{
	"id": "d6ddb218-7c7f-4f5c-a141-59a2a7a12978",
	"created_at": "2026-04-06T00:14:18.135746Z",
	"updated_at": "2026-04-10T13:12:58.234958Z",
	"deleted_at": null,
	"sha1_hash": "8ebdc79e5eae0d27884c16db42c018d9e9aa3e13",
	"title": "Technical Analysis of MedusaLocker Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 389960,
	"plain_text": "Technical Analysis of MedusaLocker Ransomware\r\nPublished: 2025-08-21 · Archived: 2026-04-05 22:02:04 UTC\r\nAuthor: Anandeshwar Unnikrishnan\r\nEditor: Bablu Kumar\r\nResearch indicates that although the average cost of a ransomware breach declined slightly, from USD 4.62 million in 2021 to USD 4.54 million, ransomware is still responsible for 11% of breaches. The most targeted sectors (about 57% of incidents) are government, technology, healthcare, and academic institutions.\r\nMedusaLocker is a ransomware family that appeared in September 2019 and was quickly used in attacks on companies all over the world, with a particular focus on hospitals and other organizations in the healthcare industry. It is not related to the Medusa ransomware family, which shares only the name.\r\nThis technical report is inspired by the CISA Cybersecurity Advisory on MedusaLocker and provides an in-depth analysis of the malware: its privilege escalation, anti-detection, network scanning, and encryption techniques.\r\nModus Operandi\r\nMedusaLocker predominantly gains initial access through vulnerable or exposed Remote Desktop Protocol (RDP) configurations, rather than through a flaw in the protocol itself.\r\nThe victim’s data is encrypted, and a ransom note with communication instructions is dropped in every folder that contains an encrypted file.\r\nVictims are given a specific Bitcoin wallet address for the ransom payment.\r\nMedusaLocker appears to operate under a Ransomware-as-a-Service (RaaS) model.\r\nTechnical Summary\r\nThe ransomware performs a UAC bypass (privilege escalation) so that it runs with administrative rights.\r\nUser data is encrypted with AES, and the AES key is protected with RSA encryption.\r\nA scheduled task is created to run the locker every 15 minutes.\r\nThe ransomware enumerates and terminates specific processes running on the target system.\r\n
Some services are stopped and deleted to ensure smooth execution.\r\nNetwork reconnaissance can also be conducted via an ICMP ping sweep to identify reachable hosts.\r\nThe ransomware can lock files both on the local system and on network-connected systems.\r\nTechnical Analysis\r\nStage I – Pre-Encryption Operations\r\nhttps://cloudsek.com/technical-analysis-of-medusalocker-ransomware/\r\nPage 1 of 13\n\nMedusaLocker begins execution by retrieving the victim’s locale information, such as the region and language set by the user.\r\nMutex Creation\r\nA mutex is created to ensure that multiple instances of the malware do not run on the compromised system at the same time.\r\nProcess of mutex creation\r\nAfter the mutex check, the malware checks whether it is already running elevated: it opens its own process token and calls advapi32!GetTokenInformation with TokenElevation (a member of the TOKEN_INFORMATION_CLASS enumeration), which fills a TOKEN_ELEVATION structure whose TokenIsElevated field is non-zero for an elevated, high-integrity token. This tells the malware whether it already has an administrator context.\r\nPrivilege Escalation\r\nPreparing for privilege escalation\r\nIf the malware is not running with elevated privileges, it performs a UAC bypass through the CMSTPLUA COM interface: the CMSTPLUA COM class is auto-elevated, and its ICMLuaUtil interface exposes a ShellExec method that launches a program with an elevated token, so a medium-integrity process can relaunch itself as administrator without a consent prompt at the default UAC level.\r\n
A UAC (User Account Control) bypass is an overused and very common step in ransomware: it moves the malware from a medium-integrity to a high-integrity process and thus gives it administrative privileges on the target system. Note that a UAC bypass only works when the current user is already a member of the local Administrators group and is running under the filtered (non-elevated) token; it does not elevate a standard user, which is why day-to-day accounts without local administrator membership remove this step entirely.\r\nAfter elevating, the malware disables two UAC settings through the registry, EnableLUA and ConsentPromptBehaviorAdmin, both DWORD values under HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System. ConsentPromptBehaviorAdmin = 0 makes administrators elevate without any prompt, and EnableLUA = 0 turns UAC off entirely once the system is rebooted, so later instances of the locker (for example the scheduled task created below) run elevated silently. Both values are ordinary Windows settings rather than MedusaLocker-specific artifacts, so a change to either of them by anything other than an administrative tool should be treated as suspicious.\r\nDisabling the two features via registry\r\nA new registry key named “MDSLK” is created on the victim system (other public analyses place it under HKCU\\SOFTWARE). This key is one of the clearest host indicators of MedusaLocker.\r\nCreation of new registry key “MDSLK”\r\nCryptographic Initialization\r\nMedusaLocker uses a hybrid scheme in its locking operation. The Advanced Encryption Standard (AES), a symmetric block cipher, encrypts the file contents, and RSA, a public-key cryptosystem, protects the AES key.\r\nThe user data is encrypted with AES, and the AES key is encrypted with an RSA public key carried by the sample; the matching private key stays with the attackers, so the AES key, and therefore the data, cannot be recovered from the victim system alone. Recovery depends on offline backups, not on reversing the encryption.\r\nInitialization of cryptographic context for RSA by the malware\r\nInitialization of cryptographic context for AES by the malware\r\nPersistence\r\nMedusaLocker copies itself into the user’s %APPDATA% folder as svhost.exe. The name is a deliberate lookalike of the legitimate svchost.exe, which lives only in %SystemRoot%\\System32, so any svhost.exe anywhere, or any svchost.exe outside System32, is a strong indicator. The AppData folder contains custom settings and other information that applications need for their operation.\r\n
AppData is a hidden folder that holds application settings, files, and data unique to each application, together with the data specific to the user profile; it is writable by the user, so the copy can be dropped there without touching system directories.\r\nThen, by instantiating the COM Task Scheduler class 0f87369f-a4e5-4cfc-bd3e-73e6154572dd, a scheduled task is created on the target system that executes the malware every 15 minutes.\r\nCopying malware to the APPDATA folder and creating a scheduled job\r\nThe rclsid argument of CoCreateInstance identifies the COM class the malware instantiates. In this case the value 0f87369f-a4e5-4cfc-bd3e-73e6154572dd is CLSID_TaskScheduler, implemented by C:\\Windows\\System32\\taskschd.dll, which confirms that the malware registers the task through the Task Scheduler COM API rather than by running schtasks.exe. A process-creation rule on schtasks.exe will therefore not see it; the task has to be caught through the Task Scheduler itself (Security event 4698, task created, if object-access auditing is enabled) or through file creation under C:\\Windows\\System32\\Tasks, where the task definition is written.\r\nMalware targeting the task scheduler class\r\nDevice and Volume Enumeration\r\nA volume, or logical drive, is a single accessible storage area with a single file system, usually resident on a single partition of a hard disk. Before the encryption process, MedusaLocker enumerates the local volumes and the attached network shares on the target system. On further investigation of the code, the following APIs were found to be used for this enumeration:\r\nGetLogicalDrives\r\nWNetGetConnectionW\r\nFindFirstVolumeW\r\nQueryDosDeviceW\r\nFindNextVolumeW\r\nThe malware also targets the System Reserved partition, which normally has no drive letter, by assigning it a mount point via SetVolumeMountPointW.\r\n
During the locking phase the data on the reserved partition is encrypted as well, to hinder recovery.\r\nMalware targeting the SystemReserved partition\r\nService and Process Termination\r\nAfter volume enumeration and mounting of the reserved partition, MedusaLocker terminates a list of processes and deletes system services. The targets are mostly database, backup, and security products that would otherwise hold files open (so they could not be encrypted) or interfere with the locker. The list below contains the services targeted by MedusaLocker, reproduced as found in the sample, including duplicated and misspelled entries.\r\nServices to be Terminated\r\nwrapper\r\nDefWatch\r\nccEvtMgr\r\nccSetMgr\r\nSavRoam\r\nsqlservr\r\nsqlagent\r\nsqladhlp\r\nCulserver\r\nRTVscan\r\nsqlbrowser\r\nSQLADHLP\r\nQBIDPService\r\nIntuit.QuickBooks.FCS\r\nQBCFMonitorService\r\nsqlwriter\r\nmsmdsrv\r\nSQLADHLP\r\ntomcat6\r\nzhudongfangyu\r\nvmware-usbarbitator64\r\nvmware-converter\r\ndbsrv12\r\ndbeng8\r\nThe malware opens each service in the list via the OpenServiceW API and queries its state via QueryServiceStatusEx. If the state is SERVICE_STOP_PENDING, the malware sleeps until the next state change.\r\nLocker waits for a state change\r\nOnce the state changes, MedusaLocker stops the service by sending it a SERVICE_CONTROL_STOP control code through ControlService.\r\nSending a SERVICE_CONTROL_STOP control signal\r\nAfter stopping the service, the malware deletes it as well with DeleteService, so the service cannot simply be restarted after the attack; it has to be reinstalled.\r\nLocker deletes services after stopping it\r\nThe locker takes a snapshot of the active processes on the system and walks through the list via the CreateToolhelp32Snapshot, Process32FirstW, and Process32NextW APIs, comparing each process name against its target list.\r\n
If a match is found, the process is terminated via the TerminateProcess API.\r\nCode for terminating processes\r\nThe list below contains the running processes targeted by MedusaLocker, reproduced as found in the sample.\r\nRunning Processes Being Targeted\r\nwxServer.exe\r\nwxServerView\r\nsqlservr.exe\r\nsqlmangr.exe\r\nRAgui.exe\r\nsupervise.exe\r\nCulture.exe\r\nRTVscan.exe\r\nDefwatch.exe\r\nsqlbrowser.exe\r\nwinword.exe\r\nQBW32.exe\r\nQBDBMgr.exe\r\nqbupdate.exe\r\nQBCFMonitorService.exe\r\naxlbridge.exe\r\nQBIDPService.exe\r\nhttpd.exe\r\nfdlauncher.exe\r\nMsDtSrvr.exe\r\ntomcat6.exe\r\njava.exe\r\n360se.exe\r\n360doctor.exe\r\nwdswfsafe.exe\r\nfdlauncher.exe\r\nfdhost.exe\r\nGDscan.exe\r\nZhuDongFangYu.exe\r\nRecovery and Backup Removal\r\nOnce the processes and services have been dealt with, the malware removes backups and neutralizes the built-in recovery mechanisms before encrypting data.\r\nPreparing for backups removal and neutralizing recovery mechanisms\r\nTo execute the command strings shown above, a new process is created with the string passed as its command line. The strings themselves are visible only in the screenshot; the CISA advisory on MedusaLocker describes the same stage as deletion of shadow copies (vssadmin, wmic shadowcopy), deletion of Windows system-state backups (wbadmin), and bcdedit changes that disable startup recovery, so process-creation logging of those four utilities, with the parent process recorded, is the most reliable detection for this step.\r\nCreation of a new process to execute the commands\r\nThe malware then empties the Recycle Bin.\r\nMalware clearing the recycle bin\r\nNetwork Scan\r\nMedusaLocker sets the EnableLinkedConnections registry value (under HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System) to 1 so that the network drives mapped in the user’s normal, medium-integrity logon session are also visible from the elevated process. By default the two tokens of one logon keep separate drive mappings, so without this change an elevated locker would not see the shares the user has mapped. With the setting in place, the locker goes on to sweep the network with ICMP and to enumerate shares with NetShareEnum, as described next.\r\n
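The Stage I indicators described above (the two UAC registry values, the MDSLK key, the svhost.exe drop and its scheduled task, the backup-removal commands, and the EnableLinkedConnections change) can be combined into one host-level detection. The following is an added example written for this report, not code from the original analysis or from the malware. It runs the rules over a constructed set of Sysmon-style records (event IDs 1, 11, 12 and 13, with the fields reduced to image, target, details and cmdline). The sample events, the HKCU placement of MDSLK, the user SID, and the command-line patterns (modelled on the commands listed in CISA advisory AA22-181A, because this page shows them only as a screenshot) are all assumptions of the example.

```python
import re

# Registry values MedusaLocker changes (see the UAC and Network Scan sections):
# the two UAC settings it zeroes and the linked-connections switch it enables.
POLICY_KEY = 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
REGISTRY_RULES = {
    POLICY_KEY + '\\EnableLUA': (0, 'UAC disabled (EnableLUA=0)'),
    POLICY_KEY + '\\ConsentPromptBehaviorAdmin': (0, 'silent admin elevation (ConsentPromptBehaviorAdmin=0)'),
    POLICY_KEY + '\\EnableLinkedConnections': (1, 'mapped drives exposed to the elevated token'),
}
MARKER_KEY = 'MDSLK'  # assum­ed to sit under the SOFTWARE key of the user hive, as public reports place it

# Recovery-removal command lines. The page shows them only as a screenshot, so these
# patterns follow the commands listed in CISA advisory AA22-181A (an assumption here).
RECOVERY_PATTERNS = [
    re.compile('vssadmin([.]exe)?\\s+delete\\s+shadows', re.I),
    re.compile('wmic([.]exe)?\\s+shadowcopy', re.I),
    re.compile('wbadmin([.]exe)?\\s+delete\\s+systemstatebackup', re.I),
    re.compile('bcdedit([.]exe)?\\s.*(recoveryenabled\\s+no|bootstatuspolicy\\s+ignoreallfailures)', re.I),
]

def registry_dword(details):
    # Sysmon renders DWORD values as 'DWORD (0x00000000)'; return the integer, or None.
    m = re.search('0x([0-9a-fA-F]+)', details or '')
    return int(m.group(1), 16) if m else None

def analyze(events):
    # One finding per event that matches a MedusaLocker Stage I behaviour.
    findings = []
    for ev in events:
        kind, target = ev['id'], ev.get('target', '')
        low = target.lower()
        if kind == 13 and target in REGISTRY_RULES:
            want, why = REGISTRY_RULES[target]
            if registry_dword(ev.get('details')) == want:
                findings.append(('uac_tamper', why, ev['image']))
        elif kind == 12 and target.upper().endswith('\\SOFTWARE\\' + MARKER_KEY):
            findings.append(('mdslk_marker', target, ev['image']))
        elif kind == 11 and low.endswith('\\svhost.exe') and '\\appdata\\' in low:
            findings.append(('svhost_drop', target, ev['image']))
        elif kind == 11 and '\\windows\\system32\\tasks\\' in low:
            findings.append(('task_registered', target, ev['image']))
        elif kind == 1 and any(p.search(ev.get('cmdline', '')) for p in RECOVERY_PATTERNS):
            findings.append(('recovery_removal', ev['cmdline'], ev['image']))
    return findings

def triage(events):
    # Count findings per indicator type; the more distinct types fire together, the
    # stronger the case that this is the MedusaLocker chain and not one stray admin action.
    counts = {}
    for kind, _detail, _image in analyze(events):
        counts[kind] = counts.get(kind, 0) + 1
    return {'counts': counts, 'distinct_indicators': len(counts)}

DROPPER = 'C:\\Users\\alice\\AppData\\Roaming\\svhost.exe'
SAMPLE_EVENTS = [  # constructed records, not from a real infection
    {'id': 13, 'image': DROPPER, 'target': POLICY_KEY + '\\EnableLUA', 'details': 'DWORD (0x00000000)'},
    {'id': 13, 'image': DROPPER, 'target': POLICY_KEY + '\\ConsentPromptBehaviorAdmin', 'details': 'DWORD (0x00000000)'},
    {'id': 12, 'image': DROPPER, 'target': 'HKU\\S-1-5-21-1\\SOFTWARE\\MDSLK', 'details': 'CreateKey'},
    {'id': 11, 'image': 'C:\\Users\\alice\\Downloads\\invoice.exe', 'target': DROPPER},
    {'id': 11, 'image': 'C:\\Windows\\System32\\svchost.exe', 'target': 'C:\\Windows\\System32\\Tasks\\svhost'},
    {'id': 1, 'image': 'C:\\Windows\\System32\\vssadmin.exe', 'cmdline': 'vssadmin.exe Delete Shadows /All /Quiet'},
    {'id': 1, 'image': 'C:\\Windows\\System32\\bcdedit.exe', 'cmdline': 'bcdedit /set {default} recoveryenabled No'},
    {'id': 13, 'image': DROPPER, 'target': POLICY_KEY + '\\EnableLinkedConnections', 'details': 'DWORD (0x00000001)'},
    {'id': 1, 'image': 'C:\\Windows\\System32\\cmd.exe', 'cmdline': 'cmd /c dir'},
    {'id': 13, 'image': 'C:\\Windows\\regedit.exe', 'target': POLICY_KEY + '\\EnableLUA', 'details': 'DWORD (0x00000001)'},
]

if __name__ == '__main__':
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
    print(triage(SAMPLE_EVENTS))
```

The last two sample records are deliberate negatives: an ordinary cmd.exe launch and an administrator setting EnableLUA back to 1 produce no finding, so the rules key on the direction of the change, not merely on the value being touched. The task-registration rule watches the Tasks folder rather than schtasks.exe because, as noted above, the locker registers its task through the Task Scheduler COM interface.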
Locker preparing to make the remote shares accessible\r\nThe ransomware crafts ICMP echo request packets itself and sends them across the network to discover which hosts are alive; each host that answers becomes a candidate for share enumeration.\r\nCode for implementing the ICMP scan to enumerate the connected hosts in the network.\r\nAfter the sweep, MedusaLocker calls the NetShareEnum API against the responding hosts to list the resources each one shares. The call is made with the credentials of the compromised session, so the locker reaches exactly the shares that account can reach. This is how the malware spreads its encryption to resources connected to the compromised network.\r\nCode for infecting resources connected to the compromised network\r\nThe locker then follows separate control flows for locking user data on the local system and on the network-connected hosts it has discovered.\r\n
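The ICMP sweep above, as an added example that is not part of the original analysis or of the malware: it builds the same kind of echo request the locker crafts (type 8, code 0, with the RFC 1071 checksum), lists the hosts that a /24 sweep would probe, and, on the defensive side, flags a ping sweep in constructed flow records when one source sends echo requests to many distinct hosts inside a short window. Nothing is sent on the wire; the addresses, the flow records and the threshold of eight hosts in five seconds are assumptions to be tuned per network.

```python
import ipaddress
import struct
from collections import defaultdict

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0

def inet_checksum(data):
    # RFC 1071: ones-complement sum of 16-bit big-endian words; odd lengths are zero-padded.
    if len(data) % 2:
        data = data + bytes(1)
    total = sum(word for (word,) in struct.iter_unpack('!H', data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo_request(ident, seq, payload):
    # Type 8, code 0; the checksum covers the header (with a zero checksum field) plus payload.
    header = struct.pack('!BBHHH', ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack('!BBHHH', ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload

def verify_checksum(packet):
    # A packet with a correct checksum sums to 0xFFFF, so its complement is zero.
    return inet_checksum(packet) == 0

def sweep_targets(cidr):
    # Every usable host address the locker would probe on the given network.
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]

def detect_ping_sweep(events, min_targets=8, window=5.0):
    # events: (timestamp_seconds, src_ip, dst_ip, icmp_type). Alert on any source that
    # sends echo requests to at least min_targets distinct hosts within one window.
    probes = defaultdict(list)
    for ts, src, dst, itype in sorted(events):
        if itype == ICMP_ECHO_REQUEST:
            probes[src].append((ts, dst))
    alerts = {}
    for src, probe_list in probes.items():
        start = 0
        for end in range(len(probe_list)):
            while probe_list[end][0] - probe_list[start][0] > window:
                start += 1
            targets = {dst for _, dst in probe_list[start:end + 1]}
            if len(targets) >= min_targets:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts

SAMPLE_FLOW = (  # constructed records: one host sweeping a /24, plus benign background traffic
    [(100.0 + i * 0.05, '10.0.0.23', '10.0.0.%d' % (i + 1), ICMP_ECHO_REQUEST) for i in range(30)]
    + [(100.0 + i * 0.05 + 0.01, '10.0.0.%d' % (i + 1), '10.0.0.23', ICMP_ECHO_REPLY) for i in (4, 9, 17)]
    + [(130.0, '10.0.0.5', '8.8.8.8', ICMP_ECHO_REQUEST), (190.0, '10.0.0.5', '8.8.8.8', ICMP_ECHO_REQUEST)]
)

if __name__ == '__main__':
    pkt = build_echo_request(0x1234, 1, b'MedusaLocker-probe')
    print(pkt.hex(), verify_checksum(pkt))
    print(len(sweep_targets('10.0.0.0/24')), 'hosts would be probed')
    print(detect_ping_sweep(SAMPLE_FLOW))
```

Only echo requests count toward the sweep; the replies from the three hosts that answered are ignored, and a host pinging one external address repeatedly never crosses the distinct-target threshold. On a real sensor the same logic runs over NetFlow or firewall logs, where an elevated locker sweeping a /24 in a second or two stands out sharply against normal ICMP volumes.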
Stage II – Encryption and Locking\r\nThe encryption routine (sub_5258E0) is the same for local and network targets.\r\nMalware’s control flow for encryption and locking\r\nThe encryption routine is implemented as follows:\r\nThe ransomware creates a new output file via the CreateFileW API.\r\nThe helper sub_535840 performs the encryption and writes the ciphertext into the newly created file.\r\nThe MoveFileExW API is used to rename the file, appending the “.marlock11” extension.\r\nTwo practical consequences follow. The extension is specific to this build (other MedusaLocker samples use different extensions), so a detection keyed on “.marlock11” alone will miss them; a rule on a burst of renames to one new extension, or on the ransom note appearing in many folders, generalizes better. And because the ciphertext is written to a new file rather than over the original in place, if the original is only deleted afterwards its clusters remain on disk until they are reused, which makes an early forensic image worth taking.\r\nCode for the implementation of the encryption routine\r\nIndicators of Compromise (IoCs)\r\nExecutable Hashes (SHA-256)\r\n634d84758d8d922bbfb0ad3c904c38fc7989f11503877acf02ad5dad3775df7a\r\nc41926a4e667a38bd712cd8fff2c555c51d7f719a949c9be8c1f74232100444b\r\n98c9e56cba271bf7b32fc17d7966d067d9b549594f8dc60c941f93346e376c00\r\n8939141fb565c044895627bbeb522d840d24899dec53545e4a925012dbf83230\r\nec2ec1c316045d5e2e43cc0f1df738e6367b520310a4b7a644717d3aebda43f4\r\n6c51f28a6ab35c91e789a4b1a05032c87a3f03006019ba4997dc092ad1c8a625\r\ncb12325d13acb03ad4f9977f426baf8b4688af04d4ffe23aa5f1bbd747a147c0\r\nfbe10da8d483a0db6686b1f03f18b00dbc60c69fb9a9f4a941764c2c3426367c\r\nf1c361bb3b649918bc5b3ad3fc5cbd1bbd7c585fbe2557410e267d161d3bb998\r\n465ab4311a7db9f0bc10921cf6a0da7a746c4023dd78fdcec1c253eee69e5b9d\r\nb15840fb0547fc774f371166adb89cd7a58647d4e379256a2f9806dd5a338627\r\n99a72b56725196298391f3d52b8536b018aa8b60d97c443161e912430079ed30\r\n19e31469f150f69bda363c8a3454113236620aa44155dbe845e7689522724b0b\r\nc79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4\r\n58a0db1ae0d7d8c5cb5db5e5a24fd1088b8029a4e51c02e7b77d400c17bcb39a\r\n66a13e8102f809e23e0ad0ba88ced5eecfa319797c9f709d090994a7143d858a\r\na3fe92224060ec183a25296999c18d4f86149649f1a701ac91b04d73e8678495\r\ndbac4f2fffcb4e09aad772895647e8f161b1ac713592fe47c5e8207c85722f13\r\nSource: https://cloudsek.com/technical-analysis-of-medusalocker-ransomware/\r\n
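The hashes above, together with the encryption extension from Stage II and the svhost.exe lookalike from the Persistence section, can be swept over a file system. The following is an added example written for this report, not code from the original analysis or from the malware: it walks a directory tree, hashes executables against the IoC list, reports files carrying the .marlock11 extension and the folders affected, and flags svhost.exe anywhere or svchost.exe outside System32. The tree it runs on is constructed in a temporary folder so that the example runs offline; in use, point sweep() at a mounted image or a live root.

```python
import hashlib
import os
import shutil
import tempfile

# SHA-256 hashes of MedusaLocker executables from the IoC list above.
IOC_SHA256 = {
    '634d84758d8d922bbfb0ad3c904c38fc7989f11503877acf02ad5dad3775df7a',
    'c41926a4e667a38bd712cd8fff2c555c51d7f719a949c9be8c1f74232100444b',
    '98c9e56cba271bf7b32fc17d7966d067d9b549594f8dc60c941f93346e376c00',
    '8939141fb565c044895627bbeb522d840d24899dec53545e4a925012dbf83230',
    'ec2ec1c316045d5e2e43cc0f1df738e6367b520310a4b7a644717d3aebda43f4',
    '6c51f28a6ab35c91e789a4b1a05032c87a3f03006019ba4997dc092ad1c8a625',
    'cb12325d13acb03ad4f9977f426baf8b4688af04d4ffe23aa5f1bbd747a147c0',
    'fbe10da8d483a0db6686b1f03f18b00dbc60c69fb9a9f4a941764c2c3426367c',
    'f1c361bb3b649918bc5b3ad3fc5cbd1bbd7c585fbe2557410e267d161d3bb998',
    '465ab4311a7db9f0bc10921cf6a0da7a746c4023dd78fdcec1c253eee69e5b9d',
    'b15840fb0547fc774f371166adb89cd7a58647d4e379256a2f9806dd5a338627',
    '99a72b56725196298391f3d52b8536b018aa8b60d97c443161e912430079ed30',
    '19e31469f150f69bda363c8a3454113236620aa44155dbe845e7689522724b0b',
    'c79c6b680a2caa71b3ad052f60ce6da463eb576b8196bb3bbdccd003853769d4',
    '58a0db1ae0d7d8c5cb5db5e5a24fd1088b8029a4e51c02e7b77d400c17bcb39a',
    '66a13e8102f809e23e0ad0ba88ced5eecfa319797c9f709d090994a7143d858a',
    'a3fe92224060ec183a25296999c18d4f86149649f1a701ac91b04d73e8678495',
    'dbac4f2fffcb4e09aad772895647e8f161b1ac713592fe47c5e8207c85722f13',
}
ENCRYPTED_EXT = '.marlock11'   # this build only; other samples use other extensions
HASHED_EXTS = ('.exe', '.dll')

def sha256_file(path, chunk=1 << 20):
    # Stream the file so that large binaries do not have to fit in memory.
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()

def is_lookalike_svchost(path):
    # svhost.exe (missing c) is never legitimate; svchost.exe is legitimate only in System32.
    parts = [p.lower() for p in path.replace('\\', '/').split('/')]
    name = parts[-1]
    return name == 'svhost.exe' or (name == 'svchost.exe' and 'system32' not in parts)

def sweep(root):
    report = {'hash_hits': [], 'lookalikes': [], 'encrypted': [], 'affected_dirs': set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                report['encrypted'].append(path)
                report['affected_dirs'].add(dirpath)
                continue
            if is_lookalike_svchost(path):
                report['lookalikes'].append(path)
            if lower.endswith(HASHED_EXTS) and sha256_file(path) in IOC_SHA256:
                report['hash_hits'].append(path)
    return report

def build_demo_tree():
    # Constructed sample tree (not from a real infection) so the sweep runs offline.
    root = tempfile.mkdtemp(prefix='mdslk_triage_')
    layout = {
        'Users/alice/Documents/budget.xlsx.marlock11': b'ciphertext',
        'Users/alice/Documents/notes.txt': b'plaintext',
        'Users/alice/AppData/Roaming/svhost.exe': b'MZ dropped copy',
        'Users/alice/Downloads/svchost.exe': b'MZ lookalike',
        'Windows/System32/svchost.exe': b'MZ legitimate location',
        'selfcheck.bin': b'abc',
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as f:
            f.write(data)
    return root

def run_demo():
    root = build_demo_tree()
    try:
        report = sweep(root)
        def rel(p):
            return os.path.relpath(p, root).replace(os.sep, '/')
        return {
            'hash_hits': len(report['hash_hits']),
            'lookalikes': sorted(rel(p) for p in report['lookalikes']),
            'encrypted': sorted(rel(p) for p in report['encrypted']),
            'affected_dirs': len(report['affected_dirs']),
            'selfcheck': sha256_file(os.path.join(root, 'selfcheck.bin')),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == '__main__':
    print(run_demo())
```

The constructed files naturally produce no hash hit (their contents are placeholders), which is the expected outcome of a hash sweep on most hosts; the extension and lookalike checks are what will usually fire first, and the count of affected directories gives a quick estimate of the blast radius before any individual file is examined.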
",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cloudsek.com/technical-analysis-of-medusalocker-ransomware/"
	],
	"report_names": [
		"technical-analysis-of-medusalocker-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434458,
	"ts_updated_at": 1775826778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8ebdc79e5eae0d27884c16db42c018d9e9aa3e13.pdf",
		"text": "https://archive.orkl.eu/8ebdc79e5eae0d27884c16db42c018d9e9aa3e13.txt",
		"img": "https://archive.orkl.eu/8ebdc79e5eae0d27884c16db42c018d9e9aa3e13.jpg"
	}
}