SYMBOLCOMMON_NAMEaka. SYNONYMS
win.medusalocker (Back to overview)

MedusaLocker

aka: AKO Ransomware, AKO Doxware, MedusaReborn

A Windows ransomware that will run certain tasks to prepare the target system for the encryption of files. MedusaLocker avoids executable files, probably to avoid rendering the targeted system unusable for paying the ransom. It uses a combination of AES and RSA-2048, and reportedly appends extensions such as .encrypted, .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, and .skynet.

References
2022-09-30CloudsekAnandeshwar Unnikrishnan
@online{unnikrishnan:20220930:technical:a372efd, author = {Anandeshwar Unnikrishnan}, title = {{Technical Analysis of MedusaLocker Ransomware}}, date = {2022-09-30}, organization = {Cloudsek}, url = {https://cloudsek.com/technical-analysis-of-medusalocker-ransomware/}, language = {English}, urldate = {2022-10-24} } Technical Analysis of MedusaLocker Ransomware
MedusaLocker
2022-08-08Medium CSIS TechblogBenoît Ancel
@online{ancel:20220808:inside:67ef9a0, author = {Benoît Ancel}, title = {{An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure}}, date = {2022-08-08}, organization = {Medium CSIS Techblog}, url = {https://medium.com/csis-techblog/inside-view-of-brazzzersff-infrastructure-89b9188fd145}, language = {English}, urldate = {2022-08-28} } An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2022-07-01CISACISA, FBI, Department of the Treasury (Treasury), FINCEN
@online{cisa:20220701:alert:12e80c1, author = {CISA and FBI and Department of the Treasury (Treasury) and FINCEN}, title = {{Alert (AA22-181A): #StopRansomware: MedusaLocker}}, date = {2022-07-01}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-181a}, language = {English}, urldate = {2022-07-05} } Alert (AA22-181A): #StopRansomware: MedusaLocker
MedusaLocker
2022-06-30CISACISA, FBI, Department of the Treasury (Treasury), FINCEN
@techreport{cisa:20220630:csa:59d0928, author = {CISA and FBI and Department of the Treasury (Treasury) and FINCEN}, title = {{CSA (AA22-181A): #StopRansomware: MedusaLocker}}, date = {2022-06-30}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-181A_stopransomware_medusalocker.pdf}, language = {English}, urldate = {2022-07-05} } CSA (AA22-181A): #StopRansomware: MedusaLocker
MedusaLocker
2022-01-19MandiantAdrian Sanchez Hernandez, Paul Tarter, Ervin James Ocampo
@online{hernandez:20220119:one:b4b3bf7, author = {Adrian Sanchez Hernandez and Paul Tarter and Ervin James Ocampo}, title = {{One Source to Rule Them All: Chasing AVADDON Ransomware}}, date = {2022-01-19}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/chasing-avaddon-ransomware}, language = {English}, urldate = {2022-01-24} } One Source to Rule Them All: Chasing AVADDON Ransomware
BlackMatter Avaddon BlackMatter MedusaLocker SystemBC ThunderX
2021-05-10DarkTracerDarkTracer
@online{darktracer:20210510:intelligence:b9d1c3f, author = {DarkTracer}, title = {{Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb}}, date = {2021-05-10}, organization = {DarkTracer}, url = {https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3}, language = {English}, urldate = {2021-05-13} } Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-02-23CrowdStrikeCrowdStrike
@techreport{crowdstrike:20210223:2021:bf5bc4f, author = {CrowdStrike}, title = {{2021 Global Threat Report}}, date = {2021-02-23}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf}, language = {English}, urldate = {2021-02-25} } 2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader KNOCKOUT SPIDER OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2020-12-10US-CERTUS-CERT, FBI, MS-ISAC
@online{uscert:20201210:alert:a5ec77e, author = {US-CERT and FBI and MS-ISAC}, title = {{Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data}}, date = {2020-12-10}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-345a}, language = {English}, urldate = {2020-12-11} } Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus
2020-11-19CybereasonTom Fakterman, Assaf Dahan
@online{fakterman:20201119:cybereason:da3ab54, author = {Tom Fakterman and Assaf Dahan}, title = {{Cybereason vs. MedusaLocker Ransomware}}, date = {2020-11-19}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/medusalocker-ransomware}, language = {English}, urldate = {2020-11-23} } Cybereason vs. MedusaLocker Ransomware
MedusaLocker
2020-10-06CrowdStrikeThe Crowdstrike Intel Team
@online{team:20201006:double:bb0f240, author = {The Crowdstrike Intel Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 2}}, date = {2020-10-06}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/}, language = {English}, urldate = {2020-10-12} } Double Trouble: Ransomware with Data Leak Extortion, Part 2
Maze MedusaLocker REvil VIKING SPIDER
2020-09-25CrowdStrikeThe Crowdstrike Intel Team
@online{team:20200925:double:fe3b093, author = {The Crowdstrike Intel Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-25}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/}, language = {English}, urldate = {2020-10-02} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER
2020-09-24CrowdStrikeCrowdStrike Intelligence Team
@online{team:20200924:double:3b3ade6, author = {CrowdStrike Intelligence Team}, title = {{Double Trouble: Ransomware with Data Leak Extortion, Part 1}}, date = {2020-09-24}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1}, language = {English}, urldate = {2021-05-31} } Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER OVERLORD SPIDER
2020-08-25KELAVictoria Kivilevich
@online{kivilevich:20200825:how:5db6a82, author = {Victoria Kivilevich}, title = {{How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing}}, date = {2020-08-25}, organization = {KELA}, url = {https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/}, language = {English}, urldate = {2021-05-07} } How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-08-06ThetaHamish Krebs
@online{krebs:20200806:part:c8d7eeb, author = {Hamish Krebs}, title = {{Part 3: analysing MedusaLocker ransomware}}, date = {2020-08-06}, organization = {Theta}, url = {https://www.theta.co.nz/news-blogs/cyber-security-blog/part-3-analysing-medusalocker-ransomware/}, language = {English}, urldate = {2022-04-29} } Part 3: analysing MedusaLocker ransomware
MedusaLocker
2020-08-05ThetaHamish Krebs
@online{krebs:20200805:part:c2763da, author = {Hamish Krebs}, title = {{Part 2: Analysing MedusaLocker ransomware}}, date = {2020-08-05}, organization = {Theta}, url = {https://www.theta.co.nz/news-blogs/cyber-security-blog/part-2-analysing-medusalocker-ransomware/}, language = {English}, urldate = {2022-04-29} } Part 2: Analysing MedusaLocker ransomware
MedusaLocker
2020-08-04ThetaHamish Krebs
@online{krebs:20200804:part:4857631, author = {Hamish Krebs}, title = {{Part 1: analysing MedusaLocker ransomware}}, date = {2020-08-04}, organization = {Theta}, url = {https://www.theta.co.nz/news-blogs/cyber-security-blog/part-1-analysing-medusalocker-ransomware/}, language = {English}, urldate = {2022-04-29} } Part 1: analysing MedusaLocker ransomware
MedusaLocker
2020-06-03VMWare Carbon BlackBrian Baskin
@online{baskin:20200603:medusa:8d92754, author = {Brian Baskin}, title = {{Medusa Locker Ransomware}}, date = {2020-06-03}, organization = {VMWare Carbon Black}, url = {https://www.carbonblack.com/2020/06/03/tau-threat-analyis-medusa-locker-ransomware/}, language = {English}, urldate = {2020-06-04} } Medusa Locker Ransomware
MedusaLocker
2020-04-28MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200428:ransomware:3205f3a, author = {Microsoft Threat Protection Intelligence Team}, title = {{Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk}}, date = {2020-04-28}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/}, language = {English}, urldate = {2020-05-05} } Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood
2020-04-23Cisco TalosEdmund Brumaghin, Amit Raut
@online{brumaghin:20200423:threat:4f7f840, author = {Edmund Brumaghin and Amit Raut}, title = {{Threat Spotlight: MedusaLocker}}, date = {2020-04-23}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2020/04/medusalocker.html}, language = {English}, urldate = {2020-04-26} } Threat Spotlight: MedusaLocker
MedusaLocker
2020-01-17SecureworksTamada Kiyotaka, Keita Yamazaki, You Nakatsuru
@techreport{kiyotaka:20200117:is:969ff38, author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru}, title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}}, date = {2020-01-17}, institution = {Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf}, language = {English}, urldate = {2020-04-06} } Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos REvil Ryuk SamSam Scarab Ransomware
2020-01-09ID RansomwareAndrew Ivanov
@online{ivanov:20200109:ako:79016d7, author = {Andrew Ivanov}, title = {{Ako, MedusaReborn}}, date = {2020-01-09}, organization = {ID Ransomware}, url = {https://id-ransomware.blogspot.com/2020/01/ako-ransomware.html}, language = {English}, urldate = {2020-05-18} } Ako, MedusaReborn
MedusaLocker
2020-01-09Twitter (@siri_urz)Twitter (@siri_urz)
@online{siriurz:20200109:ako:da2a708, author = {Twitter (@siri_urz)}, title = {{Tweet on AKO Ransomware}}, date = {2020-01-09}, organization = {Twitter (@siri_urz)}, url = {https://twitter.com/siri_urz/status/1215194488714346496?s=20}, language = {English}, urldate = {2020-05-18} } Tweet on AKO Ransomware
MedusaLocker
2020BlackberryBlackberry Research
@techreport{research:2020:state:e5941af, author = {Blackberry Research}, title = {{State of Ransomware}}, date = {2020}, institution = {Blackberry}, url = {https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf}, language = {English}, urldate = {2021-01-01} } State of Ransomware
Maze MedusaLocker Nefilim Phobos REvil Ryuk STOP
2019-11-05Dissecting MalwareMarius Genheimer
@online{genheimer:20191105:try:3aafee6, author = {Marius Genheimer}, title = {{Try not to stare - MedusaLocker at a glance}}, date = {2019-11-05}, organization = {Dissecting Malware}, url = {https://dissectingmalwa.re/try-not-to-stare-medusalocker-at-a-glance.html}, language = {English}, urldate = {2020-03-27} } Try not to stare - MedusaLocker at a glance
MedusaLocker
2019-10-15Andrew Ivanov
@online{ivanov:20191015:medusalocker:132bb68, author = {Andrew Ivanov}, title = {{MedusaLocker Ransomware}}, date = {2019-10-15}, url = {http://id-ransomware.blogspot.com/2019/10/medusalocker-ransomware.html}, language = {English}, urldate = {2020-01-07} } MedusaLocker Ransomware
MedusaLocker
Yara Rules
[TLP:WHITE] win_medusalocker_auto (20230125 | Detects win.medusalocker.)
rule win_medusalocker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.medusalocker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 894db8 8b4db8 e8???????? c745fc00000000 8d4dd8 e8???????? }
            // n = 6, score = 400
            //   894db8               | mov                 dword ptr [ebp - 0x48], ecx
            //   8b4db8               | mov                 ecx, dword ptr [ebp - 0x48]
            //   e8????????           |                     
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   e8????????           |                     

        $sequence_1 = { 50 8b4df0 81c1a8000000 e8???????? c645fc01 8d4dd4 e8???????? }
            // n = 7, score = 400
            //   50                   | push                eax
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   81c1a8000000         | add                 ecx, 0xa8
            //   e8????????           |                     
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   e8????????           |                     

        $sequence_2 = { 50 8d4de8 e8???????? 8bc8 e8???????? eb11 6a01 }
            // n = 7, score = 400
            //   50                   | push                eax
            //   8d4de8               | lea                 ecx, [ebp - 0x18]
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   eb11                 | jmp                 0x13
            //   6a01                 | push                1

        $sequence_3 = { 8d559c 52 8d4dd8 e8???????? 8bc8 }
            // n = 5, score = 400
            //   8d559c               | lea                 edx, [ebp - 0x64]
            //   52                   | push                edx
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax

        $sequence_4 = { 8b45fc 83787800 7418 8b4dfc 51 }
            // n = 5, score = 400
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   83787800             | cmp                 dword ptr [eax + 0x78], 0
            //   7418                 | je                  0x1a
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   51                   | push                ecx

        $sequence_5 = { 83c404 50 8b5508 52 e8???????? 83c404 8bc8 }
            // n = 7, score = 400
            //   83c404               | add                 esp, 4
            //   50                   | push                eax
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8bc8                 | mov                 ecx, eax

        $sequence_6 = { eb20 8b5508 8b0a e8???????? 8b45fc 8b4d08 }
            // n = 6, score = 400
            //   eb20                 | jmp                 0x22
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b0a                 | mov                 ecx, dword ptr [edx]
            //   e8????????           |                     
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

        $sequence_7 = { 8d4508 50 e8???????? 8b4de4 e8???????? c645fc00 8d4de8 }
            // n = 7, score = 400
            //   8d4508               | lea                 eax, [ebp + 8]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   e8????????           |                     
            //   c645fc00             | mov                 byte ptr [ebp - 4], 0
            //   8d4de8               | lea                 ecx, [ebp - 0x18]

        $sequence_8 = { 894df0 6a01 8b4df0 81c1c8000000 e8???????? 8b4d08 83c108 }
            // n = 7, score = 400
            //   894df0               | mov                 dword ptr [ebp - 0x10], ecx
            //   6a01                 | push                1
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   81c1c8000000         | add                 ecx, 0xc8
            //   e8????????           |                     
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   83c108               | add                 ecx, 8

        $sequence_9 = { e8???????? 8d55d8 899550ffffff 8b8d50ffffff e8???????? 898560ffffff 8b8d50ffffff }
            // n = 7, score = 400
            //   e8????????           |                     
            //   8d55d8               | lea                 edx, [ebp - 0x28]
            //   899550ffffff         | mov                 dword ptr [ebp - 0xb0], edx
            //   8b8d50ffffff         | mov                 ecx, dword ptr [ebp - 0xb0]
            //   e8????????           |                     
            //   898560ffffff         | mov                 dword ptr [ebp - 0xa0], eax
            //   8b8d50ffffff         | mov                 ecx, dword ptr [ebp - 0xb0]

    condition:
        7 of them and filesize < 1433600
}
Download all Yara Rules