MedusaLocker ransomware is the malware that encrypts valuable personal files and blackmails victims into paying a ransom
MedusaLocker ransomware is the cryptovirus that demands payment for the recovery of data marked with the .encrypted extension.
MedusaLocker ransomware is the cryptovirus that emerged at the end of September 2019 and is designed to encrypt data and mark each file with a generic .encrypted file extension. However, this malware family might also use other extensions such as .bomber, .locker16, .newlock, .boroff, .breakingbad, .nlocker, or .skynet. Once MedusaLocker ransomware locks up files using a combination of the RSA-2048 and AES algorithms, it waits for one minute and then repeats the encryption process in case some data has been left untouched. Once this primary process is done, a ransom-demanding message appears on the screen via the HOW_TO_RECOVER_DATA.html or Readme.html file. The browser window shows a brief message about the ransomware attack and informs victims that they should buy a decryptor to get their files restored. Unfortunately, such offers do not serve the victims' interests: since the criminals are focused on getting money, they do not care about your files. In most cases, the decryption tool is never sent to the person who paid the ransom, so the files remain corrupted and the money is lost. Even the free decryption test is offered only to create a false sense of trust between criminals and victims.
We should also note that contacting the MedusaLocker ransomware developers is a bad idea. The window with information, the test decryption offer, and alleged guarantees also includes the criminals' contact emails Folieloi@protonmail.com and Ctorsenoria@tutanota.com. Sometimes the email addresses might also be email@example.com and firstname.lastname@example.org. Contacting criminals can lead to permanent data and money loss, so you should refrain from that option and get rid of the virus instead.
| Feature | Details |
| --- | --- |
| Release date | Security experts discovered this malware at the end of September 2019 |
| Ransom note | Once data is locked, the cybercriminals provide information on the encryption process and state their ransom demands via HOW_TO_RECOVER_DATA.html |
| Symptoms | After the infiltration, the malware makes files useless by encrypting them. The ransom demand appears immediately after that, and the criminals ask for a payment that should supposedly get the files back. Additional processes, installed files, and disabled programs affect the performance of the infected machine |
| Contact | email@example.com, firstname.lastname@example.org |
| File marker | .encrypted is the file extension that shows up at the end of every file encrypted by the intruder. Photos, documents, audio, and video files become unopenable and useless after such encoding. Some variants use the .skynet, .bomber, .locker16, .newlock, .boroff, .breakingbad, or .nlocker extensions instead |
| Distribution | Infected files are delivered to the system via spam email attachments or torrent files packaged with software or video game cracks. Malicious sites with malware droppers can also lead to such infiltrations, as can trojans, worms, and other threats designed to spread crypto-malware. Poorly secured RDP connections are also widely used for malware infiltration |
| Additional capabilities | The malware fills the Windows Registry with entries and drops files on the computer system that allow the ransomware to start automatically, avoid antimalware detection, etc. The virus also deletes backups created with Windows Backup, eliminates Shadow Volume Copies, etc. |
| Elimination | Anti-malware tools can help to remove MedusaLocker ransomware. Reimage Cleaner Intego can also help with the removal process and with repairing virus damage |
Various antivirus engines have scanned the svchostt.exe file that MedusaLocker ransomware brings into the system, and 52 out of 70 AV products flagged this component as malicious. These are some of the detection names:
- Win32:Malware-gen (Avast and AVG);
- Trojan.FileCoder (A) (Emsisoft);
- Trojan.GenericKD.41882000 (BitDefender);
- Ransom.Medusa (Malwarebytes);
- Trojan.DownLoader30.26418 (DrWeb);
- Ransom.Win32.MEDUSA.THJAFAI (Trend Micro).
MedusaLocker ransomware is a virus that operates in the background, and until your files get encrypted and marked with the new file extension, you will not notice the infiltration. Unfortunately, encryption is the first thing the ransomware starts with.
MedusaLocker ransomware focuses on extracting payments from victims, so it encrypts documents, images, and even archives.
In most cases, your files are affected immediately after the threat checks the system for other malware and for indicators telling it not to proceed with encryption. Other file-locking threats avoid encrypting files on devices located in countries with particular laws.
You should note that MedusaLocker ransomware delivers the ransom note after the locking, but this is not the end of the ransomware attack: once the message is displayed in the HOW_TO_RECOVER_DATA.html browser window, other processes keep running in the background of the machine. The note looks like this:
All your data are encrypted!
Your files are encrypted, and currently unavailable.
You can check it: all files on you computer has new expansion.
By the way, everything is possible to recover (restore), but you need to buy a unique decryptor.
Otherwise, you never cant return your data.
For purchasing a decryptor contact us by email:
If you will get no answer within 24 hours contact us by our alternate emails:
Its just a business. If we do not do our work and liabilities – nobody will not cooperate with us.
To verify the possibility of the recovery of your files we can decrypted 1 file for free.
Attach 1 file to the letter (no more than 10Mb). Indicate your personal ID on the letter:
– Attempts of change files by yourself will result in a loose of data.
– Our e-mail can be blocked over time. Write now, loss of contact with us will result in a loose of data.
– Use any third party software for restoring your data or antivirus solutions will result in a loose of data.
– Decryptors of other users are unique and will not fit your files and use of those will result in a loose of data.
– If you will not cooperate with our service – for us, its does not matter. But you will lose your time and data, cause just we have the private key.
While you are deciding whether to pay the ransom and recover your files or to remove MedusaLocker ransomware, the malware places files in system folders, disables functions and security tools, and installs programs and even additional malware to keep various processes affecting the already-infected device.
MedusaLocker ransomware can interfere with anti-malware tools and the performance of your security services and applications, and it can delete particular files needed for removal or data recovery. For example, when Shadow Volume Copies get deleted, you have fewer chances to recover encoded files by yourself. The first thing you can try is to find a decryption tool for this threat. Many researchers and experts focus on analysis and decryption tool development, so you should save copies of the MedusaLocker ransomware files, related threats, and encrypted samples on an external device.
MedusaLocker is a dangerous malware family that drops various entries and files on the infected computer system to start itself automatically, perform encryption, and avoid antivirus detection
Then you can go further with MedusaLocker ransomware removal and keep the stored malware files for later use, when a decryption tool is released to the public. Official decryption tools are the ones that can truly help with your files, besides the manual methods and third-party software.
As for the virus elimination, you need an anti-malware tool that can terminate MedusaLocker ransomware and associated programs, fix the damage, and delete all traces from the PC. Antivirus software like Reimage Cleaner Intego cannot decrypt or recover files, though. However, such software can help you to get rid of the damage on your Windows machine.
A deeper look into the MedusaLocker ransomware operation module
MedusaLocker ransomware is a much more complicated piece of malware than it might seem at first glance. According to deeper investigation, this file-encrypting virus carries a complex module and is capable of launching various commands that make the ransomware even more effective.
Once MedusaLocker enters the system, it creates the EnableLinkedConnections value under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and sets it to 1. This makes mapped network drives accessible to the malware even when it runs elevated under UAC. To ensure that these drives are available and that Windows networking is operating properly, the malware restarts the service named LanmanWorkstation. MedusaLocker also places its own key, HKCU\SOFTWARE\Medusa, in the Windows Registry.
Afterward, the threat searches for security-related files whose deletion allows the ransomware to evade antimalware detection and successfully perform data encryption. MedusaLocker ransomware then eliminates Shadow Volume Copies of the locked data, deletes all file backups created with Windows Backup, and deactivates Windows automatic startup repair to prevent users from recovering data by themselves.
MedusaLocker ransomware is the file-locking threat that encrypts personal files and delivers a ransom note on the HOW_TO_RECOVER_DATA.html file.
To run again automatically, MedusaLocker ransomware copies itself to %UserProfile%\AppData\Roaming\svchostt.exe so that the malicious payload is launched every half an hour without any interaction from the attackers.
What is interesting about the encryption process performed by MedusaLocker is that the ransomware skips files with the .dll, .sys, .exe, .ini, .lnk, .rdp, and .encrypted extensions, or any other extension it uses to mark locked data. The threat also does not touch files and documents in the following locations:
- \Users\All Users;
- \Application Data;
- PROGRAMFILES (X86);
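The host artifacts described in this section can be turned into a simple offline triage check. The following script is an added example, not code from the original article or from the malware: it scores an in-memory host snapshot (the registry entries and file paths below are constructed sample data) against the EnableLinkedConnections policy value, the HKCU\SOFTWARE\Medusa key, the svchostt.exe copy under %UserProfile%\AppData\Roaming, the ransom note file names, and the extensions appended to encrypted files.

```python
from collections import Counter

# Indicators named in the article: ransom note names and appended extensions.
RANSOM_NOTES = {"how_to_recover_data.html", "readme.html"}
ENCRYPTED_EXTS = {".encrypted", ".bomber", ".locker16", ".newlock",
                  ".boroff", ".breakingbad", ".nlocker", ".skynet"}
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
MEDUSA_KEY = r"HKCU\SOFTWARE\Medusa"
# Lookalike of the legitimate svchost.exe (note the double "t") under the user profile.
PERSIST_SUFFIX = r"\appdata\roaming\svchostt.exe"
INDICATORS = ("enable_linked_connections", "medusa_key", "persistence_copies",
              "ransom_notes", "encrypted_by_ext")


def triage(registry: dict, files: list) -> dict:
    """registry maps key path -> {value name: data}; files are full Windows paths."""
    ext_hits, notes, persistence = Counter(), [], []
    for path in files:
        low = path.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in RANSOM_NOTES:
            notes.append(path)
        if low.endswith(PERSIST_SUFFIX):
            persistence.append(path)
        dot = name.rfind(".")
        if dot != -1 and name[dot:] in ENCRYPTED_EXTS:
            ext_hits[name[dot:]] += 1
    policy = registry.get(POLICY_KEY, {})
    findings = {
        "enable_linked_connections": policy.get("EnableLinkedConnections") == 1,
        "medusa_key": MEDUSA_KEY in registry,
        "persistence_copies": persistence,
        "ransom_notes": notes,
        "encrypted_by_ext": dict(ext_hits),
    }
    # Two or more independent indicators are treated as a likely infection.
    findings["indicator_count"] = sum(bool(findings[k]) for k in INDICATORS)
    findings["likely_medusalocker"] = findings["indicator_count"] >= 2
    return findings


# Constructed sample snapshot standing in for a collector's output on an infected host.
SAMPLE_REGISTRY = {POLICY_KEY: {"EnableLinkedConnections": 1}, MEDUSA_KEY: {}}
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\svchostt.exe",
    r"C:\Users\alice\Documents\HOW_TO_RECOVER_DATA.html",
    r"C:\Users\alice\Documents\report.docx.encrypted",
    r"C:\Users\alice\Pictures\holiday.jpg.encrypted",
    r"C:\Windows\System32\svchost.exe",  # legitimate binary, must not match
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REGISTRY, SAMPLE_FILES).items():
        print(f"{key}: {value}")
```

On a live Windows host the same function can be fed the output of `reg query` and a recursive directory listing; a single hit on the EnableLinkedConnections value alone is common benign administration, which is why the score requires two independent indicators.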
Malicious code gets hidden in various types of files and delivered online
Payload droppers that spread trojans, malware, ransomware, and other threats can come in safe-looking files and services, so you need to pay close attention to everything that happens on the machine. Spam email campaigns with file attachments, torrent files, malware, and malicious pages can all carry malicious code that spreads across the targeted device in a matter of minutes.
You should remember that malicious macros are embedded in MS Office documents attached to emails with fake finance-related subject lines. Additionally, cybercrooks pretend to be from respectable shipping companies such as FedEx or DHL and provide fake shipment information. The ransomware payload can also be loaded directly onto the machine once a cracked software package from pirated sites or torrent networks is installed.
Ransomware infections can also be distributed to multiple computer systems through exposed RDP services protected with a weak password or no password at all. Attackers target ports such as TCP port 3389 and brute-force the password to get into the targeted Windows computer remotely.
You should keep an anti-malware tool on the system, run it from time to time, and keep the machine virus-free. These tools can scan email attachments before you open or download them on the PC. Refraining from risky services like torrents can also help you avoid cyber threats in the future.
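The RDP brute-forcing described above leaves a clear trail in the Windows Security log: a burst of failed logons (Event ID 4625) with LogonType 10 (RemoteInteractive) from one source address, sometimes followed by a successful logon (Event ID 4624) from the same address. The following detector is an added example, not part of the original article; it runs over a constructed CSV export of such events (timestamp, EventID, LogonType, account, source address), and the threshold and window are assumed tuning values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export of Windows Security events (not real log data).
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2019-09-30T02:14:01,4625,10,Administrator,203.0.113.7
2019-09-30T02:14:03,4625,10,admin,203.0.113.7
2019-09-30T02:14:04,4625,10,backup,203.0.113.7
2019-09-30T02:14:06,4625,10,Administrator,203.0.113.7
2019-09-30T02:14:09,4625,10,Administrator,203.0.113.7
2019-09-30T02:14:12,4624,10,Administrator,203.0.113.7
2019-09-30T02:30:00,4625,10,alice,198.51.100.4
2019-09-30T09:00:00,4624,10,alice,198.51.100.4
"""


def parse(text):
    """Yield (timestamp, event_id, logon_type, account, source) per CSV line."""
    for line in text.splitlines():
        ts, eid, ltype, user, src = line.split(",")
        yield datetime.fromisoformat(ts), int(eid), int(ltype), user, src


def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source that reaches `threshold` RDP failures inside
    `window`, plus a second alert if that source then logs on successfully."""
    failures = defaultdict(deque)  # source -> timestamps of recent 4625 events
    flagged = set()
    alerts = []
    for ts, eid, ltype, user, src in parse(text):
        if ltype != 10:
            continue  # only RemoteInteractive (RDP) logons matter here
        recent = failures[src]
        if eid == 4625:
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()  # slide the window forward
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, len(recent), ts))
        elif eid == 4624 and src in flagged:
            # A success after a flagged burst suggests the password was guessed.
            alerts.append(("bruteforce_success", src, user, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```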
Remove the malicious MedusaLocker ransomware payload and related files or programs with anti-malware tools
You should remember that MedusaLocker ransomware alters many places on the system and can significantly interfere with the malware removal process. For that reason, we recommend rebooting the machine into Safe Mode, which allows AV tools to run smoothly.
By doing so, you can remove MedusaLocker ransomware automatically with a program like Reimage Cleaner Intego, SpyHunter 5, Combo Cleaner, or Malwarebytes. These programs are designed to access the many places on the computer where malware hides its scripts and other components. Anti-malware tools can also repair virus damage.
Although this automatic MedusaLocker ransomware removal is not the same as data recovery, you can restore your files safely after it. Proper security tools clean the machine, and your data can then be recovered using third-party software, backups, or one of the methods below.
To remove the MedusaLocker virus, follow these steps:
Remove MedusaLocker using Safe Mode with Networking
Reboot the system into Safe Mode with Networking and then remove MedusaLocker ransomware completely using your anti-malware tool
Step 1: Reboot your computer to Safe Mode with Networking
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- Select Safe Mode with Networking from the list
Windows 10 / Windows 8
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window.
Step 2: Remove MedusaLocker
Log in to your infected account and start the browser. Download Reimage Cleaner Intego or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete MedusaLocker removal.
If the ransomware is blocking Safe Mode with Networking, try the next method.
Remove MedusaLocker using System Restore
System Restore may be a helpful alternative method that can return the machine to a virus-free state
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- Select Command Prompt from the list
Windows 10 / Windows 8
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and press Enter.
- Now type rstrui.exe and press Enter again.
- When a new window shows up, click Next and select a restore point that is prior to the infiltration of MedusaLocker. After doing that, click Next.
- Now click Yes to start System Restore.
Bonus: Recover your data
The guide presented above is supposed to help you remove MedusaLocker from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.
If your files are encrypted by MedusaLocker, you can use several methods to restore them:
Data Recovery Pro is software created for file restoring purposes that may work for encrypted data too
You can use Data Recovery Pro when MedusaLocker ransomware encrypts files or when you accidentally delete them yourself
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by MedusaLocker ransomware;
- Restore them.
Windows Previous Versions is a method useful for encrypted data
You can rely on Windows Previous Versions if System Restore was enabled before the MedusaLocker ransomware infection
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of the available copies of the file under “Folder versions”. Select the version you want to recover and click “Restore”.
ShadowExplorer is a method for recovering encrypted files
MedusaLocker ransomware may leave Shadow Volume Copies untouched; if so, you can rely on ShadowExplorer for data recovery
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
A decryption tool has not been developed yet
Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from MedusaLocker and other ransomware, use reputable anti-spyware such as Reimage Cleaner Intego, SpyHunter 5, Combo Cleaner, or Malwarebytes
Do not let the government spy on you
The government has many issues in regard to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet.
You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy an internet connection without the risk of being hacked by using Private Internet Access VPN.
Control the information that can be accessed by the government or any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities and trust your selection of services and platforms, be suspicious for your own security and take precautionary measures by using a VPN service.
Back up files for later use in case of a malware attack
Computer users can suffer various losses due to cyber infections or their own mistakes. Software issues created by malware or direct data loss due to encryption can lead to problems with your device or permanent damage. When you have proper up-to-date backups, you can easily recover after such an incident and get back to work.
It is crucial to update your backups after any changes on the device, so you can get back to the point you were working at when malware changes anything or issues with the device cause data or performance corruption. Make file backup your daily or weekly habit.
When you have a previous version of every important document or project, you can avoid frustration and breakdowns. It comes in handy when malware appears out of nowhere. Use Data Recovery Pro for the system restoring purpose.