Credential Theft
- Invoke-TheHash
- Mimikatz
MedusaLocker is a Windows ransomware family associated with financially motivated intrusion activity and repeated attacks against organizations in multiple sectors and countries.
Profile source: Mallory opens in a new tabMedusaLocker
MedusaLocker is a Windows ransomware family associated with financially motivated intrusion activity and repeated attacks against organizations in multiple sectors and countries. It is distinct from the separate Medusa ransomware operation despite frequent naming confusion in reporting.
MedusaLocker encrypts files on local systems and also attempts to impact mapped network drives, shared network resources, and removable media. Analyses of representative samples indicate it uses Windows cryptographic APIs to generate per-file encryption material, with file data encrypted using symmetric cryptography and the symmetric key protected with an embedded RSA public key. The malware commonly skips selected system-critical file types, repeatedly rescans for newly created unencrypted files, and drops an HTML ransom note in affected directories.
The family includes anti-recovery and defense-impairment behavior. Observed variants delete shadow copies and restore points, disable startup recovery, and terminate processes associated with security products and enterprise applications. Persistence has been observed through self-copying under deceptive system-like names and autorun configuration. Some intrusions linked to MedusaLocker also involved UAC bypass tradecraft and the use of administrative or offensive tooling such as credential-dumping utilities, remote execution frameworks, and network discovery tools.
Operational reporting ties MedusaLocker intrusions to opportunistic enterprise compromise, especially exposed or abused remote access. Documented cases include RDP-based access using valid credentials, pass-the-hash lateral movement, and pre-encryption disabling of endpoint protections across servers and workstations. Multiple investigations also associate MedusaLocker incidents with AV/EDR-killer tooling, including bring-your-own-vulnerable-driver techniques and packed defense-evasion payloads delivered before ransomware execution.
MedusaLocker has been observed in attacks against public-sector, telecommunications, manufacturing, business-services, and consumer-services organizations. The family is also frequently cited as a code base or lineage source for newer ransomware strains, reflecting its continued relevance in the broader ransomware ecosystem.
Ransomware.live
Ransomware.live
dc4840a0992b218cbedd5a7ac5c711cb98f1f9e78a8ffdea37c694061dfd34c648046fb0e566f5a2d184f84b76d6cadc458762556daed0ae4a3a1200afbefb54c0c726a23111c220d022fcd01a85f9788249e42baece03f83b6059170453b801012657c4548d9c98223caa4cc7aa52fc083d6983d42fde16ca3271412e7fe3fe8edbb1944d94ff91ee917c31590b6d1d5690a52fc153e44355ee9749aa0f4625364f1b7466d8e4c9f55294ecf1f874c763bcf980c59b0250c613ac366def6aca5d5d639fdfbf632bb7d9f1bb28731217d09d36078ab5e594baf2a5a41267a5d233a8024395c56fab4564b9baef1645e505e00b0b36bff6fad3aedb666022599ab8c994e3ed7dcc9080916119ddc315533c129479f508676d7544b82b2e24745f63eb3d2886d9cb880c9b0d54b94f3e149b3b5b6215a33a0ef63588a09dcd4499E9CD65687463F67F64937E961DD723DC82C79CB548375AAE8AA4A0698D356C5E7E157B22E8CDRansomware.live
Reported operators
"...web server exploitation campaigns in 2020 that primarily delivered MedusaLocker ransomware."
Exploited software
MITRE ATT&CK
Reporting
It is NOT the same as MedusaLocker (a separate, older ransomware family)...
Mairie Thiverval Grignon — an organization based in FR — has fallen victim to a ransomware attack conducted by the group medusalocker.
FunkeScheid — an organization based in DE — has fallen victim to a ransomware attack conducted by the group medusalocker.
T Online — an organization based in DE — has fallen victim to a ransomware attack conducted by the group medusalocker.
Dadolighting — an organization based in US — has fallen victim to a ransomware attack conducted by the group medusalocker.
Sgs Gmbh — an organization based in DE — has fallen victim to a ransomware attack conducted by the group medusalocker.
Karneslegal — an organization based in US — has fallen victim to a ransomware attack conducted by the group medusalocker.
Estrela — an organization based in BR — has fallen victim to a ransomware attack conducted by the group medusalocker.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.