MedusaLocker (Active)
Decryptor Available: No
Description
This entry is under construction. However, we have included some details below.
Ransomware Type: Crypto-Ransomware, RaaS
Country of Origin: Russia
First Seen
Threat Actors
Type | Actor
---|---
Cybergroup | Anthropoid Spider
APT | Wizard Spider
Extortion Links(17)
Medium | Link
---|---
TOR | http://gvlay6u4g53rxdi5.onion/6-iSm1B1Ehljh8HYuXGym4Xyu1WdwsR2Av-6tXiw1BImsqoLh7pd207Rl6XYoln7sId
TOR | http://gvlay6u4g53rxdi5.onion/8-gRp514hncgb1i1sjtD32hG6jTbUh1ocR-Uola2Fo30KTJvZX0otYZgTh5txmKwUNe
TOR | http://gvlay6u4g53rxdi5.onion/8-grp514hncgblilsjtd32hg6jtbyhlocr5pqjswxfgf2oragnl3pqno6fkqcimqin
TOR | http://gvlay6u4g53rxdi5.onion/8-MO0Q7O97Hgxvm1YbD7OMnimImZJXEWaG-RbH4TvdwVTGQB3X6VOUOP3lgO6YOJEOW
TOR | http://gvlay6u4g53rxdi5.onion/8-Ww5sCBhsL8eM4PeAgsfgfa9lrqa81r31-tDQRZCAUe4164X532j9Ky16IBN9StWTH
TOR | http://gvlay6u4g53rxdi5.onion/21-8P4ZLCsMTPaLw9MkSlXJsNZWdHe0rxjt-bET6JbB9vEMZ7qYBPqUMCxOQExFx4iOi
TOR | http://gvlay6u4g53rxdi5.onion/21-8P4ZLCsMTPaLw9MkSlXJsNZWdHe0rxjt-kB4rQXGKyxGiLyw7YDsMKSBjyfdwcyxo
TOR | http://gvlay6u4g53rxdi5.onion/21-8P4ZLCsMTPaLw9MkSlXJsNZWdHe0rxjt-DcaE9HeHywqSHvdcIwOndCS4PuWASX8g
TOR | http://gvlay6y4g53rxdi5.onion/21-8P4ZLCsMETPaLw9MkSlXJsNZWdHe0rxjt-XmBgZLWlm5ULGFCOJFuVdEymmxysofwu
TOR | http://gvlay6u4g53rxdi5.onion/21-E6UQFCEuCn4KvtAh4TonRTpyHqFo6F6L-uGHwkkWCoUtBbZWN50sSS4Ds8RABkrKy
TOR | http://gvlay6u4g53rxdi5.onion/21-E6UQFCEuCn4KvtAh4TonRTpyHqFo6F6L-Tj3PRnQlpHc9OftRVDGAWUulvE80yZbc
TOR | http://gvlay6u4g53rxdi5.onion/21-E6UQFCEuCn4KvtAh4TonRTpyHqFo6F6L-OWQwD1w1Td7hY7IGUUjxmHMoFSQW6blg
TOR | http://gvlay6u4g53rxdi5.onion/21-wIq5kK9gGKiTmyups1U6fABj1VnXIYRB-I5xek6PG2EbWlPC7C1rXfsqJBlWlFFfY
TOR | http://gvlay6u4g53rxdi5.onion/2l-8P4ZLCsMTPaLw9MkSlXJsNZWdHeOrxjtE9lck1MuXPYo29daQys6gomZZXUImN7Z
TOR | http://medusacegu2ufmc3kx2kkqicrlcxdettsjcenhjena6uannk5f4ffuyd.onion/leakdata/<unique to victim>
TOR | http://qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
TOR | http://z6wkgghtoawog5noty5nxulmmt2zs7c3yvwr22v4czbffdoly2kl4uad.onion
Extortion Types
Direct Extortion
Double Extortion
Elicit Cyber Insurance
Free Data Leaks
Pseudo-Extortion
Victim Employee Communication
Website Defacing
Extortion Amounts(17)
Amount
$5,000
$10,000
$15,000
$20,000
$35,000
$40,000
$45,000
$50,000
$55,000
$60,000
$65,000
$70,000
$75,000
$80,000
$120,000
$155,000
$160,000
Communication(84)
Medium | Identifier
---|---
Email |
Email |
Email |
Email |
Email | [rescuer]@cock.li
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Email |
Tox | E9CD65687463F67F64937E961DD723DC82C79CB548375AAE8AA4A0698D356C5E7E157B22E8CD
Encryption
Type | Files | Key
---|---|---
Hybrid | AES-256 | RSA-2048
Crypto Wallets(22)
Blockchain Type | Crypto Wallet
---|---
BTC | 12xd6KrWVtgHEJHKPEfXwMVWuFK4k1FCUF
BTC | 14cATAzXwD7CQf35n8Ea5pKJPfhM6jEHak
BTC | 14oH2h12LvQ7BYBufcrY5vfKoCq2hTPoev
BTC | 14oxnsSc1LZ5M2cPZeQ9rFnXqEvPCnZikc
BTC | 184ZcAoxkvimvVZaj8jZFujC7EwR3BKWvf
BTC | 18wRbb94CjyTGkUp32ZM7krCYCB9MXUq42
BTC | 1AbRxRfP6yHePpi7jmDZkS4Mfpm1ZiatH5
BTC | 1AereQUh8yjNPs9Wzeg1Le47dsqC8NNaNM
BTC | 1BkmiGWPLum8MzusqZsq6Tn7v4oUjqPLjC
BTC | 1DeNHM2eTqHp5AszTsUiS4WDHWkGc5UxHf
BTC | 1DRxUFhvJjGUdojCzMWSLmwx7Qxn79XbJq
BTC | 1DyMbw6R9PbJqfUSDcK5729xQ57yJrE8BC
BTC | 1Edcufenw1BB4ni9UadJpQh9LVx9JGtKpP
BTC | 1HEDP3c3zPwiqUaYuWZ8gBFdAQQSa6sMGw
BTC | 1HdgQM9bjX7u7vWJnfErY4MWGBQJi5mVWV
BTC | 1HZHhdJ6VdwBLCFhdu7kDVZN9pb3BWeUED
BTC | 1PopeZ4LNLanisswLndAJB1QntTF8hpLsD
BTC | 1PormUgPR72yv2FRKSVY27U4ekWMKobWjg
BTC | 1nycdn9ebxht4tpspu4ehpjz9ghxlzipll
BTC | bc1q9jg45a039tn83jk2vhdpranty2y8tnpnrk9k5q
BTC | bc1qy34v0zv6wu0cugea5xjlxagsfwgunwkzc0xcjj
BTC | bc1qz3lmcw4k58n79wpzm550r5pkzxc2h8rwmmu6xm
File Extension(65)
<file name>.1btc
<file name>.AKO
<file name>.EG
<file name>.EMPg296LCK
<file name>.FartingGiraffeAttacks
<file name>.FilesEncrypted
<file name>.NET1
<file name>.NZ
<file name>.ReadInstructions
<file name>.ReadTheInstructions
<file name>.Readinstruction
<file name>.VinDizelPux
<file name>.abstergo
<file name>.bec
<file name>.bomber
<file name>.boroff
<file name>.breakingbad
<file name>.cn
<file name>.datalock
<file name>.deadfiles
<file name>.deadfilesgr
<file name>.deadnet26
<file name>.decrypme
<file name>.encrypted
<file name>.faratak
<file name>.fileslock
<file name>.fileslocked
<file name>.himynameisransom
<file name>.itlock20
<file name>.jpz.nz
<file name>.key1
<file name>.lock
<file name>.lockdata7
<file name>.locker16
<file name>.lockfiles
<file name>.lockfilesCO
<file name>.lockfilesKR
<file name>.lockfilesUS
<file name>.lr
<file name>.marlock01
<file name>.marlock02
<file name>.marlock6
<file name>.marlock08
<file name>.marlock011
<file name>.marlock11
<file name>.marlock13
<file name>.marlock25
<file name>.matlock20
<file name>.mylock
<file name>.networkmaze
<file name>.newlock
<file name>.newware
<file name>.nexe
<file name>.nlocker
<file name>.nt_lock20
<file name>.perfection
<file name>.readtheinstructions
<file name>.rs
<file name>.skynet
<file name>.stopflies
<file name>.support
<file name>.tyco
<file name>.READINSTRUCTIONS
<file name>.uslockhh
<file name>.zoomzoom
Ransom Note Name(15)
! _HOW_RECOVERY_FILES _!. HTML
!!!HOW_TO_DECRYPT!!!
HOW_TO_BACK_FILES.html
HOW_TO_OPEN_FILES.html
HOW_TO_RECOVER_DATA.html
How_to_recovery.txt
READINSTRUCTION.html
Recovery_Instructions.html
how_to_ recover_data.html
how_to_recover_data.html.marlock01
instructions.html
readinstructions.html
readme_to_recover_files
recovery_instruction.html
recovery_instructions.html
Ransom Note Image
Samples (SHA-256)
6c77cb165c448b2749b7e2afa9ac67640a9d8e0d96cc821c08adcea07759090b
af768da08a34ddf503522186a22e65e623491e48754356210cc6798598f85266
Known Victims(36)
Industry Sector | Country | Extortion Date | Amount (USD)
---|---|---|---
Media & Marketing | Australia | |
Hospitality | United Arab Emirates | |
Construction & Architecture | United States | | $15,000
Aerospace & Aviation | Canada | | $50,000
Manufacturing | Italy | | $10,000
Hospitality | Slovakia | | $35,000
Banking & Finance | Philippines | | $70,000
Professional Services | Germany | | $35,000
Legal | United States | | $55,000
Information Technology | United States | | $5,000
Professional Services | United States | | $55,000
Professional Services | United States | | $35,000
Legal | United Kingdom | | $75,000
Professional Services | United States | | $45,000
Hospitality | United States | | $65,000
Education | Netherlands | | $55,000
Insurance | United Arab Emirates | | $155,000
Distribution & Logistics | United States | | $160,000
Manufacturing | United Kingdom | | $160,000
Legal | United States | | $160,000
Information Technology | Ireland | | $120,000
Manufacturing | United States | |
Professional Services | United States | | $80,000
Construction & Architecture | United States | | $80,000
Education | France | | $40,000
Healthcare & Medicine | United States | | $60,000
Aerospace & Aviation | United States | | $160,000
Distribution & Logistics | Hungary | | $50,000
Fashion & Textiles | Switzerland | | $20,000
Professional Services | Germany | | $80,000
Electronics | Belgium | | $80,000
Construction & Architecture | United States | | $35,000
Construction & Architecture | Canada | | $35,000
Real Estate & Housing | United States | | $55,000
Education | United States | | $35,000
Chemical | Netherlands | | $35,000
References & Publications(31)
BleepingComputer: MedusaLocker Ransomware Wants Its Share of Your Money
BleepingComputer Forums: Far Attack/IThelp02 Ransomware
Cybereason: Cybereason vs. MedusaLocker Ransomware
Dashboard Ransomware Monitor: MedusaLocker
f0wL's Dissecting Malwa.re: Try not to stare - MedusaLocker at a glance
Gridinsoft: MedusaLocker Ransomware - What is it?
Hatching Triage: MedusaLocker
MalwareBazaar: MedusaLocker
PCrisk: AKO
PCrisk: FilesEncrypted
PCrisk: Itlock
PCrisk: MedusaLocker
Picus Security: MedusaLocker Ransomware Analysis, Simulation, and Mitigation
Cisco Talos: Threat Spotlight: MedusaLocker
The Crypto-Ransomware Digest: MedusaLocker
The Record from Recorded Future News: Researcher finds Russia-based ransomware network with foothold in U.S.
Trend Micro: Solutions and Protections against Medusa Ransomware
U.S. Department of Health and Human Services: MedusaLocker Ransomware
vx-underground: MedusaLocker Samples