Home News MedusaLocker Ransomware Decoded

MedusaLocker Ransomware Decoded

ransomware, ryuk ransomware, cox media

MedusaLocker Ransomware is the latest addition to the long list of ransomwares that came up in the year 2019. Researchers are still puzzled about its channel of distribution, but reports suggest that users around the globe are getting infected rapidly by this newbie.

An independent research led by Malware Hunter Team stated the various steps that MedusaLocker Ransomware follows to prep the user’s system for encryption.

  • It first creates a Registry value ‘EnableLinkedConnections’ under a certain path and sets it to ‘1’ to access mapped drives in UAC launched processes.
  • It then restarts the LanmanWorkstation service to ensure that Windows networking is running and further verifies that mapped network drives are accessible to the ransomware.
  • Multiple processes including DefWatch, sqlservr, wrapper, and others, are terminated to shut down security programs ensuring all data files are accessible for encryption.
  • Like most ransomwares, it then clears Shadow Volume Copies of files in the final step. Clearing Shadow Volume Copies ensures that all backups are rendered ineffective and backup files cannot be restored.
  • It then scans files ignoring those with certain extensions (such as .exe, .dll, .sys, .ini, .lnk .rdp) and/or certain files present in specific folders. All other files get encrypted.

It is also found that the files are getting encrypted using AES encryption. Encrypted files have file extensions such as, “.encrypted, .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, .skynet”. MedusaLocker also creates a scheduled task on the victim’s computer. This means it will auto-run after every 30 mins, scan for new files and encrypt these new files.

Ironically, for user convenience, MedusaLocker creates a ransom note named as HOW_TO_RECOVER_DATA.html or Readme.html. The note says, “Your files are encrypted and currently unavailable. You can check it: all files on your computer has a new expansion. By the way, everything is possible to recover (restore), but you need to buy a unique decryptor. Otherwise, you can’t return your data.” It further talks about trust and guarantee, “It’s just a business. If we do not do our work and liabilities – nobody will cooperate with us.”

Ransomware cripples the victim and makes him feel handicapped. In a recent story, a victim of the Muhstik Ransomware attack had his sweet revenge by hacking the hacker back. He even released 3,000 decryption keys along with a decryptor tool so that other affected victims of the ransomware attack would get their files back. Fingers crossed; we hope someone does the same with MedusaLocker Ransomware.