SYMBOLCOMMON_NAMEaka. SYNONYMS
win.medusalocker (Back to overview)

MedusaLocker

aka: AKO Ransomware, AKO Doxware, MedusaReborn
VTCollection    

A Windows ransomware that will run certain tasks to prepare the target system for the encryption of files. MedusaLocker avoids executable files, probably to avoid rendering the targeted system unusable for paying the ransom. It uses a combination of AES and RSA-2048, and reportedly appends extensions such as .encrypted, .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, and .skynet.

References
2023-04-19Bleeping ComputerBill Toulas
March 2023 broke ransomware attack records with 459 incidents
Clop WhiteRabbit BianLian Black Basta BlackCat LockBit MedusaLocker PLAY Royal Ransom
2023-03-15CybleincCyble
Unmasking MedusaLocker Ransomware
MedusaLocker
2023-03-08AhnLabASEC
GlobeImposter Ransomware Being Distributed with MedusaLocker via RDP
GlobeImposter MedusaLocker
2022-09-30CloudsekAnandeshwar Unnikrishnan
Technical Analysis of MedusaLocker Ransomware
MedusaLocker
2022-08-08Medium CSIS TechblogBenoît Ancel
An inside view of domain anonymization as-a-service — the BraZZZerSFF infrastructure
Riltok magecart Anubis Azorult BetaBot Buer CoalaBot CryptBot DiamondFox DreamBot GCleaner ISFB Loki Password Stealer (PWS) MedusaLocker MeguminTrojan Nemty PsiX RedLine Stealer SmokeLoader STOP TinyNuke Vidar Zloader
2022-07-01CISACISA, Department of the Treasury (Treasury), FBI, FINCEN
Alert (AA22-181A): #StopRansomware: MedusaLocker
MedusaLocker
2022-06-30CISACISA, Department of the Treasury (Treasury), FBI, FINCEN
CSA (AA22-181A): #StopRansomware: MedusaLocker
MedusaLocker
2022-01-19MandiantAdrian Sanchez Hernandez, Ervin James Ocampo, Paul Tarter
One Source to Rule Them All: Chasing AVADDON Ransomware
BlackMatter Avaddon BlackMatter MedusaLocker SystemBC ThunderX
2021-05-10DarkTracerDarkTracer
Intelligence Report on Ransomware Gangs on the DarkWeb: List of victim organizations attacked by ransomware gangs released on the DarkWeb
RansomEXX Avaddon Babuk Clop Conti Cuba DarkSide DoppelPaymer Egregor Hades LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker Nefilim Nemty Pay2Key PwndLocker RagnarLocker Ragnarok RansomEXX REvil Sekhmet SunCrypt ThunderX
2021-02-23CrowdStrikeCrowdStrike
2021 Global Threat Report
RansomEXX Amadey Anchor Avaddon BazarBackdoor Clop Cobalt Strike Conti Cutwail DanaBot DarkSide DoppelPaymer Dridex Egregor Emotet Hakbit IcedID JSOutProx KerrDown LockBit Mailto Maze MedusaLocker Mespinoza Mount Locker NedDnLoader Nemty Pay2Key PlugX Pushdo PwndLocker PyXie QakBot Quasar RAT RagnarLocker Ragnarok RansomEXX REvil Ryuk Sekhmet ShadowPad SmokeLoader Snake SUNBURST SunCrypt TEARDROP TrickBot WastedLocker Winnti Zloader Evilnum OUTLAW SPIDER RIDDLE SPIDER SOLAR SPIDER VIKING SPIDER
2020-12-10US-CERTFBI, MS-ISAC, US-CERT
Alert (AA20-345A): Cyber Actors Target K-12 Distance Learning Education to Cause Disruptions and Steal Data
PerlBot Shlayer Agent Tesla Cerber Dridex Ghost RAT Kovter Maze MedusaLocker Nanocore RAT Nefilim REvil Ryuk Zeus
2020-11-19CybereasonAssaf Dahan, Tom Fakterman
Cybereason vs. MedusaLocker Ransomware
MedusaLocker
2020-10-06CrowdStrikeThe Crowdstrike Intel Team
Double Trouble: Ransomware with Data Leak Extortion, Part 2
Maze MedusaLocker REvil VIKING SPIDER
2020-09-25CrowdStrikeThe Crowdstrike Intel Team
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer FriedEx LockBit Maze MedusaLocker RagnarLocker REvil RobinHood SamSam WastedLocker MIMIC SPIDER PIZZO SPIDER TA2101 VIKING SPIDER
2020-09-24CrowdStrikeCrowdStrike Intelligence Team
Double Trouble: Ransomware with Data Leak Extortion, Part 1
DoppelPaymer Gandcrab LockBit Maze MedusaLocker RagnarLocker SamSam OUTLAW SPIDER OVERLORD SPIDER
2020-08-25KELAVictoria Kivilevich
How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing
Avaddon Clop DarkSide DoppelPaymer Mailto Maze MedusaLocker Mespinoza Nefilim RagnarLocker REvil Sekhmet
2020-08-06ThetaHamish Krebs
Part 3: analysing MedusaLocker ransomware
MedusaLocker
2020-08-05ThetaHamish Krebs
Part 2: Analysing MedusaLocker ransomware
MedusaLocker
2020-08-04ThetaHamish Krebs
Part 1: analysing MedusaLocker ransomware
MedusaLocker
2020-06-03VMWare Carbon BlackBrian Baskin
Medusa Locker Ransomware
MedusaLocker
2020-04-28MicrosoftMicrosoft Threat Protection Intelligence Team
Ransomware groups continue to target healthcare, critical services; here’s how to reduce risk
LockBit Mailto Maze MedusaLocker Paradise RagnarLocker REvil RobinHood
2020-04-23Cisco TalosAmit Raut, Edmund Brumaghin
Threat Spotlight: MedusaLocker
MedusaLocker
2020-01-17SecureworksKeita Yamazaki, Tamada Kiyotaka, You Nakatsuru
Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos REvil Ryuk SamSam Scarab Ransomware
2020-01-09ID RansomwareAndrew Ivanov
Ako, MedusaReborn
MedusaLocker
2020-01-09Twitter (@siri_urz)Twitter (@siri_urz)
Tweet on AKO Ransomware
MedusaLocker
2020-01-01BlackberryBlackberry Research
State of Ransomware
Maze MedusaLocker Nefilim Phobos REvil Ryuk STOP
2019-11-05Dissecting MalwareMarius Genheimer
Try not to stare - MedusaLocker at a glance
MedusaLocker
2019-10-15Andrew Ivanov
MedusaLocker Ransomware
MedusaLocker
Yara Rules
[TLP:WHITE] win_medusalocker_auto (20230808 | Detects win.medusalocker.)
rule win_medusalocker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.medusalocker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e8???????? 8945e8 eb07 c745e800000000 8b4de8 894de4 c645fc02 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   eb07                 | jmp                 9
            //   c745e800000000       | mov                 dword ptr [ebp - 0x18], 0
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx
            //   c645fc02             | mov                 byte ptr [ebp - 4], 2

        $sequence_1 = { 8b4dd4 e8???????? 83c048 50 8d55d8 }
            // n = 5, score = 400
            //   8b4dd4               | mov                 ecx, dword ptr [ebp - 0x2c]
            //   e8????????           |                     
            //   83c048               | add                 eax, 0x48
            //   50                   | push                eax
            //   8d55d8               | lea                 edx, [ebp - 0x28]

        $sequence_2 = { e8???????? 33c0 8845bb c745c488020000 6888020000 e8???????? 83c404 }
            // n = 7, score = 400
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax
            //   8845bb               | mov                 byte ptr [ebp - 0x45], al
            //   c745c488020000       | mov                 dword ptr [ebp - 0x3c], 0x288
            //   6888020000           | push                0x288
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_3 = { 83c404 8b08 51 e8???????? 83c410 }
            // n = 5, score = 400
            //   83c404               | add                 esp, 4
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10

        $sequence_4 = { 8845d7 8b4d08 e8???????? 0fb6c8 85c9 0f85f6000000 8b5508 }
            // n = 7, score = 400
            //   8845d7               | mov                 byte ptr [ebp - 0x29], al
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   e8????????           |                     
            //   0fb6c8               | movzx               ecx, al
            //   85c9                 | test                ecx, ecx
            //   0f85f6000000         | jne                 0xfc
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]

        $sequence_5 = { 8d45e8 50 8b4d0c 51 e8???????? 83c404 50 }
            // n = 7, score = 400
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   50                   | push                eax
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   50                   | push                eax

        $sequence_6 = { 33c0 8945e8 668945ec b902000000 6bd100 668b450c }
            // n = 6, score = 400
            //   33c0                 | xor                 eax, eax
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   668945ec             | mov                 word ptr [ebp - 0x14], ax
            //   b902000000           | mov                 ecx, 2
            //   6bd100               | imul                edx, ecx, 0
            //   668b450c             | mov                 ax, word ptr [ebp + 0xc]

        $sequence_7 = { 894508 8b4d08 3b4d0c 7427 8b5508 }
            // n = 5, score = 400
            //   894508               | mov                 dword ptr [ebp + 8], eax
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   3b4d0c               | cmp                 ecx, dword ptr [ebp + 0xc]
            //   7427                 | je                  0x29
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]

        $sequence_8 = { 8965d8 8b45e4 83c00c 50 e8???????? e8???????? 8b4de4 }
            // n = 7, score = 400
            //   8965d8               | mov                 dword ptr [ebp - 0x28], esp
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   83c00c               | add                 eax, 0xc
            //   50                   | push                eax
            //   e8????????           |                     
            //   e8????????           |                     
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]

        $sequence_9 = { 8b55e0 52 6a01 8b4df0 e8???????? c645fc03 8d8d38ffffff }
            // n = 7, score = 400
            //   8b55e0               | mov                 edx, dword ptr [ebp - 0x20]
            //   52                   | push                edx
            //   6a01                 | push                1
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   e8????????           |                     
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3
            //   8d8d38ffffff         | lea                 ecx, [ebp - 0xc8]

    condition:
        7 of them and filesize < 1433600
}
Download all Yara Rules