MedusaLocker (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.medusalocker (Back to overview)

MedusaLocker

aka: AKO Ransomware, AKO Doxware, MedusaReborn

VTCollection

A Windows ransomware that will run certain tasks to prepare the target system for the encryption of files. MedusaLocker avoids executable files, probably to avoid rendering the targeted system unusable for paying the ransom. It uses a combination of AES and RSA-2048, and reportedly appends extensions such as .encrypted, .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, and .skynet.

References

2024-09-18 ⋅ loginsoft ⋅ T B L N Shashank Mannar
Medusa Ransomware: Evolving Tactics in Modern Cyber Extortion
MedusaLocker

2023-11-13 ⋅ Medium shaddy43 ⋅ Shayan Ahmed Khan
Decrypting the Mystery of MedusaLocker
MedusaLocker

2023-04-19 ⋅ Bleeping Computer ⋅ Bill Toulas
March 2023 broke ransomware attack records with 459 incidents
Clop WhiteRabbit BianLian Black Basta BlackCat LockBit MedusaLocker PLAY Royal Ransom

2023-03-15 ⋅ Cybleinc ⋅ Cyble
Unmasking MedusaLocker Ransomware
MedusaLocker

2023-03-08 ⋅ AhnLab ⋅ ASEC
GlobeImposter Ransomware Being Distributed with MedusaLocker via RDP
GlobeImposter MedusaLocker

2022-09-30 ⋅ Cloudsek ⋅ Anandeshwar Unnikrishnan
Technical Analysis of MedusaLocker Ransomware
MedusaLocker

2022-08-08 ⋅ Medium CSIS Techblog ⋅ Benoît Ancel
An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader

2022-07-01 ⋅ CISA ⋅ CISA, Department of the Treasury (Treasury), FBI, FINCEN
Alert (AA22-181A): #StopRansomware: MedusaLocker
MedusaLocker

2022-06-30 ⋅ CISA ⋅ CISA, Department of the Treasury (Treasury), FBI, FINCEN
CSA (AA22-181A): #StopRansomware: MedusaLocker
MedusaLocker

2022-01-19 ⋅ Mandiant ⋅ Adrian Sanchez Hernandez, Ervin James Ocampo, Paul Tarter
One Source to Rule Them All: Chasing AVADDON Ransomware
BlackMatter Avaddon BlackMatter MedusaLocker SystemBC ThunderX

2021-05-10 ⋅ DarkTracer ⋅ DarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX

2021-02-23 ⋅ CrowdStrike ⋅ CrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER

2020-12-10 ⋅ US-CERT ⋅ FBI, MS-ISAC, US-CERT
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus

2020-11-19 ⋅ Cybereason ⋅ Assaf Dahan, Tom Fakterman
Cybereason vs. MedusaLocker Ransomware
MedusaLocker

2020-10-06 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team
Double Trouble: Ransomware with Data Leak Extortion, Part 2
Maze MedusaLocker REvil VIKING SPIDER

2020-09-25 ⋅ CrowdStrike ⋅ The Crowdstrike Intel Team
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER

2020-09-24 ⋅ CrowdStrike ⋅ CrowdStrike Intelligence Team
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER OVERLORD SPIDER

2020-08-25 ⋅ KELA ⋅ Victoria Kivilevich
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet

2020-08-06 ⋅ Theta ⋅ Hamish Krebs
Part 3: analysing MedusaLocker ransomware
MedusaLocker

2020-08-05 ⋅ Theta ⋅ Hamish Krebs
Part 2: Analysing MedusaLocker ransomware
MedusaLocker

2020-08-04 ⋅ Theta ⋅ Hamish Krebs
Part 1: analysing MedusaLocker ransomware
MedusaLocker

2020-06-03 ⋅ VMWare Carbon Black ⋅ Brian Baskin
Medusa Locker Ransomware
MedusaLocker

2020-04-28 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team
Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood

2020-04-23 ⋅ Cisco Talos ⋅ Amit Raut, Edmund Brumaghin
Threat Spotlight: MedusaLocker
MedusaLocker

2020-01-17 ⋅ Secureworks ⋅ Keita Yamazaki, Tamada Kiyotaka, You Nakatsuru
Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos REvil Ryuk SamSam Scarab Ransomware

2020-01-09 ⋅ ID Ransomware ⋅ Andrew Ivanov
Ako, MedusaReborn
MedusaLocker

2020-01-09 ⋅ Twitter (@siri_urz) ⋅ Twitter (@siri_urz)
Tweet on AKO Ransomware
MedusaLocker

2020-01-01 ⋅ Blackberry ⋅ Blackberry Research
State of Ransomware
Maze MedusaLocker Nefilim Phobos REvil Ryuk STOP

2019-11-05 ⋅ Dissecting Malware ⋅ Marius Genheimer
Try not to stare - MedusaLocker at a glance
MedusaLocker

2019-10-15 ⋅ Andrew Ivanov
MedusaLocker Ransomware
MedusaLocker

Yara Rules

[TLP:WHITE] win_medusalocker_auto (20241030 | Detects win.medusalocker.)

rule win_medusalocker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.medusalocker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b5004 52 8b00 50 8d4dd8 e8???????? 68???????? }
            // n = 7, score = 400
            //   8b5004               | mov                 edx, dword ptr [eax + 4]
            //   52                   | push                edx
            //   8b00                 | mov                 eax, dword ptr [eax]
            //   50                   | push                eax
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   e8????????           |                     
            //   68????????           |                     

        $sequence_1 = { 8b4d0c e8???????? 0fb6c0 85c0 7549 6aff 68???????? }
            // n = 7, score = 400
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   e8????????           |                     
            //   0fb6c0               | movzx               eax, al
            //   85c0                 | test                eax, eax
            //   7549                 | jne                 0x4b
            //   6aff                 | push                -1
            //   68????????           |                     

        $sequence_2 = { 8955ac 8955b0 8955b4 8d45a8 50 8d4db8 51 }
            // n = 7, score = 400
            //   8955ac               | mov                 dword ptr [ebp - 0x54], edx
            //   8955b0               | mov                 dword ptr [ebp - 0x50], edx
            //   8955b4               | mov                 dword ptr [ebp - 0x4c], edx
            //   8d45a8               | lea                 eax, [ebp - 0x58]
            //   50                   | push                eax
            //   8d4db8               | lea                 ecx, [ebp - 0x48]
            //   51                   | push                ecx

        $sequence_3 = { 8d4dd8 e8???????? 0fb708 83f95c }
            // n = 4, score = 400
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   e8????????           |                     
            //   0fb708               | movzx               ecx, word ptr [eax]
            //   83f95c               | cmp                 ecx, 0x5c

        $sequence_4 = { e8???????? 83c408 8945e0 8b55e0 8955dc }
            // n = 5, score = 400
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8b55e0               | mov                 edx, dword ptr [ebp - 0x20]
            //   8955dc               | mov                 dword ptr [ebp - 0x24], edx

        $sequence_5 = { 64a300000000 894df0 8b4df0 e8???????? c6400800 8b4df0 }
            // n = 6, score = 400
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   e8????????           |                     
            //   c6400800             | mov                 byte ptr [eax + 8], 0
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]

        $sequence_6 = { 8b4de8 83c150 e8???????? 8b4de8 e8???????? 8b4df4 64890d00000000 }
            // n = 7, score = 400
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   83c150               | add                 ecx, 0x50
            //   e8????????           |                     
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   e8????????           |                     
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx

        $sequence_7 = { e8???????? 8b4d08 83c148 51 }
            // n = 4, score = 400
            //   e8????????           |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   83c148               | add                 ecx, 0x48
            //   51                   | push                ecx

        $sequence_8 = { 83ec08 8bcc 8965e0 8d4508 50 e8???????? 8b4de4 }
            // n = 7, score = 400
            //   83ec08               | sub                 esp, 8
            //   8bcc                 | mov                 ecx, esp
            //   8965e0               | mov                 dword ptr [ebp - 0x20], esp
            //   8d4508               | lea                 eax, [ebp + 8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]

        $sequence_9 = { 8945ec eb07 c745ec00000000 8b55ec 8955e8 c745fcffffffff 8b4de8 }
            // n = 7, score = 400
            //   8945ec               | mov                 dword ptr [ebp - 0x14], eax
            //   eb07                 | jmp                 9
            //   c745ec00000000       | mov                 dword ptr [ebp - 0x14], 0
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   8955e8               | mov                 dword ptr [ebp - 0x18], edx
            //   c745fcffffffff       | mov                 dword ptr [ebp - 4], 0xffffffff
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]

    condition:
        7 of them and filesize < 1433600
}

Download all Yara Rules

MedusaLocker Propose Change

References

Yara Rules

MedusaLocker