Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Oct 2021

How to remove Medusabtc ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Linas Kiguolis · Expert in social media

Medusabtc ransomware is a file-locking virus that delivers its ransom note in Portuguese

Medusabtc ransomware

Ransomware is a devastating type of malware: it locks all pictures, videos, documents, and various kinds of other most common files and then asks victims to pay money for their return. The surge of ransomware infections has been drastic in the past years, and the number of attacks against home users and corporations is growing every year. Security experts have observed new strains emerging almost daily, while already established ones deliver new versions regularly.

Medusabtc virus comes from the family of Xorist, a ransomware family that was first introduced as early as 2012. Since then, we have seen multiple new variants emerging over time, including Dulgtv, Locks, McafeeZaLtOn, and many others. It is evident that the attackers won't stop any time soon, and users should be aware of that.

Once installed on Windows, the malware uses a strong encryption algorithm such as TEA[1] to lock all personal files. During this process, they are stripped of their default icons and the extension .Medusabtc is appended. Victims then have to face reality and realize that their data is no longer usable. It is important to note that the files are not corrupted but locked behind a complex password generated to each user individually.

Of course, the attackers are unwilling to provide the decryption key for free and ask to pay up using Bitcoin. While it is unclear how much cybercriminals want, malware's previous versions are known to ask for approximately $600, although this can greatly vary from victim to victim. Regardless of this, they won't provide a decryptor for free.

Also, attackers provide contact emails for communication purposes – medusabtc@protonmail.com and btcpaynow@protonmail.com, which are meant to be used in order to negotiate the precise price. This information can be found in a ransom note HOW TO DECRYPT FILES.txt, generated on the dewhenoon as the encryption process is finished. Also, a pop-up message titled “Error” immediately appears on the desktop to grab users' attention.

Both messages are written in Portuguese, which brings to the conclusion that this malware variant is likely to be targeted at users living in countries that use the language. However, since malware can use distribution techniques that could reach random targets, users who can't speak Portuguese might also be affected.

Name Medusabtc virus
Type Ransomware, data locking malware, cryptovirus
Malware family  Xorist
File extension .medusabtc is appended to each of the personal files 
Ransom note HOW TO DECRYPT FILES.txt and “Error” titled pop-up
Contact medusabtc@protonmail.com or btcpaynow@protonmail.com
Ransom demand Not provided, although the attackers have a set date that victims are encouraged to contact them for a decryptor
File Recovery If no backups are available, recovering data is almost impossible. We recommend you try alternative methods, which we list below
ransomware removal Before you attempt file recovery, you should remove malware with the help of powerful security software, such as SpyHunterCombo Cleaner
System fix Malware can seriously tamper with Windows systems, causing errors, crashes, lag, and other stability issues after it is terminated. To remediate the OS and avoid its reinstallation, we recommend scanning it with the FortectIntego repair tool

The ransom note explained

There are many types of malware, each of which operates differently. For example, stealthier parasites such as backdoors or data-stealers are known to be particularly sneaky, as their main goal is to run in the background and perform whatever actions they were programmed for as long as possible without being noticed by the user.

However, ransomware is not the one to hide, at least not after it has done its deed and encrypted the files. It is true that people might get infected via malicious emails or software vulnerabilities, which result in stealthy infiltration. After malware does its job, it usually makes sure that the victims find out about the infection as soon as possible in order to increase the chances of ransom payment.

For that reason, the Medusabtc virus generates a ransom note and places it on the desktop, as well as into all the directories of locked files. As mentioned, the note is written in Portuguese:

Todos arquivos estão criptografados se tornaram .medusabtc
a unica forma para arquivos/sistema voltar ao normal é
obter chave especial + decryptor
entre em contato com nossa equipe atraves dos dois emails com ID
vou te enviar chave especial + decryptor por apenas uma pequena taxa

e-mail: medusabtc@protonmail.com ID–
e-mail: btcpaynow@protonmail.com

obs:1 não há necessidade de formatar
2 não renomeie a extensão do arquivo,
3 não poste esta mensagem de resgate em nenhum site,
4 não delete os arquivos criptografados
este email é o único contato. se você postar a mensagem de resgate,
o e-mail será bloqueado e você não receberá a chave exclusiva.

contacte-nos em até XX/XX/2021 não perca tempo

In short, the attackers say that none of the encrypted files should be modified and provide emails that should be used for contact. They also say that the message shouldn't be posted anywhere on the internet, as then the crooks would delete the decryption key and file recovery would be impossible. They also provide a date before the decryption key would allegedly be deleted permanently.

Medusabtc virus

While some crooks tend to convince users with a somewhat friendly demeanor (for example, Djvu variants such as Vtua), plenty of malware authors use fear and panic as their main weapons – they try to intimidate people and make them avoid seeking help from experts.

However, you should avoid contacting the attackers, as you might never hear from them again, even if you pay the money. They might also ask you to pay more or send you a tool that does not work. Due to this, you might lose not only your files but also your money. Instead, please check below for the instructions you should follow.

Use security software to remove the infection

To prevent the ransomware from corrupting your data and remove the infection carefully, you should access Safe Mode and perform a full system scan with SpyHunterCombo Cleaner or MalwarebytesMalwarebytes anti-malware. Before you do this, disconnect your computer from the internet – you can simply plug out the ethernet cable or disconnect your WiFi via a system tray.

Windows 7 / Vista / XP

  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list.Windows XP/7

Windows 10 / Windows 8

  1. Right-click on the Start button and select Settings.
  2. Scroll down to pick Update & Security.
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find the Advanced Startup section.
  5. Click Restart now.Recovery
  6. Select Troubleshoot.Choose an option
  7. Go to Advanced options.Advanced options
  8. Select Startup Settings.Startup settings
  9. Click Restart.
  10. Press 5 or click 5) Enable Safe Mode with Networking.Press F5 to enable Safe Mode with Networking

Data recovery process

Most users who get infected with ransomware have never encountered it before, so they are not completely sure how it all works. Once people see that they are unable to open any files, they might straight out panic. While it is true that the encryption process is done securely, it does not mean that the files are corrupted.

At the same time, it is important to note that anti-malware would not restore the .medusabtc files into their previous state. This is because security software is simply not designed for that. There is a type of software that was made to recover lost files, although it might not always work for ransomware. Nonetheless, we recommend you try it.

1. Use recovery Software

Important: Before you proceed, make sure you make a backup of all the encrypted files, as they might get corrupted in the process

  • Download Data Recovery Pro.
  • Double-click the installer to launch it.
  • Follow on-screen instructions to install the software.Install program
  • As soon as you press Finish, you can use the app.
  • Select Everything or pick individual folders where you want the files to be recovered from.
  • Press Next.
  • At the bottom, enable Deep scan and pick which Disks you want to be scanned.Select Deep scan
  • Press Scan and wait till it is complete.
  • You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
  • Press Recover to retrieve your files.Recover files

2. Find a decryptor

Free decryptors are also sometimes created by security researchers. For that to happen, there needs to be some type of flaw within malware's encryption method or the servers belonging to the attackers might be seized. There is no guarantee that a decryption tool for this virus version will be ever created but we recommend visiting the following websites:

Unfortunately, there is no way to confirm that alternative decryption solutions will work for you, as they depend on many factors. 

Repair system files

Ransomware can negatively impact Windows system files, damaging them. New ransomware strains are more prone to bugs due to hackers' lack of inexperience, so it can mess up your computer really quickly. Unfortunately, security software cannot fix damaged system components, which might later result in system crashes, errors, and other issues. Therefore, we strongly recommend you run a PC repair software after the infection to remediate Windows and avoid the reinstallation of the OS.

  • Download FortectIntego
  • Click on the ReimageRepair.exe
    Reimage download
  • If User Account Control (UAC) shows up, select Yes
  • Press Install and wait till the program finishes the installation processReimage installation
  • The analysis of your machine will begin immediatelyReimage scan
  • Once complete, check the results – they will be listed in the Summary
  • You can now click on each of the issues and fix them manually
  • If you see many problems that you find difficult to fix, we recommend you purchase the license and fix them automatically.Reimage results

Ways to avoid ransomware infections

Xorist ransomware has been around for many years, and that there have been different methods that it was distributed. Most of the time, cybercriminals rely on methods that are proven to be successful, although innovations, such as fileless infections that occur in the memory,[2] are also practiced in some cases.

Here are a few tips from security researchers[3] that should help you avoid being infected in the future and negate ransomware effects:

  • Backup your personal files;
  • Use SpyHunterCombo Cleaner, MalwarebytesMalwarebytes, or another reputable software at all times – make sure it is updated as necessary;
  • Don't ignore warnings from security software and don't assume it's a false positive;
  • Never download software cracks or pirated programs from illegal websites;
  • Update all software, including your operating system, as soon as the updates are available;
  • Use strong passwords for all your accounts and never reuse them;
  • Use official sources to download software.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.