{
	"id": "9f781d1a-7fe1-498c-991f-ba1992292d27",
	"created_at": "2026-04-06T00:07:08.553716Z",
	"updated_at": "2026-04-10T03:20:24.001076Z",
	"deleted_at": null,
	"sha1_hash": "b1efa59de1f025a0f1df548b5d5af41dccda2d48",
	"title": "MedusaLocker Ransomware: Encryption, Costs, and Protection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2898752,
	"plain_text": "MedusaLocker Ransomware: Encryption, Costs, and Protection\r\nBy Jim Walter\r\nPublished: 2019-11-28 · Archived: 2026-04-05 14:03:04 UTC\r\nIn September of this year, our research team began to track and observe a recently identified ransomware family dubbed\r\nMedusaLocker. This family has a few unusual features designed to ensure it encrypts as much data as possible, not only on\r\nthe locally infected machine but across the network. MedusaLocker’s ability to force connectivity to remote (mapped) drives,\r\ntogether with its persistence mechanisms, is particularly problematic. In this post, we take a look at how MedusaLocker\r\nworks and how it differs from other recent ransomware strains.\r\nDelivery of MedusaLocker follows a fairly standard and established pattern. Current data indicates that the malicious\r\npayloads are distributed via phishing and spam email. The examples we have analyzed show the malware attached directly\r\nto email messages rather than delivered through a link to a malicious site.\r\nMedusaLocker Aims To Encrypt All Remote Drives\r\nUpon initial execution, MedusaLocker takes steps to ensure that it can reach and infect remote and adjacent hosts. The\r\nmalware checks the value of “EnableLinkedConnections” under the\r\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System registry key and, if necessary,\r\nsets this value to ‘1’.\r\nhttps://www.sentinelone.com/blog/how-medusalocker-ransomware-aggressively-targets-remote-hosts/\r\nPage 1 of 7\r\nWith EnableLinkedConnections set to 1, Windows links the drive mappings of a user’s standard and elevated (UAC) tokens, so\r\nan elevated process can see and write to network drives that were mapped in the user’s non-elevated session. This ensures\r\nthat mapped network drives are accessible to the threat for encryption and/or spreading.\r\nAs part of this process, the malware goes as far as to restart the LanmanWorkstation (Workstation) service. This service is\r\nresponsible for creating and maintaining client network connections to remote servers over the SMB protocol. If this\r\nservice is stopped, these connections become unavailable. 
If this service is disabled, other services that depend on it fail to start. By restarting the Workstation service,\r\nMedusaLocker forces any related configuration changes into effect.\r\nMedusaLocker Bypasses Legacy Security Products\r\nFrom there, the threat attempts to terminate the processes of multiple security products. The malware targets a few dozen\r\nrunning executables, including those belonging to G Data, Qihoo 360 and Symantec security products. In addition,\r\nMedusaLocker kills off more generic products including MS SQL, Apache Tomcat and VMware, which are commonly used by\r\nmalware researchers to conduct analysis and reverse engineering. Terminating database and application servers also has a\r\nmore direct benefit for the attacker: it releases the locks those processes hold on their data files, so the files can be\r\nencrypted.\r\nMedusaLocker also attempts to terminate several processes belonging to the accounting software package Intuit QuickBooks.\r\nThis ensures that open files containing valuable financial data are not locked against modification by the software, which\r\nwould otherwise prevent the ransomware from encrypting them.\r\nThe full list of targeted executables appears in the original post but did not survive text extraction here.\r\nHow MedusaLocker Ransomware Encrypts Victims’ Files\r\nEncryption is achieved with AES-256, and the AES key is in turn encrypted with an RSA-2048 public key. The public key is\r\nembedded in the malicious executable itself; the matching private key stays with the attackers, so the AES key cannot be\r\nrecovered from the binary alone. The samples we have analyzed all use the .encrypted extension for files that have been\r\nencrypted.\r\nWhile many ransomware strains target particular file extensions, one of MedusaLocker’s distinctive features is that it takes\r\nthe opposite approach: it encrypts everything except a hard-coded exclusion list of file extensions. The ransomware ignores\r\nfiles with the .encrypted extension, for example, so as to avoid files that have already been encrypted. 
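The encryption scheme described above, as an added example in PowerShell that is not part of the original post and is not MedusaLocker’s code: a fresh AES-256 key encrypts a constructed in-memory sample, that key is wrapped under an RSA-2048 public key, and unwrapping is attempted first with the public half only (what a victim host has) and then with the private half (what only the attacker has). The function names, the OAEP padding choice and the sample bytes are assumptions of this example; the post does not say which RSA padding or AES mode the malware uses. It targets PowerShell 7 (.NET); Windows PowerShell 5.1’s default CSP provider does not support OAEP-SHA256, so there substitute [System.Security.Cryptography.RSACng]::new(2048) for RSA.Create(2048).

```powershell
# Added example, not the malware's code: AES-256 data encryption with the AES key wrapped under RSA-2048.
# Everything here stays in memory; no files are read or written.

# Attacker side, done once: only the public half of this key pair would be embedded in a binary.
$attackerRsa = [System.Security.Cryptography.RSA]::Create(2048)
$embeddedPublicKey = $attackerRsa.ExportParameters($false)   # what a victim host would hold
$attackerPrivateKey = $attackerRsa.ExportParameters($true)   # what never leaves the attacker

function Protect-Buffer {
    param([byte[]]$Plaintext, [System.Security.Cryptography.RSAParameters]$PublicKey)
    # Fresh AES-256 key and IV (CBC/PKCS7 are the defaults of Aes.Create()).
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey()
    $aes.GenerateIV()
    $ciphertext = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    $iv = $aes.IV
    # Wrap the AES key with RSA-OAEP using the public half only; the wrapped key travels with the ciphertext.
    $rsa = [System.Security.Cryptography.RSA]::Create()
    $rsa.ImportParameters($PublicKey)
    $wrappedKey = $rsa.Encrypt($aes.Key, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
    $aes.Dispose()
    $rsa.Dispose()
    [PSCustomObject]@{ Ciphertext = $ciphertext; IV = $iv; WrappedKey = $wrappedKey }
}

function Unprotect-Buffer {
    param($Envelope, [System.Security.Cryptography.RSAParameters]$KeyParameters)
    # Unwrap the AES key first; this is the only step that needs the RSA private half.
    $rsa = [System.Security.Cryptography.RSA]::Create()
    $rsa.ImportParameters($KeyParameters)
    $aesKey = $rsa.Decrypt($Envelope.WrappedKey, [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256)
    $rsa.Dispose()
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $aesKey
    $aes.IV = $Envelope.IV
    $plaintext = $aes.CreateDecryptor().TransformFinalBlock($Envelope.Ciphertext, 0, $Envelope.Ciphertext.Length)
    $aes.Dispose()
    return ,$plaintext   # leading comma keeps the byte[] intact instead of unrolling it into the pipeline
}

# Constructed sample input, not a real file.
$sample = [System.Text.Encoding]::UTF8.GetBytes('constructed sample: Q3 ledger export, 14 rows')
$envelope = Protect-Buffer -Plaintext $sample -PublicKey $embeddedPublicKey

# A victim host has the envelope and the public key only. Unwrapping with the public half fails:
try {
    Unprotect-Buffer -Envelope $envelope -KeyParameters $embeddedPublicKey | Out-Null
} catch {
    'unwrap with public half only: ' + $_.Exception.Message
}

# The holder of the private half (the attacker, or a leaked or seized key) recovers the data.
[byte[]]$recovered = Unprotect-Buffer -Envelope $envelope -KeyParameters $attackerPrivateKey
[System.Text.Encoding]::UTF8.GetString($recovered)
```

The point for a responder is the second attempt: every file on the host can be unwrapped only by whoever holds the RSA private half, which is why no public decryptor can exist unless that key leaks or the implementation is flawed.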
Skipping already-encrypted files is required because the malware re-runs at repeated intervals, checking for new items to\r\nencrypt (more on that below).\r\nOther extensions have been observed, and these are also covered by the exclusion list. In addition to .encrypted,\r\nMedusaLocker will also use and avoid the following extensions:\r\n.newlock\r\n.skynet\r\n.nlocker\r\n.bomber\r\n.breakingbad\r\n.locker16\r\nAfter initial execution, the threat sleeps for a hard-coded interval of 60 seconds and then repeats its process to find\r\nfurther files to encrypt. In addition, the threat creates a scheduled task to ensure persistence, which runs at 15- or\r\n30-minute intervals (the interval varies across samples).\r\nSkipping already-encrypted files (by checking the extension) keeps these repeated passes efficient. MedusaLocker also\r\navoids encrypting select ‘critical’ file types and drive locations; that list appears in the original post but did not\r\nsurvive text extraction here.\r\nHow Much Does MedusaLocker Ransomware Cost?\r\nOnce the primary encryption process is complete, MedusaLocker deposits a HOW_TO_RECOVER_DATA.html file in every folder\r\nthat contains encrypted files. The ransom note contains no information about how much victims will have to pay. This\r\nindicates that the criminals apply variable pricing depending on their assessment of the victim’s financial means, a model\r\nwe have seen used by other ransomware strains, such as Matrix ransomware.\r\nVictims are required to reach out via email to purchase a decryptor in the hope that they can restore their files. 
That is, rather than navigating to a .onion TOR-based payment portal, victims have to message their attacker blindly and\r\nawait a reply with instructions on how to recover their data.\r\nAs of this writing, we are not aware of any public decryptor for MedusaLocker.\r\nMedusaLocker is also quite aggressive in inhibiting any sort of ‘manual’ recovery (e.g. local backups, VSS / Shadow\r\nCopies). The threat takes multiple steps to block victims from carrying out standard recovery procedures: it deletes\r\nShadow Copies, deletes local backups (via wbadmin) and disables startup recovery options (via bcdedit).\r\nHow To Protect Against MedusaLocker Ransomware?\r\nMedusaLocker has been specifically coded to capture the maximum amount of data, both locally and remotely, and to prevent\r\nvictims from taking any steps towards recovery other than paying the ransom.\r\nSentinelOne customers are fully protected from malware payloads associated with MedusaLocker ransomware, as\r\ndemonstrated in the video embedded in the original post.\r\nConclusion\r\nMedusaLocker is another daily reminder that ransomware is still a serious concern for all environments, large or small.\r\nPerhaps because some victims choose not to pay and look for alternative means of recovery, threat actors are becoming\r\nincreasingly aggressive.\r\nAs always, ensure that you have fully tested and drilled Business Continuity and Disaster Recovery (BCP/DRP) plans and\r\nprocedures in place, in addition to leveraging a modern and capable endpoint security solution. 
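As an added example, not part of the original post or of SentinelOne’s product, here is the host-side check a responder would run for the behaviours this post describes: the EnableLinkedConnections change and Workstation service restart from the first section, the 15- or 30-minute scheduled task, the recovery inhibition (Shadow Copies, bcdedit) just above, and the ransom note and file extensions. The function name, the default scan root, the 72-hour event-log window and the two bcdedit settings checked (recoveryenabled and bootstatuspolicy, the usual targets of this technique, not specifically confirmed for MedusaLocker in the post) are assumptions of this example. It changes nothing on the host, needs an elevated session for the BCD and shadow-copy queries, and writes registry paths with forward slashes, which the PowerShell registry provider accepts.

```powershell
# Added example, not from the original post: read-only triage for the MedusaLocker behaviours described above.
# Run in an elevated PowerShell session on the suspect host; narrow -ScanRoot on large volumes.
function Invoke-MedusaLockerTriage {
    param(
        [string]$ScanRoot = $env:USERPROFILE,   # assumption: where to sweep for notes and renamed files
        [int]$EventHours = 72                   # assumption: how far back to look in the System log
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. EnableLinkedConnections=1 links the drive mappings of the standard and elevated (UAC) tokens.
    #    The registry provider accepts '/' as a separator, so no backslashes are needed in the path.
    $policyKey = 'HKLM:/SOFTWARE/Microsoft/Windows/CurrentVersion/Policies/System'
    $policy = Get-ItemProperty -Path $policyKey -Name EnableLinkedConnections -ErrorAction SilentlyContinue
    if ($policy.EnableLinkedConnections -eq 1) {
        $findings.Add('EnableLinkedConnections=1: mapped drives are visible to elevated processes')
    }

    # 2. A Workstation (LanmanWorkstation) restart shows up as a stopped/running pair of SCM 7036 events.
    $since = (Get-Date).AddHours(-$EventHours)
    $filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7036; StartTime = $since }
    $wsEvents = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Workstation service entered the (stopped|running) state' })
    if ($wsEvents.Count -ge 2) {
        $findings.Add(('Workstation service changed state {0} times since {1}' -f $wsEvents.Count, $since))
    }

    # 3. Scheduled tasks whose trigger repeats every 15 or 30 minutes (ISO 8601 durations).
    foreach ($task in @(Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        $intervals = @($task.Triggers | ForEach-Object { $_.Repetition.Interval } | Where-Object { $_ -in 'PT15M', 'PT30M' })
        if ($intervals.Count -gt 0) {
            $actions = ($task.Actions | ForEach-Object { ('{0} {1}' -f $_.Execute, $_.Arguments).Trim() }) -join '; '
            $findings.Add(('Task {0}{1} repeats every {2}: {3}' -f $task.TaskPath, $task.TaskName, $intervals[0], $actions))
        }
    }

    # 4. Recovery inhibition: shadow copies gone, boot recovery switched off in the BCD.
    $shadowCount = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
    if ($shadowCount -eq 0) { $findings.Add('No Volume Shadow Copies present') }
    $bcd = @(& bcdedit /enum '{current}' 2>$null)
    if ($bcd -match '^recoveryenabled +No') { $findings.Add('BCD: recoveryenabled No') }
    if ($bcd -match '^bootstatuspolicy +IgnoreAllFailures') { $findings.Add('BCD: bootstatuspolicy IgnoreAllFailures') }

    # 5. Ransom notes and the extensions listed in the post.
    $extensions = '.encrypted', '.newlock', '.skynet', '.nlocker', '.bomber', '.breakingbad', '.locker16'
    $files = @(Get-ChildItem -Path $ScanRoot -Recurse -File -Force -ErrorAction SilentlyContinue)
    $notes = @($files | Where-Object { $_.Name -eq 'HOW_TO_RECOVER_DATA.html' })
    if ($notes.Count -gt 0) {
        $findings.Add(('{0} ransom note(s); first seen in {1}' -f $notes.Count, $notes[0].DirectoryName))
    }
    $files | Where-Object { $_.Extension -in $extensions } | Group-Object Extension | ForEach-Object {
        $findings.Add(('{0} file(s) with extension {1}' -f $_.Count, $_.Name))
    }

    [PSCustomObject]@{ Host = $env:COMPUTERNAME; ScanRoot = $ScanRoot; Findings = $findings }
}

Invoke-MedusaLockerTriage -ScanRoot 'C:/Users' | Format-List
```

Any single finding is weak on its own (a backup product may legitimately use a 15-minute task, a clean host may simply have no shadow copies), so treat the output as a triage list to correlate with the file-system evidence in step 5 rather than as a verdict.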
SentinelOne prevents malware payloads such as MedusaLocker, Ryuk and others from wreaking havoc on target systems, and\r\ncan restore encrypted files by rolling back infected systems to a healthy state.\r\nMedusaLocker IOCs\r\nMedusaLocker Samples (SHA-256)\r\ndde3c98b6a370fb8d1785f3134a76cb465cd663db20dffe011da57a4de37aa95\r\n0432b4ad0f978dd765ac366f768108b78624dab8704e119181a746115c2bef75\r\nd6223b02155d8a84bf1b31ed463092a8d0e3e3cdb5d15a72b5638e69b67c05b7\r\nf31b9f121c6c4fadaa44b804ec2a891c71b20439d043ea789b77873fa3ab0abb\r\ndb11260b9eff22f397c4eb6e2f50d02545dbb7440046c6f12dbc68e0f32d57ce\r\nMITRE ATT\u0026CK TTPs\r\nT1486 Data Encrypted for Impact\r\nT1105 Remote File Copy\r\nT1018 Remote System Discovery\r\nT1112 Modify Registry\r\nT1053 Scheduled Task\r\nT1063 Security Software Discovery\r\nSource: https://www.sentinelone.com/blog/how-medusalocker-ransomware-aggressively-targets-remote-hosts/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.sentinelone.com/blog/how-medusalocker-ransomware-aggressively-targets-remote-hosts/"
	],
	"report_names": [
		"how-medusalocker-ransomware-aggressively-targets-remote-hosts"
	],
	"threat_actors": [],
	"ts_created_at": 1775434028,
	"ts_updated_at": 1775791224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b1efa59de1f025a0f1df548b5d5af41dccda2d48.pdf",
		"text": "https://archive.orkl.eu/b1efa59de1f025a0f1df548b5d5af41dccda2d48.txt",
		"img": "https://archive.orkl.eu/b1efa59de1f025a0f1df548b5d5af41dccda2d48.jpg"
	}
}