{
	"id": "d3210c27-66b7-46f4-8491-e12ab77a59b0",
	"created_at": "2026-04-06T00:10:15.433385Z",
	"updated_at": "2026-04-10T03:21:05.916618Z",
	"deleted_at": null,
	"sha1_hash": "a826de6df04c8190adde7d831f47b2538a87e3d8",
	"title": "Part 3: Analysing MedusaLocker ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68204,
	"plain_text": "Part 3: Analysing MedusaLocker ransomware\r\nBy Theta\r\nArchived: 2026-04-05 18:04:41 UTC\r\nWe have mapped the TTPs of this adversary to the MITRE ATT\u0026CK framework as a heatmap of activity. We can\r\nsee that this adversary used a limited, but powerful, selection of TTPs.\r\nUnfortunately, we’re seeing the same TTPs being used over and over again for ransomware attacks, even if the\r\ninitial access or lateral movement exploits vary.\r\nWe keep getting asked by customers to “tell us what we don’t know about our vulnerabilities”. While the use of\r\ntraditional defensive frameworks like ISO 27001, NIST or PCI serves a compliance function, thinking like an\r\nattacker can rapidly highlight blind spots in your environment.\r\nPhishing attacks are a nuisance but largely a means to an end for adversaries and won’t put you out of business on\r\ntheir own. A ransomware attack will cost you reputation, money and customers.\r\nNever mind encrypting user workstations or file shares - destroying ERP and EDI systems (as happened here) will\r\nleave an organisation completely unable to trade and haemorrhaging money. That’s not counting the cost of\r\nrestoring business systems, which is incredibly labour-intensive, let alone the underlying IT infrastructure and the\r\nother parts of the Incident Response process, or the intangibles like the reputational damage.\r\nWithout enough cash reserves or insurance coverage, there’s a real chance of even a medium-sized business ending\r\nup underwater depending on time-to-recovery and the bill at the end. You might be tempted to just pay the ransom\r\n– but this isn’t a great option either as there’s no guarantee you’ll get what you paid for. You still need to run\r\nthrough the IR (Incident Response) process to find the intruders and kick them out of your network.\r\nWe should also pause and take note of the human cost of these operations – they are brutal. 
The toll they take on\r\nthose who suffer them is worse than intelligence-motivated intrusions where “damage” is a more abstract concept.\r\nThere is often a massive time crunch to restore systems at the expense of a well-planned incident response process.\r\nSeveral additional folders and files were deployed by the actor.\r\nThe following 4 deleted files could be recovered from the filesystem of the server with timestamps and\r\nother metadata suggesting they are associated with the actor. The purpose of these is not immediately clear, so\r\nthey are not placed into this timeline.\r\nEXPORT.EXE (35K) SHA256: c945efb7f7c77cda9e54962b707268da57532ccd89253f0ccc98911cae7b3d77\r\nPCC.EXE (512K) SHA256: ef05323d278d60b3573c8d5b3bffd3a356eb4b8490c759ad71706e3e2eb9e470\r\nPUZZLE.EXE (17K) SHA256: aa49a4459cfd27cf4be40f8fa3bdabc198b93cb57f215aa61b28838af4b59005\r\nhttps://www.theta.co.nz/news-blogs/cyber-security-blog/part-3-analysing-medusalocker-ransomware/\r\nPage 1 of 9\n\nDespite the naming convention, they are not directly executable and appear to be obscured, with high entropy\r\nvalues (\u003e 7.99).\r\n_backup.bat (SHA256: 465A1ACD9BE9B7BA027F34DFDF07C7A0ACEA6723F9D38A4E4CB920DC05425878)\r\nNetworkShare_pre2.exe (SHA256: 47E3555461472F23AB4766E4D5B6F6FD260E335A6ABC31B860E569A720A5446)\r\n \r\n{\r\n\"name\": \"Medusa Locker TTPs - June 2020 \",\r\n\"version\": \"2.2\",\r\n\"domain\": \"mitre-enterprise\",\r\n\"description\": \"\",\r\n\"filters\": {\r\n\"stages\": [\r\n\"act\"\r\n],\r\n\"platforms\": [\r\n\"Windows\"\r\n]\r\n},\r\n\"sorting\": 0,\r\n\"viewMode\": 0,\r\n\"hideDisabled\": false,\r\n\"techniques\": [\r\n{\r\n\"techniqueID\": \"T1110\",\r\n\"tactic\": \"credential-access\",\r\n\"color\": \"#e60d0d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1059\",\r\n\"tactic\": \"execution\",\r\n\"color\": \"#fce93b\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": 
[]\r\n},\r\n{\r\n\"techniqueID\": \"T1003\",\r\n\"tactic\": \"credential-access\",\r\n\"color\": \"#e6550d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1002\",\r\n\"tactic\": \"exfiltration\",\r\n\"color\": \"#fce93b\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1486\",\r\n\"tactic\": \"impact\",\r\n\"color\": \"#e60d0d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1074\",\r\n\"tactic\": \"collection\",\r\n\"color\": \"#e6550d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1089\",\r\n\"tactic\": \"defense-evasion\",\r\n\"color\": \"#e60d0d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1487\",\r\n\"tactic\": \"impact\",\r\n\"color\": \"#e60d0d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1041\",\r\n\"tactic\": \"exfiltration\",\r\n\"color\": \"#e6550d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1133\",\r\n\"tactic\": \"persistence\",\r\n\"color\": \"#e60d0d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1133\",\r\n\"tactic\": \"initial-access\",\r\n\"color\": \"#e60d0d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1061\",\r\n\"tactic\": \"execution\",\r\n\"color\": \"#e60d0d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1490\",\r\n\"tactic\": \"impact\",\r\n\"color\": \"#e60d0d\",\r\n\"comment\": 
\"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1046\",\r\n\"tactic\": \"discovery\",\r\n\"color\": \"#e6550d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1135\",\r\n\"tactic\": \"discovery\",\r\n\"color\": \"#e6550d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1040\",\r\n\"tactic\": \"credential-access\",\r\n\"color\": \"#fce93b\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1040\",\r\n\"tactic\": \"discovery\",\r\n\"color\": \"#fce93b\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1086\",\r\n\"tactic\": \"execution\",\r\n\"color\": \"#e60d0d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1219\",\r\n\"tactic\": \"command-and-control\",\r\n\"color\": \"#e60d0d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1076\",\r\n\"tactic\": \"lateral-movement\",\r\n\"color\": \"#e60d0d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1018\",\r\n\"tactic\": \"discovery\",\r\n\"color\": \"#e60d0d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1053\",\r\n\"tactic\": \"execution\",\r\n\"color\": \"#e60d0d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1053\",\r\n\"tactic\": \"persistence\",\r\n\"color\": \"#e60d0d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1053\",\r\n\"tactic\": 
\"privilege-escalation\",\r\n\"color\": \"#e60d0d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1064\",\r\n\"tactic\": \"defense-evasion\",\r\n\"color\": \"#e6550d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1064\",\r\n\"tactic\": \"execution\",\r\n\"color\": \"#e6550d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1035\",\r\n\"tactic\": \"execution\",\r\n\"color\": \"#e6550d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1016\",\r\n\"tactic\": \"discovery\",\r\n\"color\": \"#fce93b\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1049\",\r\n\"tactic\": \"discovery\",\r\n\"color\": \"#fce93b\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1529\",\r\n\"tactic\": \"impact\",\r\n\"color\": \"#fce93b\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1078\",\r\n\"tactic\": \"defense-evasion\",\r\n\"color\": \"#e6550d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1078\",\r\n\"tactic\": \"persistence\",\r\n\"color\": \"#e6550d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1078\",\r\n\"tactic\": \"privilege-escalation\",\r\n\"color\": \"#e6550d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1078\",\r\n\"tactic\": \"initial-access\",\r\n\"color\": \"#e6550d\",\r\n\"comment\": \"\",\r\n\"enabled\": 
true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1077\",\r\n\"tactic\": \"lateral-movement\",\r\n\"color\": \"#e6550d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1047\",\r\n\"tactic\": \"execution\",\r\n\"color\": \"#e6550d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1028\",\r\n\"tactic\": \"execution\",\r\n\"color\": \"#e6550d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n},\r\n{\r\n\"techniqueID\": \"T1028\",\r\n\"tactic\": \"lateral-movement\",\r\n\"color\": \"#e6550d\",\r\n\"comment\": \"\",\r\n\"enabled\": true,\r\n\"metadata\": []\r\n}\r\n],\r\n\"gradient\": {\r\n\"colors\": [\r\n\"#ff6666\",\r\n\"#ffe766\",\r\n\"#8ec843\"\r\n],\r\n\"minValue\": 0,\r\n\"maxValue\": 100\r\n},\r\n\"legendItems\": [\r\n{\r\n\"color\": \"#e60d0d\",\r\n\"label\": \"Observed TTPs\"\r\n},\r\n{\r\n\"color\": \"#e6550d\",\r\n\"label\": \"Med/High Confidence TTPs\"\r\n},\r\n{\r\n\"color\": \"#fce93b\",\r\n\"label\": \"Low/Med Confidence TTPs\"\r\n}\r\n],\r\n\"metadata\": [],\r\n\"showTacticRowBackground\": false,\r\n\"tacticRowBackground\": \"#dddddd\",\r\n\"selectTechniquesAcrossTactics\": true\r\n}\r\n \r\nSource: https://www.theta.co.nz/news-blogs/cyber-security-blog/part-3-analysing-medusalocker-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.theta.co.nz/news-blogs/cyber-security-blog/part-3-analysing-medusalocker-ransomware/"
	],
	"report_names": [
		"part-3-analysing-medusalocker-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434215,
	"ts_updated_at": 1775791265,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a826de6df04c8190adde7d831f47b2538a87e3d8.pdf",
		"text": "https://archive.orkl.eu/a826de6df04c8190adde7d831f47b2538a87e3d8.txt",
		"img": "https://archive.orkl.eu/a826de6df04c8190adde7d831f47b2538a87e3d8.jpg"
	}
}