process is currently running with administrative privileges. 
If the process is not running with admin privileges, the ransomware employs a User Account Control (UAC) bypass technique to restart itself with elevated privileges.\r\nThis technique uses the Microsoft Connection Manager Profile Installer (CMSTP.exe), a command-line program for installing Connection Manager service profiles. CMSTP is used to execute malicious code by routing it through a proxy server.\r\nAn illustration of this technique is shown in the figure below.\r\nFigure 7 – MedusaLocker Performing Privilege Escalation\r\nDisabling UAC Prompt:\r\nThe ransomware then attempts to disable the UAC prompt so that the system will not prompt for authentication. To do this, it sets the “EnableLUA” registry value located at SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System to “0”. This stops UAC prompts if the process requires higher privileges to execute.\r\nIf the registry modification fails, the ransomware changes the “ConsentPromptBehaviorAdmin” registry value to “0”, allowing it to perform operations that require elevation without consent or credentials.\r\nThe code to disable the UAC prompt is shown in the figure below.\r\nFigure 8 – MedusaLocker Disabling UAC Prompt\r\nMarking the Infected System:\r\nAfter disabling the UAC prompt, MedusaLocker marks the infected system with a registry key. 
MedusaLocker creates a value “Self” in the registry key HKEY_CURRENT_USER\\SOFTWARE\\MDSLK\\ and sets its data to “svchost.exe”, indicating that the system has already been infected by the MedusaLocker ransomware.\r\nThe figure below shows the registry entry.\r\nFigure 9 – MedusaLocker creating registry marker\r\nCryptor Initialization:\r\nThe ransomware now initializes Cryptor, which performs AES-256 encryption on the victim’s files at a later stage. MedusaLocker ransomware contains an embedded public key, encoded with Base64, which is used to initialize the Cryptor.\r\nThe figure below shows the Base64 string.\r\nFigure 10 – MedusaLocker Initializing Encryption\r\nPersistence:\r\nNow, the ransomware achieves persistence on the victim’s system by dropping itself into the “AppData” folder as “svhost.exe”. The figure below shows the ransomware code to drop itself in the AppData Folder.\r\nFigure 11 – MedusaLocker dropping itself in AppData Folder\r\nAdditionally, the MedusaLocker Ransomware creates a Scheduled Task entry in the system that launches it every 15 minutes for an indefinite period.\r\nThe figure below shows the Scheduled Task entry of the MedusaLocker Ransomware.\r\nFigure 12 – MedusaLocker Creating Scheduled Task Entry\r\nSystem Volume Enumeration:\r\nAfter persistence, the ransomware enumerates all the logical drives in the system for further operations. 
The figure below shows the malware’s routine for enumerating volumes in the system using the FindNextVolumeW() API.\r\nFigure 13 – MedusaLocker Enumerating the Volume Drives\r\nStopping Services:\r\nTo avoid detection and ensure efficient encryption on the victim’s machine, the MedusaLocker Ransomware also terminates various running services, including antivirus, database, and other utility services. This is done through a hardcoded list of services, which the ransomware checks using the QueryServiceStatusEx() function. If any of the hardcoded services are found running, they are stopped using CloseServiceHandle().\r\nThe figure below shows the routine for stopping services.\r\nFigure 14 – MedusaLocker Stopping Services\r\nThe following table shows the targeted services:\r\nDefwatch ccEvtMgr ccSetMgr SavRoam\r\nsqlagent Sqladhlp Culserver RTVscan\r\nSQLADHLP QBIDPService Intuit.QuickBooks.FCS QBCFMonitorService\r\nsqlservr sqlbrowser Sqlwriter msmdsrv\r\ntomcat6 zhudongfangyu SQLADHLP vmware-usbarbitator64\r\nvmware-converter dbsrv12 dbeng8\r\nProcess Termination:\r\nAfter killing the predefined services, the ransomware enumerates the running processes using the CreateToolhelp32Snapshot() function and then terminates the relevant processes using the TerminateProcess() function.\r\nThis is done by checking a hardcoded list of processes identified as being related to antivirus, databases, and other utility programs. 
After the processes have been identified, the ransomware will terminate them to prevent any interference with the encryption process.\r\nThe figure below shows the routine used to terminate the relevant processes.\r\nFigure 15 – MedusaLocker Terminating Processes\r\nThe processes targeted by the MedusaLocker ransomware are as follows:\r\nwxServer.exe wxServerView sqlservr.exe sqlmangr.exe\r\nRAgui.exe supervise.exe Culture.exe RTVscan.exe\r\nDefwatch.exe sqlbrowser.exe winword.exe QBW32.exe\r\nQBDBMgr.exe qbupdate.exe QBCFMonitorService.exe axlbridge.exe\r\nQBIDPService.exe httpd.exe fdlauncher.exe MsDtSrvr.exe\r\ntomcat6.exe java.exe 360se.exe 360doctor.exe\r\nwdswfsafe.exe fdlauncher.exe fdhost.exe GDscan.exe\r\nZhuDongFangYu.exe\r\nDisabling Data Recovery:\r\nThe ransomware now utilizes inbuilt tools to delete the backups from the victim’s system. It runs the command prompt and executes commands that remove the shadow copies and system backups, making it impossible to recover the data from the infected system. As a result, the victim is compelled to pay the ransom in order to regain access to their data.\r\nThe figure below shows the commands executed by MedusaLocker.\r\nFigure 16 – MedusaLocker Removing the Backup from the victim’s system\r\nAdditionally, the ransomware calls the SHEmptyRecycleBinW() API to clear the Recycle Bin, effectively obstructing the victim’s ability to restore any deleted files. The code for this is shown in the figure below.\r\nFigure 17 – MedusaLocker Emptying the Recycle Bin\r\nExcluding Folders from Encryption:\r\nAfter impairing data recovery, the ransomware creates a list of folders to exclude from encryption. 
This ensures that the important executables and temporary files used for normal operations are not encrypted, while data files are still encrypted.\r\nThe figure below shows the code for the excluded file paths.\r\nFigure 18 – MedusaLocker Excluding Important Folders\r\nData Encryption:\r\nThe ransomware now begins encrypting the files on the victim’s machine. The data is encrypted using the AES-256 encryption algorithm, with the encryption key further encrypted by the RSA public key embedded in the ransomware. Without the private key, it is impossible to decrypt the AES key.\r\nThe figure below shows the code to encrypt the files.\r\nFigure 19 – MedusaLocker’s Encryption Routine\r\nWhen encrypting each file, the ransomware leaves a ransom note in the folder and adds the extension ‘itlock4’. It also excludes files with multiple extensions such as .exe, .dll, .sys, .ini, .rdp, etc. from encryption.\r\nThe figure below shows the encrypted files and ransom note.\r\nFigure 20 – MedusaLocker Ransom note and Encrypted Files\r\nIn the end, MedusaLocker Ransomware presents the ransom note to its victims. 
The ransom note includes a personal ID for the victim’s identification and a Tor contact page to facilitate negotiations and decrypt sample files.\r\nThe figure below shows the ransom note of MedusaLocker.\r\nFigure 21 – Ransom note Dropped by the MedusaLocker Ransomware\r\nNetwork Activities:\r\nMedusaLocker checks the active network adapter and uses Internet Control Message Protocol (ICMP) to scan for all connected systems.\r\nThe figure below depicts the ransomware using ICMP to scan for connected systems.\r\nFigure 22 – MedusaLocker Enumerating the Network using ICMP Protocol\r\nAfter enumeration, the ransomware scans for SMB shares connected to the system. It creates a list of SMB shares, excluding any hidden shares indicated by a name starting with “$”.\r\nThe code for this scanning process is shown in the figure below.\r\nFigure 23 – MedusaLocker enumerating the SMB Shares\r\nEventually, the ransomware propagates to all shared resources and proceeds to infect other connected systems within the network.\r\nConclusion\r\nMedusaLocker ransomware is a highly sophisticated form of malicious software that can potentially cause severe data losses and financial losses for its victims. This advanced ransomware is difficult to detect and stop, and its encryption algorithms are extremely difficult to break.\r\nThere have been numerous cyber attacks in a short period of time, targeting all kinds of industries and geographic locations. More cyber attacks from the MedusaLocker Ransomware are expected to occur in the future.\r\nOur Recommendations\r\nThe following essential cybersecurity best practices create the first line of control against attackers. 
We recommend that our readers follow the best practices as given below:\r\nFrequent Audits, Vulnerability Assessments, and Penetration Testing of organizational assets, including network and software.\r\nMonitor incoming emails from suspicious and potentially malicious domains.\r\nBack up data in different locations and implement Business Continuity Planning (BCP). Keeping the backup servers isolated from the infrastructure helps fast data recovery.\r\nEnforcement of VPN to safeguard endpoints.\r\nConduct frequent training on security awareness for the company’s employees to inform them about emerging threats.\r\nImplementation of technology to understand the behavior of ransomware-malware families and variants to block malicious payloads and counter potential attacks.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nInitial Access | T1133 | External Remote Services\r\nInitial Access | T1566 | Phishing\r\nPersistence | T1053.005 | Scheduled Task/Job: Scheduled Task\r\nPrivilege Escalation | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control\r\nDefense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools\r\nDiscovery | T1135 | Network Share Discovery\r\nImpact | T1486 | Data Encrypted for Impact\r\nIndicators of Compromise (IOCs)\r\nIndicators | Indicator Type | Description\r\n3618b68d7db4614ec8d33b5052cc0e85 | MD5 | MedusaLocker Executable\r\n15177fbb65d707b308bac50f612b795494314001 | SHA1 | MedusaLocker Executable\r\n1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f | SHA256 | MedusaLocker Executable\r\n28ec152fadc5119c31f1fc984735b324 | MD5 | MedusaLocker Executable\r\n48e24f5c2c7572ed29a0e58b02e596f0638bc1f6 | SHA1 | MedusaLocker Executable\r\n3e22df5e41df76a46ab360be05fe0ee5c336c84fd55db7763fe4e214dca194b4 | SHA256 | MedusaLocker Executable\r\nd9fa435d704caebc54408e03227f0044 | MD5 | MedusaLocker Executable\r\n0f36dff0f1beaf57d68b12fa0234853638c1c6f0 | SHA1 | MedusaLocker Executable\r\n8724e513ca2b4ce055bb846220e57c2ab622f296bf7a768393a701319d3eac70 | SHA256 | MedusaLocker Executable\r\n2979ed84c4ca3deb2924bd1f26bf88bd | MD5 | MedusaLocker Executable\r\n8f01f9112904389e0b53a25506ef69f99cc0fa1b | SHA1 | MedusaLocker Executable\r\nbcf49e8f493c9eff83d9bc891e91dc91777f02b4f176e44b20f9a2d651f20fc3 | SHA256 | MedusaLocker Executable\r\n2316091f02153ac20dff768513aae1a4 | MD5 | MedusaLocker Executable\r\n6b7b1017b9313ab87fccf4ea08a427c1499b89dc | SHA1 | MedusaLocker Executable\r\n940bddbc6ef19b211f2022d61bf4d006969da11f9fe0beba98586e554dfcc741 | SHA256 | MedusaLocker Executable\r\n3618b68d7db4614ec8d33b5052cc0e85 | MD5 | MedusaLocker Executable\r\n15177fbb65d707b308bac50f612b795494314001 | SHA1 | MedusaLocker Executable\r\n1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f | SHA256 | MedusaLocker Executable\r\ne03fa1e0dd3dc0fb6960e76219ddf86c | MD5 | MedusaLocker Executable\r\nc92fd297256aa8d70607e33188b91442208aaeb3 | SHA1 | MedusaLocker Executable\r\n0a758a922bdaacc08a84a62881eeb0f17075058ecf7329cbc10a9bfe1fba0814 | SHA256 | MedusaLocker Executable\r\n168447d837fc71deeee9f6c15e22d4f4 | MD5 | MedusaLocker Executable\r\n80ad29680cb8cecf58d870ee675b155fc616097f | SHA1 | MedusaLocker Executable\r\nadd2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b | SHA256 | MedusaLocker Executable\r\n57ee7ef00e009c4048d78406b3dca5b7 | MD5 | MedusaLocker Executable\r\n81467ca16e87dfacd9c965f105fb5b30548f1ded | SHA1 | MedusaLocker Executable\r\ne0221e692fa3476cb2d862c1aee07f3e87d83411ef9a534fdf8d20efbaee0394 | SHA256 | MedusaLocker Executable\r\naa82e62207615d2f227ce9a0e488b912 | MD5 | MedusaLocker Executable\r\nd9390b6c1478970a9e7b8a3fe854a42efdc582f6 | SHA1 | MedusaLocker Executable\r\n79e009e12ba6d60665faf5bdd523d80f0fe6be28694914cf0fa64929b4052e67 | SHA256 | MedusaLocker Executable\r\nSource: https://blog.cyble.com/2023/03/15/unmasking-medusalocker-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.cyble.com/2023/03/15/unmasking-medusalocker-ransomware/"
	],
	"report_names": [
		"unmasking-medusalocker-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434510,
	"ts_updated_at": 1775791258,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3964a7c5896c77a36dbd9f13e70e643623d35dc7.pdf",
		"text": "https://archive.orkl.eu/3964a7c5896c77a36dbd9f13e70e643623d35dc7.txt",
		"img": "https://archive.orkl.eu/3964a7c5896c77a36dbd9f13e70e643623d35dc7.jpg"
	}
}