MedusaLocker is a ransomware family that has been observed being deployed since its discovery in 2019. Since its introduction to the threat landscape, there have been several variants observed. However, most of the functionality remains consistent. The most notable differences are changes to the file extension used for encrypted files and the look and feel of the ransom note that is left on systems following the encryption process.

While most of MedusaLocker’s functionality is consistent with other modern ransomware families, there are features that set MedusaLocker apart from many of the other ransomware families commonly observed.

  • MedusaLocker can encrypt the contents of mapped network drives that may be present on infected systems.
  • It manipulates Windows functionality to force network drives to be remapped so that their contents can also be encrypted.
  • The malware uses ICMP sweeping to profile the network to identify other systems that can be used to maximize the likelihood of a ransom payment.

MedusaLocker can also perform ICMP sweeping to identify other systems on the same network. If the malware is able to locate them, MedusaLocker then attempts to leverage the SMB protocol to discover accessible network locations and if files are discovered in those locations, they are also encrypted and ransomed in the same manner as other locally stored data.


MedusaLocker features characteristics typical of ransomware that is commonly seen across the threat landscape. Upon execution, it copies itself to the %APPDATA%\Roaming\ directory.

To achieve persistence, the malware creates scheduled tasks within Windows to execute the PE32 that was previously stored in %APPDATA%\Roaming.

Interestingly, the scheduled task is also configured to be executed every 15 minutes after the initial infection process, likely as a way to continue to maintain the ability to impact files and other data after the initial run of the ransomware.

As previously mentioned, the malware is configured to iterate through disk partitions that may be present and accessible on the infected system and encrypting the contents.

Files that are encrypted have a new file extension appended to them. As there are several variants currently being observed across the threat landscape this file extension varies. In the case of the sample analyzed that file extension was “.encrypted.”

Additionally, in each directory in which the malware discovers data to be encrypted, a ransom note is saved titled “HOW_TO_RECOVER_DATA.” This ransom note functions similarly to the ransom notes we’ve grown accustomed to seeing — it provides victims with instructions for contacting the threat actor to facilitate payment of their ransom demands.

The ransom notes vary across samples and feature slightly different HTML styling.

In order to minimize the ability for victims to easily recover from MedusaLocker, the “vssadmin” utility built into the Windows operating system is used to delete shadow copies, a technique very commonly used by different ransomware families.

As previously mentioned, the malware also attempts to perform network-based discovery to identify accessible locations in which additional files can be encrypted using ICMP.

If additional hosts are discovered, the malware uses SMB to enumerate shared data storage locations that the infected system may be able to connect to.

Additionally, the malware makes use of the Windows registry in an attempt to force an infected system to reconnect to shared network drives to facilitate the encryption of additional data.

One of the binaries analyzed also contained the following debug artifacts.

Given the network awareness present within MedusaLocker, the amount of damage that a single infected system could do inside of a corporate environment is high.

One interesting characteristic present across MedusaLocker samples is a static list of mutexes that the malware uses. The following hardcoded mutex values were identified during our analysis of a large number of MedusaLocker samples.


Organizations may consider leveraging mutex blacklisting as an additional way to protect systems against MedusaLocker infections as this would effectively block the execution of any applications attempting to use these hardcoded values and prevent successful infection from taking place.


To defend against MedusaLocker, it is important to ensure a well-organized, multi-layered cybersecurity program is in place within your organization.

  • Email and spam filters are critical in the case of MedusaLocker as email is one of the malware distribution vectors commonly abused by attackers.
  • Perform regular updates and system hardening as MedusaLocker attempts to encrypt the contents of SMB shares as well as local storage devices.
  • Give employees regular phishing training and conduct regular awareness programs.
  • Employ strong password policies and use multi-factor authentication, such


Organizations should be prepared to defend against this and other ransomware attacks. The emergence of “big game hunting” has proven that simply having backup and recovery strategies is not enough. Organizations should also leverage a robust defense-in-depth strategy to protect their environments from malware such as MedusaLocker. Ransomware developers continue to add functionality that enables them to maximize the damage they can inflict upon corporate networks in an effort to increase the likelihood of receiving a ransom payment from victims. This trend is likely to continue, and organizations should have response and recovery plans in place to ensure that they can resume normal operations following destructive attacks such as this.

Email Security can block malicious emails sent by threat actors as part of their campaign.

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. The following SIDs have been released to detect this threat: 53662-53665.