MedusaLocker ransomware was first detected in September 2019 and has since infected and encrypted systems across multiple sectors, with primary targeting the healthcare sector.
The MedusaLocker actors predominantly rely on vulnerabilities in remote services to access victims’ networks. The actors use services such as RDP, PsExec, and SMB to infect other hosts in the victim’s network.
SalvageData experts recommend proactive data security measures, such as regular backups, strong cybersecurity practices, and keeping software up to date, to protect against ransomware attacks. And, in case of a ransomware attack, contact our ransomware recovery experts immediately.
MedusaLocker is a ransomware that has been known to target multiple organizations, especially healthcare and pharmaceutical companies. It operates as a Ransomware-as-a-Service (RaaS) model based on the observed split of ransom payments.
While it shares a similar name, there is no clear evidence that MedusaLocker has any connection with the Medusa ransomware.
Confirmed Name
Threat Type
Is There a Free Decryptor Available?
No, there’s no public decryptor for MedusaLocker ransomware.
Distribution methods
Consequences
The ransom note is placed into every folder and outlines how to communicate with the attackers and pay the ransom in Bitcoin. It also warns victims against renaming, modifying, or attempting to decrypt the encrypted files by using third-party decryptors, stating that it would permanently corrupt them, and advises against modifying or renaming the encrypted files.
If you realize you’re a ransomware victim, contacting SalvageData ransomware removal experts provides you with a secure data recovery service and ransomware removal after an attack.
MedusaLocker ransomware uses various techniques to spread and infect other hosts in the victim’s network.
Once MedusaLocker ransomware gains access to a network, it follows the typical ransomware attack lifecycle and blocks victims from accessing their data. It encrypts the victim’s data by using a combination of AES and RSA-2048.
MedusaLocker will further establish persistence by deleting local backups, disabling start-up recovery, and ultimately placing a ransom note into every folder containing a file with the compromised host’s encrypted data.
Do not comply with the ransom demand! Contact local authorities and a ransomware removal service to restore your files and remove any potential threat.
IOC stands for “Indicator of Compromise” in the context of cybersecurity. It is a forensic term that refers to the evidence on a device that points out a security breach. Although the data of IOC is gathered after a suspicious incident, security event, or unexpected call-outs from the network, it is a good cybersecurity practice to check IOC data regularly to detect unusual activities and vulnerabilities.
IOC includes file extensions, IP addresses, file hashes, email addresses, payment wallets, and ransom note file names. Since MedusaLocker is RaaS, its IOCs will vary according to the variant and the cybercriminal gang operating it.
CISA’s MedusaLocker advisory also includes the following IOCs:
Known ransom note file names:
Known encrypted file extensions:
The first step to recovering from a MedusaLocker attack is to isolate the infected computer by disconnecting from the internet and removing any connected device. Then, you must contact local authorities. In the case of US residents and businesses, it is the FBI and the Internet Crime Complaint Centre (IC3).
To report a ransomware attack you must gather every information you can about it, including:
However, if you prefer to contact professionals, then it’s best to leave every infected machine the way it is and ask for an emergency ransomware removal service. These professionals are equipped to quickly mitigate the damage, gather evidence, potentially reverse the encryption, and restore the system.
Restarting or shutting down the system may compromise the recovery of the system. Capturing the RAM of a live system may help get the encryption key, and catching a dropper file, i.e. file executing the malicious payload, may help reverse-engineer the encryption itself and lead to the decryption of the data or a better understanding of how it operates.
A Cyber Incident Response is the process of responding to and managing a cybersecurity incident. An Incident Response Retainer is a service agreement with a cybersecurity provider that allows organizations to get external help with cybersecurity incidents. It provides organizations with a structured form of expertise and support through a security partner, enabling them to respond quickly and effectively during a cyber incident.
An incident response retainer offers peace of mind to organizations, offering expert support before and in the aftermath of a cybersecurity incident. An incident response retainer’s specific nature and structure will vary according to the provider and the organization’s requirements. A good incident response retainer should be robust but flexible, providing proven services to enhance an organization’s long-term security posture.
If you contact your IR service provider, they can take over immediately and guide you through every step in the ransomware recovery. However, if you decide to remove the ransomware yourself and recover the files with your IT team, then you can follow the next steps.
You can identify which ransomware infected your machine by the file extension (some ransomware uses the file extension as their name), using a ransomware ID tool, or it will be on the ransom note. With this information, you can look for a public decryption key.
Before recovering your data, you must guarantee that your device is ransomware-free and that the attackers can’t make a new attack through exploit kits or other vulnerabilities. A ransomware removal service can delete the ransomware, create a forensics document for investigation, eliminate vulnerabilities, and recover your data.
The importance of backup for data recovery cannot be overstated, especially in the context of various potential risks and threats to data integrity.
Backups are a critical component of a comprehensive data protection strategy. They provide a means to recover from a variety of threats, ensuring the continuity of operations and preserving valuable information. In the face of ransomware attacks, where malicious software encrypts your data and demands payment for its release, having a backup allows you to restore your information without succumbing to the attacker’s demands.
Make sure to regularly test and update your backup procedures to enhance their effectiveness in safeguarding against potential data loss scenarios. There are several ways to make a backup, so you must choose the right backup medium and have at least one copy of your data stored offsite and offline.
If you don’t have a backup or need help removing the malware and eliminating vulnerabilities, contact a data recovery service. Paying the ransom does not guarantee your data will be returned to you. The only guaranteed way you can restore every file is if you have a backup. If you don’t, ransomware data recovery services can help you decrypt and recover the files.
SalvageData experts can safely restore your files and prevent MedusaLocker ransomware from attacking your network again, contact our recovery experts 24/7.
What NOT to do after a ransomware attack
You must not delete the ransomware, and keep every evidence of the attack. That’s important for digital forensics so experts can trace back to the hacker group and identify them. It is by using the data on your infected system that authorities can investigate the attack and find the responsible. A cyber attack investigation is not different from any other criminal investigation: it needs evidence to find the attackers.
Preventing ransomware is the best solution for data security since it is easier and cheaper than recovering from attacks. MedusaLocker ransomware can cost your business’s future and even close its doors.
By taking these proactive measures, individuals and organizations can reduce the risk of a MedusaLocker ransomware attack and protect their data from being encrypted and held for ransom.
These are a few tips to ensure you can avoid ransomware attacks:
In a recent data recovery service case, the SalvageData recovery team achieved a remarkable feat…
A corrupted database on PS4 occurs when the system's organized data collection becomes damaged or…
Encountering a black or blank screen on your Windows computer can be frustrating and alarming.…
LockBit ransomware has emerged as one of the most dangerous and prolific cyber threats in…
Recovery mode is a crucial feature for troubleshooting and restoring an iPad when it encounters…
Whether you’re a professional juggling important work documents or an individual cherishing irreplaceable memories, safeguarding…