Home Articles Understanding the New Medusalocker Ransomware

Understanding the New Medusalocker Ransomware


A new ransomware named MedusaLocker has been infecting victims from all over the world. Read on to know more…

MedusaLocker Ransomware is the latest addition to the long list of ransomwares that came up in the year 2019. A new ransomware named MedusaLocker has been observed by security researchers to be infecting victims from all over the world. Researchers are still puzzled about its channel of distribution, but reports suggest that users around the globe are getting infected rapidly by this newbie. This new ransomware was found by MalwareHunterTeam at the end of September 2019.

Working Mechanism
In order to prepare the infected system for encryption, the Medusalocker ransomware performs several activities. It first creates a Registry value ‘EnableLinkedConnections’ under a certain path and sets it to ‘1’ to access mapped drives in UAC launched processes. Then, it has been observed to restart the LanmanWorkstation service to ensure that Windows networking is running. This also verifies that mapped network drives are accessible by the ransomware.

Processes including DefWatch, wrapper, and tomcat6, among others, are terminated to shut down security programs. This enables all data files to be accessible for encrypting. As the final step, it clears Shadow Volume Copies of files, like most ransomware. This is to make sure that the files cannot be restored. Then, the MedusaLocker scans files and ignores those with certain extensions such as .exe or .rdp. It also ignores files present in certain folders. All other files will be encrypted using AES encryption.

One of these extensions — breakingbad, .locker16, .newlock, .bomber, .nlocker, .skynet, .boroff, .encrypted — will be appended to the encrypted files. The choice of the extension depends on the ransomware variant.

MedusaLocker performs a number of startup routines that prep infected computers for encryption. “It will create the Registry value EnableLinkedConnections under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System registry key and set it to 1. This is done to make sure mapped drives are accessible even in a UAC launched process,” explains BleepingComputer owner Lawrence Abrams in the report. “It will also restart the LanmanWorkstation server in order to make sure that Windows networking is running and that mapped network drives are accessible.”

Following the encryption, the ransomware sleeps for a minute before scanning for additional files to encrypt and creates persistence by setting a scheduled tasks that re-launches the program every half hour.

A ransom note named ‘HOW_TO_RECOVER_DATA.html’ is created. This contains two email addresses to contact for instructions about payment. The ransom note is created in each folder that has an encrypted file.

After Effects
The attackers also attempt to intimidate victims by telling them they will permanently lose their data if they attempt to change their files, or use decryptors, third-party data recovery software or anti-virus solutions. They also urge victims to act quickly, before the attackers’ email addresses are blocked and there is no longer a way to communicate with them.

Currently, the method of distribution for MedusaLocker ransomware is not known. Details such as mode of distribution, ransom value, and if a decryptor is actually provided after payment are also not yet known. This malware is still under analysis, and researchers haven’t yet published a way to decrypt files infected with MedusaLocker.


Please enter your comment!
Please enter your name here

+ 11 = 16