Unmasking MedusaLocker Ransomware

Alarming increase in MedusaLocker Ransomware Victims

MedusaLocker ransomware has been active since September 2019. MedusaLocker actors typically gain access to victims’ networks by exploiting vulnerabilities in Remote Desktop Protocol (RDP).

Once Threat Actors (TAs) gain access to the network, they encrypt the victim’s data and leave a ransom note with instructions on how victims can communicate with the TAs in every folder while encrypting files. The ransom note tells victims to make a ransom payment to TA’s crypto wallet address.

MedusaLocker appears to work on Ransomware-as-a-Service (RaaS) model, which allows cybercriminals to rent the ransomware and its services from the developer. In the RaaS model, ransomware operators develop the ransomware and a Command and Control panel which is then used by the affiliates to launch ransomware attacks on the targets selected by their affiliates. After a successful operation, the ransomware operators and affiliates divide the ransom extorted from victims.

Figure 1 illustrates the countries that have been targeted by the ransomware group since January 2023, with a total of 24 victims worldwide.

Figure 1 – Map Showing Targets of MedusaLocker

MedusaLocker ransomware gang is known to target Hospital and Healthcare industries, but additionally, the gang also targets industries such as Education and Government organizations.

The figure below shows the industries targeted by the MedusaLocker Ransomware.

Figure 2 – Industries Targeted by MedusaLocker

The United States of America is the biggest target for all ransomware groups; MedusaLocker also follows this trend, where the largest numbers of the victims are from the United States of America.

However, victims of MedusaLocker ransomware are scattered across all continents, excluding Antarctica. The figure below shows the countries of the affected targets.

Figure 3 – Countries Targeted by MedusaLocker

Technical Details

According to CISA, the MedusaLocker ransomware group gains initial access to the victim’s device through vulnerable Remote Desktop Protocol (RDP) configurations. The TAs also use phishing and spear phishing emails in their campaigns to target possible victims.

The malware sample we have identified is a 32-bit Graphical User Interface (GUI) based executable compiled with Microsoft Visual C/C++, with a SHA 256 hash of “1658a064cb5a5681eee7ea82f92a2b7a14f70268dda3fc7aad8a610434711a8f” (shown in the figure below).

We will be performing an analysis of this ransomware executable to gain insights into its operations.

Figure 4 – MedusaLocker File Details

Mutex Creation:

Upon execution, the MedusaLocker creates a mutex, or mutual exclusion object, as a locking mechanism to prevent two threads from writing to shared memory simultaneously and to avoid reinfection of the victim.

The name of the mutex is “8761ABBD-7F85-42EE-B272-A76179687C63”. It is hardcoded into the binary, as shown in the figure below.

Figure 5 – MedusaLocker Creating Mutex

Checking for Administrative Privileges:

After acquiring the mutex, the ransomware checks for the privilege of its running process. MedusaLocker requires administrative privileges in order to carry out its malicious operations without any restrictions. To determine the current privileges, the ransomware checks its own memory for a process token.

To do this, it obtains the current process and then extracts the token information from the process memory using the GetTokenInformation() function. The code for checking the process’s privileges is shown in the figure below.

Figure 6 – MedusaLocker Checking for Admin Privileges

Privilege Escalation:

The ransomware checks whether the process is currently running with administrative privileges. If the process is not running with admin privileges, the ransomware employs a User Account Control (UAC) bypass technique to restart itself with elevated privileges.

This technique uses the Microsoft Connection Manager Profile Installer (CMSTP.exe), a command-line program to install Connection Manager service profiles. CMSTP is used to execute malicious code by routing it through a proxy server.

An illustration of this technique is shown in the figure below.

Figure 7 – MedusaLocker Performing Privilege Escalation

Disabling UAC Prompt:

The ransomware then attempts to disable the UAC prompt so that the system will not prompt for authentication. To do this, it modifies the “EnableLUA” registry value located at SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System to “0”. This stops UAC prompts if the process requires higher privileges to execute.

If the registry modification fails, the ransomware changes the “ConsentPromptBehaviorAdmin” registry value to “0”, allowing it to perform operations that require elevation without consent or credentials.

The code to disable the UAC prompt is shown in the figure below.

Figure 8 – MedusaLocker Disabling UAC Prompt

Marking the Infected System:

After disabling the UAC prompt, MedusaLocker marks the infected system with the registry key. MedusaLocker creates a value “Self” in the registry key HKEY_CURRENT_USER\SOFTWARE\MDSLK\ and sets the data as “svchost.exe” to the registry value, indicating that the system has already been infected by the MedusaLocker ransomware.

The figure below shows the registry entry.

Figure 9 – MedusaLocker creating registry marker

Cryptor Initialization:

The ransomware now initializes Cryptor, which performs AES-256 encryption on the victim’s files at a later stage. MedusaLocker ransomware contains an embedded public key which is encoded with Base64 and used to initialize the Cryptor.

The figure below shows the Base64 string.

Figure 10 – MedusaLocker Initializing Encryption


Now, the ransomware achieves persistence on the victim’s system by dropping itself into the “AppData” folder as “svhost.exe”. The figure below shows the ransomware code to drop itself in the AppData Folder.

Figure 11 – MedusaLocker dropping itself in AppData Folder

Additionally, the MedusaLocker Ransomware creates a Schedule Task entry in the system and launches itself every 15 minutes for an indefinite period.

The figure below shows the Schedule Task entry of the MedusaLocker Ransomware.

Figure 12 – MedusaLocker Creating Scheduled Task Entry

System Volume Enumeration:

After persistence, the ransomware enumerates all the logical drives in the system for further operations. The figure below shows the malware’s routine for Enumerating Volumes in the system using the FindNextVolumeW() API.

Figure 13 – MedusaLocker Enumerating the Volume Drives

Stopping Services:

To avoid detection and ensure efficient encryption on the victim’s machine, the MedusaLocker Ransomware also terminates various running services, including antivirus, database, and other utility services. This is done through a hardcoded list of services checked by the ransomware using the QueryServiceStatusEx() function. If any of the hardcoded services are found running, they are stopped using CloseServiceHandle().

The figure below shows the routine for stopping services.

Figure 14 – MedusaLocker Stopping Services

The following table shows the targeted services


Process Termination:

After killing the predefined services, the ransomware enumerates the running processes using the CreateToolhelp32Snapshot() function and then terminates the relevant process using the TerminateProcess() function.

This is done by checking a hardcoded list of processes identified as being related to antivirus, databases, and other utility programs. After the processes have been identified, the ransomware will terminate them to prevent any interference with the encryption process.

The figure below shows the routine used to terminate the relevant processes.

Figure 15 – MedusaLocker Terminating Processes

The processes targeted by the MedusaLocker ransomware are as follows:


Disabling Data Recovery:

The Ransomware now utilizes inbuilt tools to delete the backups from the victim’s system. It runs the command prompt and executes commands that remove the shadow copies and system backups, making it impossible to recover the data from the infected system. As a result, the victim is compelled to pay the ransom in order to regain access to their data.

The figure below shows the commands executed by the MedusaLocker.

Figure 16 – MedusaLocker Removing the Backup from the victim’s system

Additionally, the ransomware executes the SHEmptyRecycleBinW() API to clear the Recycle Bin, effectively obstructing the victim’s ability to restore any deleted files. The code for this is shown in the figure below.

Figure 17 – MedusaLocker Emptying the Recycle Bin

Excluding Folders from Encryption:

After impairing data recovery, the ransomware creates a list of folders to exclude from encryption. This ensures that the important executables and temporary files used for normal operations are not encrypted while data files are still encrypted.

The figure below shows the code for the excluded file paths.

Figure 18 – MedusaLocker Excluding Important Folders

Data Encryption:

The ransomware now begins encrypting the files in the victim’s machine. The data is encrypted using the AES 256 encryption algorithm, with the encryption key further encrypted by the RSA public key embedded in the ransomware. Without the private key, it is impossible to decrypt the AES key.

The figure below shows the code to encrypt the files.

Figure 19 – MedusaLocker’s Encryption Routine

When encrypting each file, the ransomware leaves a ransom note in the folder and adds the extension ‘itlock4’. It also excludes multiple file extensions such as .exe, .dll, .sys, .ini, .rdp, etc. files from encryption.

The figure below shows the encrypted files and ransom note.

Figure 20 – MedusaLocker Ransom note and Encrypted Files

In the end, MedusaLocker Ransomware presents the ransom note to its victims. The ransom note includes a personal ID for the victim’s identification and a Tor contact page to facilitate negotiations and decrypt sample files.

The figure below shows the ransom note of MedusaLocker.

Figure 21 – Ransom note Dropped by the MedusaLocker Ransomware

Network Activities:

The MedusaLocker checks the active network adaptor and uses Internet Control Message Protocol (ICMP) to scan for all connected systems.

The figure below depicts the ransomware using ICMP to scan for connected systems.

Figure 22 – MedusaLocker Enumerating the Network using ICMP Protocol

After enumeration, the ransomware scans for SMB shares connected to the system. It creates a list of SMB shares, excluding any hidden shares indicated by a name starting with “$”.

The code for this scanning process is shown in the figure below.

Figure 23 – MedusaLocker enumerating the SMB Shares

Eventually, the ransomware propagates to all shared resources and proceeds to infect other connected systems within the network.


MedusaLocker ransomware is a highly sophisticated form of malicious software that can potentially cause severe data losses and financial losses for its victims. This advanced ransomware is difficult to detect and stop, and its encryption algorithms are extremely difficult to break.

There have been numerous attacks in a short period of time, targeting all kinds of industries and geographic locations. More attacks from the MedusaLocker Ransomware are expected to occur in the future.

Our Recommendations

The following essential cybersecurity best practices create the first line of control against attackers. We recommend that our readers follow the best practices as given below:

  • Frequent Audits, Vulnerability Assessments, and Penetration Testing of organizational assets, including network and software.
  • Monitor incoming emails from suspicious and potentially malicious domains.
  • Back-up data on different locations and implement  Business Continuity Planning (BCP). Keeping the Backup Servers isolated from the infrastructure helps fast data recovery.
  • Enforcement of VPN to safeguard endpoints.
  • Conduct frequent training on security awareness for the company’s employees to inform them about emerging threats.
  • Implementation of technology to understand the behavior of the ransomware-malware families and variants to block malicious payloads and counter potential attacks.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1133
External Remote Services
PersistenceT1053.005  Scheduled Task/Job: Scheduled Task
Privilege EscalationT1548.002Abuse Elevation Control Mechanism: Bypass User Account Control
Defense EvasionT1562.001Impair Defenses: Disable or Modify Tools
DiscoveryT1135Network Share Discovery
ImpactT1486Data Encrypted for Impact

Indicators of Compromise (IOCs)

IndicatorsIndicator TypeDescription
MedusaLocker Executable
MedusaLocker Executable
MedusaLocker Executable
MedusaLocker Executable
MedusaLocker Executable
MedusaLocker Executable
MedusaLocker Executable
MedusaLocker Executable
81467ca16e87dfacd9c965f105fb5b30548f1ded e0221e692fa3476cb2d862c1aee07f3e87d83411ef9a534fdf8d20efbaee0394
MedusaLocker Executable
d9390b6c1478970a9e7b8a3fe854a42efdc582f6 79e009e12ba6d60665faf5bdd523d80f0fe6be28694914cf0fa64929b4052e67
MedusaLocker Executable

Recent Blogs


CRIL analyzes an ongoing campaign by SideCopy APT group targeting the Defense Research and Development Organization(DRDO) of the Indian government.

Read More »

Cyble reflects on the identification of a forum administrator and two cybercriminals and how it impacts the wider cybercrime ecosystem.

Read More »

Cyble analyzes the recent Emotet campaign, which utilizes OneNote attachments as a novel approach to infect users.

Read More »
Scroll to Top