Skip to content
Ransomware group Windows

MedusaLocker

MedusaLocker is a Windows ransomware family associated with financially motivated intrusion activity and repeated attacks against organizations in multiple sectors and countries.

Profile source: Mallory opens in a new tab

MedusaLocker

Family profile

MedusaLocker is a Windows ransomware family associated with financially motivated intrusion activity and repeated attacks against organizations in multiple sectors and countries. It is distinct from the separate Medusa ransomware operation despite frequent naming confusion in reporting.

MedusaLocker encrypts files on local systems and also attempts to impact mapped network drives, shared network resources, and removable media. Analyses of representative samples indicate it uses Windows cryptographic APIs to generate per-file encryption material, with file data encrypted using symmetric cryptography and the symmetric key protected with an embedded RSA public key. The malware commonly skips selected system-critical file types, repeatedly rescans for newly created unencrypted files, and drops an HTML ransom note in affected directories.

The family includes anti-recovery and defense-impairment behavior. Observed variants delete shadow copies and restore points, disable startup recovery, and terminate processes associated with security products and enterprise applications. Persistence has been observed through self-copying under deceptive system-like names and autorun configuration. Some intrusions linked to MedusaLocker also involved UAC bypass tradecraft and the use of administrative or offensive tooling such as credential-dumping utilities, remote execution frameworks, and network discovery tools.

Operational reporting ties MedusaLocker intrusions to opportunistic enterprise compromise, especially exposed or abused remote access. Documented cases include RDP-based access using valid credentials, pass-the-hash lateral movement, and pre-encryption disabling of endpoint protections across servers and workstations. Multiple investigations also associate MedusaLocker incidents with AV/EDR-killer tooling, including bring-your-own-vulnerable-driver techniques and packed defense-evasion payloads delivered before ransomware execution.

MedusaLocker has been observed in attacks against public-sector, telecommunications, manufacturing, business-services, and consumer-services organizations. The family is also frequently cited as a code base or lineage source for newer ransomware strains, reflecting its continued relevance in the broader ransomware ecosystem.

Capabilities

  • Byovd
  • Credential Theft
  • Defense Evasion
  • Exfiltration
  • Lateral Movement
  • Persistence
  • Post Exploitation
  • Privilege Escalation

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • Invoke-TheHash
  • Mimikatz

Defense Evasion

  • HRSword
  • PCHunter
  • ProcessHacker

Discovery Enum

  • Advanced IP Scanner
  • Advanced Port Scanner
  • SoftPerfect NetScan

LOLBAS

  • PsExec

Offsec

  • Impacket

RMM Tools

  • Remote Desktop Plus (RDP+)

Ransomware.live

Published indicators

Full source record ↗

Sha256

19 total
  • dc4840a0992b218cbedd5a7ac5c711cb98f1f9e78a8ffdea37c694061dfd34c6
  • 48046fb0e566f5a2d184f84b76d6cadc458762556daed0ae4a3a1200afbefb54
  • c0c726a23111c220d022fcd01a85f9788249e42baece03f83b6059170453b801
  • 012657c4548d9c98223caa4cc7aa52fc083d6983d42fde16ca3271412e7fe3fe
  • 8edbb1944d94ff91ee917c31590b6d1d5690a52fc153e44355ee9749aa0f4625
  • 364f1b7466d8e4c9f55294ecf1f874c763bcf980c59b0250c613ac366def6aca
  • 5d5d639fdfbf632bb7d9f1bb28731217d09d36078ab5e594baf2a5a41267a5d2
  • 33a8024395c56fab4564b9baef1645e505e00b0b36bff6fad3aedb666022599a
  • b8c994e3ed7dcc9080916119ddc315533c129479f508676d7544b82b2e24745f
  • 63eb3d2886d9cb880c9b0d54b94f3e149b3b5b6215a33a0ef63588a09dcd4499

Tox

1 total
  • E9CD65687463F67F64937E961DD723DC82C79CB548375AAE8AA4A0698D356C5E7E157B22E8CD

Ransomware.live

Recent claims

All published claims ↗

Reported operators

Threat actors

1 named in public reporting
ANTHROPOID SPIDER

"...web server exploitation campaigns in 2020 that primarily delivered MedusaLocker ransomware."

Exploited software

Vulnerabilities linked to MedusaLocker

2 CVEs

MITRE ATT&CK

MedusaLocker in ATT&CK

26 distinct techniques

Reporting

Research mentioning MedusaLocker

Jul 15
Alpha Cyber

Medusa Ransomware: The RaaS That Blinds Your EDR Before It Encrypts - Alpha Cyber

It is NOT the same as MedusaLocker (a separate, older ransomware family)...

Jul 1
Hookphish

Ransomware Group medusalocker Hits: Mairie Thiverval Grignon

Mairie Thiverval Grignon — an organization based in FR — has fallen victim to a ransomware attack conducted by the group medusalocker.

Jul 1
Hookphish

Ransomware Group medusalocker Hits: FunkeScheid

FunkeScheid — an organization based in DE — has fallen victim to a ransomware attack conducted by the group medusalocker.

Jul 1
Hookphish

Ransomware Group medusalocker Hits: T Online

T Online — an organization based in DE — has fallen victim to a ransomware attack conducted by the group medusalocker.

Jul 1
Hookphish

Ransomware Group medusalocker Hits: Dadolighting

Dadolighting — an organization based in US — has fallen victim to a ransomware attack conducted by the group medusalocker.

Jul 1
Hookphish

Ransomware Group medusalocker Hits: Sgs Gmbh

Sgs Gmbh — an organization based in DE — has fallen victim to a ransomware attack conducted by the group medusalocker.

Jul 1
Hookphish

Ransomware Group medusalocker Hits: Karneslegal

Karneslegal — an organization based in US — has fallen victim to a ransomware attack conducted by the group medusalocker.

Jul 1
Hookphish

Ransomware Group medusalocker Hits: Estrela

Estrela — an organization based in BR — has fallen victim to a ransomware attack conducted by the group medusalocker.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.