MedusaLocker Ransomware | WatchGuard Technologies

Decryptor Available

No

Description

This entry is under construction. However, we have included some details below.

Ransomware Type

Crypto-Ransomware

RaaS

Country of Origin

Russia

First Seen

September 2019

Threat Actors

Type

Actor

Cybergroup

Anthropoid Spider

APT

Wizard Spider

Extortion Links(17)

Medium

Link

TOR

http://gvlay6u4g53rxdi5.onion/6-iSm1B1Ehljh8HYuXGym4Xyu1WdwsR2Av-6tXiw1BImsqoLh7pd207Rl6XYoln7sId

TOR

http://gvlay6u4g53rxdi5.onion/8-gRp514hncgb1i1sjtD32hG6jTbUh1ocR-Uola2Fo30KTJvZX0otYZgTh5txmKwUNe

TOR

http://gvlay6u4g53rxdi5.onion/8-grp514hncgblilsjtd32hg6jtbyhlocr5pqjswxfgf2oragnl3pqno6fkqcimqin

TOR

http://gvlay6u4g53rxdi5. onion/8-MO0Q7O97Hgxvm1YbD7OMnimImZJXEWaG-RbH4TvdwVTGQB3X6VOUOP3lgO6YOJEOW

TOR

http://gvlay6u4g53rxdi5.onion/8-Ww5sCBhsL8eM4PeAgsfgfa9lrqa81r31-tDQRZCAUe4164X532j9Ky16IBN9StWTH

TOR

http://gvlay6u4g53rxdi5.onion/21-8P4ZLCsMTPaLw9MkSlXJsNZWdHe0rxjt-bET6JbB9vEMZ7qYBPqUMCxOQExFx4iOi

TOR

http://gvlay6u4g53rxdi5.onion/21-8P4ZLCsMTPaLw9MkSlXJsNZWdHe0rxjt-kB4rQXGKyxGiLyw7YDsMKSBjyfdwcyxo

TOR

http://gvlay6u4g53rxdi5.onion/21-8P4ZLCsMTPaLw9MkSlXJsNZWdHe0rxjt-DcaE9HeHywqSHvdcIwOndCS4PuWASX8g

TOR

http://gvlay6y4g53rxdi5.onion/21-8P4ZLCsMETPaLw9MkSlXJsNZWdHe0rxjt-XmBgZLWlm5ULGFCOJFuVdEymmxysofwu

TOR

http://gvlay6u4g53rxdi5.onion/21-E6UQFCEuCn4KvtAh4TonRTpyHqFo6F6L-uGHwkkWCoUtBbZWN50sSS4Ds8RABkrKy

TOR

http://gvlay6u4g53rxdi5.onion/21-E6UQFCEuCn4KvtAh4TonRTpyHqFo6F6L-Tj3PRnQlpHc9OftRVDGAWUulvE80yZbc

TOR

http://gvlay6u4g53rxdi5.onion/21-E6UQFCEuCn4KvtAh4TonRTpyHqFo6F6L-OWQwD1w1Td7hY7IGUUjxmHMoFSQW6blg

TOR

http://gvlay6u4g53rxdi5.onion/21-wIq5kK9gGKiTmyups1U6fABj1VnXIYRB-I5xek6PG2EbWlPC7C1rXfsqJBlWlFFfY

TOR

http://gvlay6u4g53rxdi5.onion/2l-8P4ZLCsMTPaLw9MkSlXJsNZWdHeOrxjtE9lck1MuXPYo29daQys6gomZZXUImN7Z

TOR

http://medusacegu2ufmc3kx2kkqicrlcxdettsjcenhjena6uannk5f4ffuyd.onion/leakdata/<unique to victim>

TOR

http://qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion

TOR

http://z6wkgghtoawog5noty5nxulmmt2zs7c3yvwr22v4czbffdoly2kl4uad.onion

Extortion Types

Direct Extortion

Double Extortion

Elicit Cyber Insurance

Free Data Leaks

Pseudo-Extortion

Victim Employee Communication

Website Defacing

Extortion Amounts(17)

Amount

$5,000

$10,000

$15,000

$20,000

$35,000

$40,000

$45,000

$50,000

$55,000

$60,000

$65,000

$70,000

$75,000

$80,000

$120,000

$155,000

$160,000

Communication(84)

Medium

Identifier

Email

Email

Email

Email

Email

[rescuer]@cock.li

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Email

Tox

E9CD65687463F67F64937E961DD723DC82C79CB548375AAE8AA4A0698D356C5E7E157B22E8CD

Encryption

Type

Hybrid

Files

AES-256

Key

RSA-2048

Crypto Wallets(22)

Blockchain Type

Crypto Wallet

BTC

12xd6KrWVtgHEJHKPEfXwMVWuFK4k1FCUF

BTC

14cATAzXwD7CQf35n8Ea5pKJPfhM6jEHak

BTC

14oH2h12LvQ7BYBufcrY5vfKoCq2hTPoev

BTC

14oxnsSc1LZ5M2cPZeQ9rFnXqEvPCnZikc

BTC

184ZcAoxkvimvVZaj8jZFujC7EwR3BKWvf

BTC

18wRbb94CjyTGkUp32ZM7krCYCB9MXUq42

BTC

1AbRxRfP6yHePpi7jmDZkS4Mfpm1ZiatH5

BTC

1AereQUh8yjNPs9Wzeg1Le47dsqC8NNaNM

BTC

1BkmiGWPLum8MzusqZsq6Tn7v4oUjqPLjC

BTC

1DeNHM2eTqHp5AszTsUiS4WDHWkGc5UxHf

BTC

1DRxUFhvJjGUdojCzMWSLmwx7Qxn79XbJq

BTC

1DyMbw6R9PbJqfUSDcK5729xQ57yJrE8BC

BTC

1Edcufenw1BB4ni9UadJpQh9LVx9JGtKpP

BTC

1HEDP3c3zPwiqUaYuWZ8gBFdAQQSa6sMGw

BTC

1HdgQM9bjX7u7vWJnfErY4MWGBQJi5mVWV

BTC

1HZHhdJ6VdwBLCFhdu7kDVZN9pb3BWeUED

BTC

1PopeZ4LNLanisswLndAJB1QntTF8hpLsD

BTC

1PormUgPR72yv2FRKSVY27U4ekWMKobWjg

BTC

1nycdn9ebxht4tpspu4ehpjz9ghxlzipll

BTC

bc1q9jg45a039tn83jk2vhdpranty2y8tnpnrk9k5q

BTC

bc1qy34v0zv6wu0cugea5xjlxagsfwgunwkzc0xcjj

BTC

bc1qz3lmcw4k58n79wpzm550r5pkzxc2h8rwmmu6xm

File Extension(65)

<file name>.1btc

<file name>.AKO

<file name>.EG

<file name>.EMPg296LCK

<file name>.FartingGiraffeAttacks

<file name>.FilesEncrypted

<file name>.NET1

<file name>.NZ

<file name>.ReadInstructions

<file name>.ReadTheInstructions

<file name>.Readinstruction

<file name>.VinDizelPux

<file name>.abstergo

<file name>.bec

<file name>.bomber

<file name>.boroff

<file name>.breakingbad

<file name>.cn

<file name>.datalock

<file name>.deadfiles

<file name>.deadfilesgr

<file name>.deadnet26

<file name>.decrypme

<file name>.encrypted

<file name>.faratak

<file name>.fileslock

<file name>.fileslocked

<file name>.himynameisransom

<file name>.itlock20

<file name>.jpz.nz

<file name>.key1

<file name>.lock

<file name>.lockdata7

<file name>.locker16

<file name>.lockfiles

<file name>.lockfilesCO

<file name>.lockfilesKR

<file name>.lockfilesUS

<file name>.lr

<file name>.marlock01

<file name>.marlock02

<file name>.marlock6

<file name>.marlock08

<file name>.marlock011

<file name>.marlock11

<file name>.marlock13

<file name>.marlock25

<file name>.matlock20

<file name>.mylock

<file name>.networkmaze

<file name>.newlock

<file name>.newware

<file name>.nexe

<file name>.nlocker

<file name>.nt_lock20

<file name>.perfection

<file name>.readtheinstructions

<file name>.rs

<file name>.skynet

<file name>.stopflies

<file name>.support

<file name>.tyco

<file name>.READINSTRUCTIONS

<file name>.uslockhh

<file name>.zoomzoom

Ransom Note Name(15)

! _HOW_RECOVERY_FILES _!. HTML

!!!HOW_TO_DECRYPT!!!

HOW_TO_BACK_FILES.html

HOW_TO_OPEN_FILES.html

HOW_TO_RECOVER_DATA.html

How_to_recovery.txt

READINSTRUCTION.html

Recovery_Instructions.html

how_to_ recover_data.html

how_to_recover_data.html.marlock01

instructions.html

readinstructions.html

readme_to_recover_files

recovery_instruction.html

recovery_instructions.html

Ransom Note Image

Click to enlarge

Click to enlarge

Click to enlarge

Samples (SHA-256)

6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b

af768da08a34ddf503522186a22e65e623491e48754356210cc6798598f85266

Known Victims(36)

Industry Sector	Country	Extortion Date	Amount (USD)
Media & Marketing	Australia	2021-03-26
Hospitality	United Arab Emirates	2021-09-01
Construction & Architecture	United States	2021-09-02	$15,000
Aerospace & Aviation	Canada	2021-09-03	$50,000
Manufacturing	Italy	2021-09-04	$10,000
Hospitality	Slovakia	2021-09-05	$35,000
Banking & Finance	Philippines	2021-09-06	$70,000
Professional Services	Germany	2021-09-07	$35,000
Legal	United States	2021-09-08	$55,000
Information Technology	United States	2021-09-09	$5,000
Professional Services	United States	2021-09-10	$55,000
Professional Services	United States	2021-09-11	$35,000
Legal	United Kingdom	2021-09-12	$75,000
Professional Services	United States	2021-09-13	$45,000
Hospitality	United States	2021-09-14	$65,000
Education	Netherlands	2021-10-01	$55,000
Insurance	United Arab Emirates	2021-11-01	$155,000
Distribution & Logistics	United States	2022-05-01	$160,000
Manufacturing	United Kingdom	2022-06-01	$160,000
Legal	United States	2022-06-02	$160,000
Information Technology	Ireland	2022-07-01	$120,000
Manufacturing	United States	2022-07-02
Professional Services	United States	2023-04-01	$80,000
Construction & Architecture	United States	2023-04-11	$80,000
Education	France	2023-06-02	$40,000
Healthcare & Medicine	United States	2023-06-14	$60,000
Aerospace & Aviation	United States	2023-06-14	$160,000
Distribution & Logistics	Hungary	2023-06-24	$50,000
Fashion & Textiles	Switzerland	2023-06-24	$20,000
Professional Services	Germany	2023-06-24	$80,000
Electronics	Belgium	2023-07-02	$80,000
Construction & Architecture	United States	2023-07-04	$35,000
Construction & Architecture	Canada	2023-08-03	$35,000
Real Estate & Housing	United States	2023-10-23	$55,000
Education	United States	2023-10-23	$35,000
Chemical	Netherlands	2023-11-29	$35,000