{
	"id": "21ca4062-ae1c-46bd-8882-9de262f22789",
	"created_at": "2026-04-06T00:10:14.61721Z",
	"updated_at": "2026-04-10T03:21:29.864657Z",
	"deleted_at": null,
	"sha1_hash": "73a3b440c7a5bc261f1f319f52d19c03151de3f6",
	"title": "Threat Spotlight: MedusaLocker",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1124547,
	"plain_text": "Threat Spotlight: MedusaLocker\r\nBy Edmund Brumaghin\r\nPublished: 2020-04-23 · Archived: 2026-04-05 14:18:56 UTC\r\nThursday, April 23, 2020 11:37\r\nBy Edmund Brumaghin, with contributions from Amit Raut.\r\nOverview\r\nMedusaLocker is a ransomware family that has been observed being deployed since its discovery in 2019. Since\r\nits introduction to the threat landscape, there have been several variants observed. However, most of the\r\nfunctionality remains consistent. The most notable differences are changes to the file extension used for encrypted\r\nfiles and the look and feel of the ransom note that is left on systems following the encryption process.\r\nWhile most of MedusaLocker's functionality is consistent with other modern ransomware families, there are\r\nfeatures that set MedusaLocker apart from many of the other ransomware families commonly observed.\r\nMedusaLocker can encrypt the contents of mapped network drives that may be present on infected\r\nsystems.\r\nIt manipulates Windows functionality to force network drives to be remapped so that their contents can\r\nalso be encrypted.\r\nThe malware uses ICMP sweeping to profile the network to identify other systems that can be used to\r\nmaximize the likelihood of a ransom payment.\r\nMedusaLocker can also perform ICMP sweeping to identify other systems on the same network. 
If the malware is able to locate them, MedusaLocker then attempts to leverage the SMB protocol to discover accessible network locations, and if files are discovered in those locations, they are also encrypted and ransomed in the same manner as other locally stored data.\r\nhttps://blog.talosintelligence.com/2020/04/medusalocker.html\r\nPage 1 of 9\r\nMedusaLocker\r\nMedusaLocker features characteristics typical of ransomware that is commonly seen across the threat landscape. Upon execution, it copies itself to the %APPDATA%\\Roaming\\ directory.\r\nTo achieve persistence, the malware creates scheduled tasks within Windows to execute the PE32 that was previously stored in %APPDATA%\\Roaming.\r\nInterestingly, the scheduled task is also configured to execute every 15 minutes after the initial infection, likely as a way to keep the ability to impact files and other data after the initial run of the ransomware.\r\nAs previously mentioned, the malware is configured to iterate through the disk partitions that may be present and accessible on the infected system and to encrypt their contents.\r\nFiles that are encrypted have a new file extension appended to them. As there are several variants currently being observed across the threat landscape, this file extension varies. 
In the case of the sample analyzed, that file extension was \".encrypted\".\r\nAdditionally, in each directory in which the malware discovers data to be encrypted, a ransom note is saved titled \"HOW_TO_RECOVER_DATA\". This ransom note functions similarly to the ransom notes we've grown accustomed to seeing: it provides victims with instructions for contacting the threat actor to facilitate payment of their ransom demands. The ransom notes vary across samples and feature slightly different HTML styling.\r\nIn order to minimize the ability of victims to recover easily from MedusaLocker, the \"vssadmin\" utility built into the Windows operating system is used to delete shadow copies, a technique very commonly used by different ransomware families.\r\nAs previously mentioned, the malware also uses ICMP to perform network-based discovery and identify accessible locations in which additional files can be encrypted. If additional hosts are discovered, the malware uses SMB to enumerate shared data storage locations that the infected system may be able to connect to.\r\nAdditionally, the malware makes use of the Windows registry in an attempt to force an infected system to reconnect to shared network drives to facilitate the encryption of additional data.\r\nOne of the binaries analyzed also contained debug artifacts (shown in the original post, not reproduced in this text).\r\nGiven the network awareness present within MedusaLocker, the amount of damage that a single infected system could do inside of a corporate environment is high.\r\nOne interesting characteristic present across MedusaLocker samples is a static list of mutexes that the malware uses. 
The following hardcoded mutex values were identified during our analysis of a large number of MedusaLocker samples.\r\n{3E5FC7F9-9A51-4367-9063-A120244FBEC7}\r\n{6EDD6D74-C007-4E75-B76A-E5740995E24C}\r\n{8761ABBD-7F85-42EE-B272-A76179687C63}\r\n{E398BEDC-2FD6-4BDE-BFC4-F5633E13B901}\r\nOrganizations may consider leveraging mutex blocklisting as an additional way to protect systems against MedusaLocker infections, as this would effectively block the execution of any application attempting to use these hardcoded values and prevent a successful infection from taking place. Because the names are static across the samples analyzed, they are also a cheap hunting indicator, but a new build that changes them would evade the list, so treat it as a supplement to behavioral detection rather than a replacement for it.\r\nHow to defend against MedusaLocker\r\nTo defend against MedusaLocker, it is important to ensure a well-organized, multi-layered cybersecurity program is in place within your organization.\r\n- Email and spam filters are critical in the case of MedusaLocker, as email is one of the malware distribution vectors commonly abused by attackers.\r\n- Perform regular updates and system hardening, as MedusaLocker attempts to encrypt the contents of SMB shares as well as local storage devices.\r\n- Give employees regular phishing training and conduct regular awareness programs.\r\n- Employ strong password policies and use multi-factor authentication, such as Cisco Duo.\r\n- Ensure updated endpoint security software, such as Cisco AMP for Endpoints, is deployed across your network.\r\nOrganizations should also ensure that they have a robust offline backup and recovery strategy in place before they need it. This strategy should be regularly verified and updated as business requirements change over time to ensure that recovery is possible.\r\nConclusion\r\nOrganizations should be prepared to defend against this and other ransomware attacks. The emergence of \"big game hunting\" has proven that simply having backup and recovery strategies is not enough. 
Organizations should also leverage a robust defense-in-depth strategy to protect their environments from malware such as MedusaLocker. Ransomware developers continue to add functionality that enables them to maximize the damage they can inflict upon corporate networks in an effort to increase the likelihood of receiving a ransom payment from victims. This trend is likely to continue, and organizations should have response and recovery plans in place to ensure that they can resume normal operations following destructive attacks such as this.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors. Exploit Prevention present within AMP is designed to protect customers from unknown attacks such as this automatically.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious websites and detects malware used in these attacks.\r\nCisco AMP users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints are infected with this specific threat. 
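The same endpoint check can be scripted without Orbital. The following PowerShell is an example added here; it is not code from the post and not part of any Cisco product. It probes a single host for the artifacts described above: the four hardcoded mutexes (the post does not say whether they live in the Global namespace, so both forms are tried), scheduled tasks that execute a binary from %APPDATA%\\Roaming on a 15-minute repetition, the EnableLinkedConnections registry value (the Windows setting that shares mapped drives across a split UAC token; that this is the value MedusaLocker changes is an assumption, since the post's text names no key), vssadmin shadow-copy deletions in process-creation events (Security event 4688 only carries the command line when command-line auditing is on), and the HOW_TO_RECOVER_DATA note or .encrypted files from the analyzed sample. The function names are this example's own.

```powershell
# Added example, not code from the Talos post or from any Cisco product.
# Probes one Windows host for the MedusaLocker behaviours described above.
# Run from an elevated PowerShell session; function names are this example's own.

# 1. Hardcoded mutexes listed in the post. Whether the malware creates them in
#    the Global namespace is not stated, so both forms are tried (assumption).
$MedusaMutexes = @(
    '{3E5FC7F9-9A51-4367-9063-A120244FBEC7}',
    '{6EDD6D74-C007-4E75-B76A-E5740995E24C}',
    '{8761ABBD-7F85-42EE-B272-A76179687C63}',
    '{E398BEDC-2FD6-4BDE-BFC4-F5633E13B901}'
)

function Test-MedusaMutex {
    # Returns the listed mutex names that currently exist on this host.
    $found = @()
    foreach ($name in $MedusaMutexes) {
        foreach ($candidate in @($name, ('Global\\' + $name))) {
            try {
                $m = [System.Threading.Mutex]::OpenExisting($candidate)
                $m.Dispose()
                $found += $candidate
            } catch [System.UnauthorizedAccessException] {
                # The object exists but belongs to another security context: still a hit.
                $found += $candidate
            } catch {
                # WaitHandleCannotBeOpenedException: not present, the clean case.
            }
        }
    }
    return $found
}

# 2. Persistence: a task whose action runs from the roaming AppData folder and
#    repeats every 15 minutes (ISO 8601 duration PT15M in the task trigger).
function Get-SuspiciousAppDataTask {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ($action.Execute -and $action.Execute -like '*AppData\\Roaming*') {
                $intervals = @($task.Triggers | ForEach-Object { $_.Repetition.Interval } | Where-Object { $_ })
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    Execute  = $action.Execute
                    Repeats  = ($intervals -join ',')
                    Every15m = ($intervals -contains 'PT15M')
                }
            }
        }
    }
}

# 3. Network-drive remapping. The post says the registry is used to force drives
#    to be remapped; EnableLinkedConnections is the Windows value that shares
#    mapped drives across a split UAC token. That MedusaLocker sets this value is
#    this example's assumption, not a statement in the post.
function Get-LinkedConnectionsSetting {
    $key = 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
    $prop = Get-ItemProperty -Path $key -Name 'EnableLinkedConnections' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'not set' }
    return $prop.EnableLinkedConnections
}

# 4. Shadow-copy deletion: process-creation events (Security 4688, which only
#    carries the command line when command-line auditing is enabled) that
#    invoke vssadmin to delete shadows.
function Get-ShadowDeletionEvent {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '(?i)vssadmin(\\.exe)?\\s+delete\\s+shadows' } |
        Select-Object TimeCreated, Message
}

# 5. Encryption artifacts from the analyzed sample: the HOW_TO_RECOVER_DATA note
#    and the .encrypted extension. Other variants use different names.
function Find-MedusaArtifact {
    param([string]$Root = $env:USERPROFILE)
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like 'HOW_TO_RECOVER_DATA*' -or $_.Extension -eq '.encrypted' }
}

# Summary for the analyst; empty lists are the expected result on a clean host.
[ordered]@{
    Mutexes           = @(Test-MedusaMutex)
    AppDataTasks      = @(Get-SuspiciousAppDataTask)
    LinkedConnections = Get-LinkedConnectionsSetting
    ShadowDeletions   = @(Get-ShadowDeletionEvent)
    Artifacts         = @(Find-MedusaArtifact | Select-Object -First 20 -ExpandProperty FullName)
}
```

On a clean host, Mutexes, AppDataTasks, ShadowDeletions and Artifacts come back empty. A non-zero EnableLinkedConnections is a lead rather than proof, since administrators set it deliberately on some systems, and a mutex hit only shows that the process is running right now, so pair it with the task and artifact checks before deciding the host is infected.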
Email Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention System (NGIPS), Cisco ISR, and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs, whether users are on or off the corporate network.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The following SIDs have been released to detect this threat: 53662-53665.\r\nIndicators of Compromise (IOC)\r\nThe following indicators of compromise have been observed as being associated with MedusaLocker.\r\nFile Hashes (SHA256)\r\n00ebd55a9de1fcdd57550d97463b6bc417184730e3f4646253ba53c4b473b7c0\r\n02f250a3df59dec575f26679ebd25de7c1d5b4d9d08016685f87a3628a393f92\r\n03df9dbf3fa35b88d948935e122a0217228ed7d1d3c892265791b55e38fae24c\r\n03ebe8dc4828536fea08858fdfc3b53237eb514fe8cf6bc7134afb41b22f96a2\r\n0432b4ad0f978dd765ac366f768108b78624dab8704e119181a746115c2bef75\r\n0a82724cfb44769e69d75318b0868cd6de4aa789951362b3e86199e6c7922610\r\n0bad6382f3e3c8bf90f4a141b344154f8f70e31a98f354b8ac813b9fcdaf48f7\r\n0c840606112df18bfa06d58195a0ed43715c56899445d55f55bc3789fde14ed9\r\n124c65d01c6ba01dead43e246ae4c300d7345c8f46ae71ebf101bef5510f35aa\r\n1d1e8e2bd3f8276f629e315b2ac838deaac37f3b61ceb780a58f7db611cf9669\r\n203b947a8d5016b98d5ec565cd0a20038203420b56c9c3ce736529282c7e98ec\r\n21acd48a82d4a0e9d377930220e384bc256eaaaf9457a45553636c9f63ae6731\r\n21c644438a00fb75fabb577076933a99119e9f07e71eaab3f7dc6c629860c4c0\r\n2c64f5f2bde51f7c650078aeee22a4b73e6b859a7327d0e3dd0d88a17e13dbb4\r\n30cd6f1ca0d18d125af409faf1b66d3889a12e2f1b42d3270c2ee904f01fe7f0\r\n316a5895965fdea58de100355ba1b3a14c0515a40156fc7ab64bdb5d14379888\r\n3592c9268f515efe1275760a21046a03a3067872fcb3da7b53477527123c09a7\r\n36baceccfe27fb8b1be3d4f0a9e81b9028640aeedf068d71b3a6d080e698a793\r\n383f9aa52d4d9dddb396ae22b8713ec524f1c122275da3ebd5d69d25685f2800\r\n3a5b015655f3aad4b4fd647aa34fda4ce784d75a20d12a73f8dc0e0d866e7e01\r\n3f7cbfe8c40ec4b599ba7dea95321c377c1d9f08c56c62b6809157f73774bde8\r\n42b17e87923cb88b6ae8f0666f963c15614f89fa560e663a84a056957b74bca1\r\n44cb88c5249de0fe7dbbb9feb782f1d0327301dd6ec31810516bdfa79cc689bb\r\n45031b48fd957c9ff863b805684caceb21caf23f1cffade15915e88bd009c347\r\n45aeaffa5a8e2124e8c35e7a0e8f055fb6bb5ded8a210afd2d7fb30dcfc1f91d\r\n461f427d71d6e2e2320ed5f8e6160d6bee23a98ff929d8d8b7567dcc6118d937\r\n4ccc3a7c6b18db6f7251c447e19e24c9dde30a45e78d283ed367f6f0165c2fb1\r\n4cf090e3ae23ea6cbe76df697bf7143bcc95acfc1521fbe5af77cb5033fae87a\r\n56dea1387925e4e5eb3673c8656ce5366a74d5f105a590ae321ac3b233e12b50\r\n588a40e5d53016b2261e08229943063a71b40f034b998361c075bf7b8d5245fe\r\n590ea5fa2db24715d72c276c59434b38d21678d6dcabb41f0e370f6dc56ab26b\r\n5aa810e4891538670cc0db6274b7276abe84e8ccbbaef1d3b1208b9ad419a9fa\r\n5b7ca58a5439e639951dc045415ad71796d902039b879336c7536e3813cdf8de\r\n5e0587e61d94a40091480a2f5f78621362265b8702b3558a0db536693159865f\r\n613f0384286bf9956143e5cd7f885cc9b2cf30acaab2fe67a891ff26aaa162fc\r\n6b9ca4cbb68f23e164625614d9d074b7bb9e2c5aeb429034ed4d6440594ce64e\r\n6e3b77a1131912156c3f65f3b7e8572bd2e02b8bb7180104e8bf36e2e1451d43\r\n6eeb8de811f707ec3b77e212d415f0d79dca77b564d7738ae36612c457f451cc\r\n72f9d83c7852f2247e24113cb379fff71c06f095910726ea79479f16aac6070f\r\n7b7cce10967d657b7ad0a66270dfee7000dac8aca2e39199c9713a4ee42279c2\r\n7dc751629d80ebbcb18fc08ab90c8503825898a591f2c9fbb0d0145173c646f9\r\n85361265e3f97a280fd2950b49023f8cfcb204a55bedf8ba467f078a6e3c45e0\r\n897737252ce8e474774548b99c9bb5fc52484fe51df8e5d87945186adf7a5dd5\r\n8b80a84b2a0a5a5f9670a951492749c3798c9f4d41589872224d57d41913fb46\r\n8c2dce63957579f99a0e8c71755bd8a69298a4621d7b8984b06b69ed874f8d26\r\n959c650e9b8e2b003d81e042de8f4f81c7671437124d74136d5ec26f32a72437\r\n989408f2692a10b011471fbbdf55d9ccc8e438308393b35736fe02b45ec8c34c\r\na0ff2c622c32e05aef8e7fb2e36b693aecc8cc04e049d3b47c0e0cb50d3ab575\r\na6cc8bd23bbafd0b356404eb24b50236815a03abdfcf8d280dbedd5c45bf6282\r\na9787581be4c667438a07a060137d6a83abcc2d1e33eef1086622dece56bb48f\r\na9ce91a9a1bcbe2cd2ec023cdf2f302c8ac4f6bfe04e83a9c4edd1c47b53618e\r\nb561a5d5bb5cf659f7f23fd833244a61031bc5c5e69972b22f4ff5c495a44203\r\nb6214517043d1b0bc41f9754f851a905c5ac4af30e30a7c0725a93bfcc063374\r\nbb4d0f67360858a27da21d79bf93b5c628045883712c3c2e10917bebf6771c44\r\nc01323aae6c62466bda8e6347e64266c725e6a754b06d4fc4aad1c323d3e21ed\r\nc632ce1dc34111c66efb817f608bf3b547fc9df5fed478d736b4c53a41ba193e\r\nc7ba33d4ef49b5dd0e6ad4a17bb04733db4832c5ef6bc07da51a0a4ffd7d831f\r\nc7e71eb5d99cb54f83d3617682805bdf2991cb8fd0b4d34ecc0cf7624aaed6c8\r\nd0d8628b44da07aaac7d2bc0287897b2abaeaaeded1d62cdebb6b71078d82e3e\r\nd6223b02155d8a84bf1b31ed463092a8d0e3e3cdb5d15a72b5638e69b67c05b7\r\ndb11260b9eff22f397c4eb6e2f50d02545dbb7440046c6f12dbc68e0f32d57ce\r\nddb4776992155b9c5a26b47b53df2fed780c67b45eca5cbdf573e0dc3c20c371\r\nddca9b2f9b4c20faad500e19ba74c8d478c5be02596e9b1ff5a26ef4396bcd59\r\ndde3c98b6a370fb8d1785f3134a76cb465cd663db20dffe011da57a4de37aa95\r\ne2148660af56e9fde27e26ae3db205ca2d68ef1caf968e21f498fa94d8b56ef9\r\ne71a4e701874c1a8e6bbdda79038b08b2fd36015a575fe167632eb629060b416\r\ne86234c97b85a388f5df0a4900c1902f402210a9f73c26c3f856e25ae61bb80f\r\nea4285821c6292cc0ac5b740d3bc77484858432e29843a729434d48248793d82\r\nf31b9f121c6c4fadaa44b804ec2a891c71b20439d043ea789b77873fa3ab0abb\r\nf7fac370ff01836fd82e68a9b95372f612785087821ebd8fb89fe1dcf7122b22\r\nfda65c171b36dbeb6eee6912ce85da045d06f780bf74a1000c57f0c6fb8ad415\r\nSource: https://blog.talosintelligence.com/2020/04/medusalocker.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2020/04/medusalocker.html"
	],
	"report_names": [
		"medusalocker.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434214,
	"ts_updated_at": 1775791289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/73a3b440c7a5bc261f1f319f52d19c03151de3f6.pdf",
		"text": "https://archive.orkl.eu/73a3b440c7a5bc261f1f319f52d19c03151de3f6.txt",
		"img": "https://archive.orkl.eu/73a3b440c7a5bc261f1f319f52d19c03151de3f6.jpg"
	}
}