Severity scale:  

Remove MedusaLocker ransomware (Virus Removal Instructions) - updated Jan 2021

removal by Linas Kiguolis - - | Type: Ransomware

MedusaLocker ransomware is the malware that encodes valuable personal files and blackmails victims into paying the ransom

MedusaLocker ransomwareMedusaLocker ransomware is the cryptovirus that demands payment for the recovery of data marked using .encrypted extension.

MedusaLocker ransomware is the cryptovirus that emerged at the end of September 2019 and is designed to encrypt data and mark each file with a generic .encrypted file extension. However, this malware form might also user other appendixes such as .bomber, .locker16, .newlock, .boroff, .breakingbad, .nlocker, .skynet. Once MedusaLocker ransomware locks up files by using the combination of RSA 2048 and AES algorithms, the cyber threat waits for 1 minute and then repeats the encryption process in case some data has been left untouched. Once this primary process is done, a money-demanding message appears on the screen via the HOW_TO_RECOVER_DATA.html or Readme.html file. The browser window shows a brief message about a ransomware attack and informs that people should buy a decryptor to get their files restored. Unfortunately, such offers are not serving in the favor of victims because since criminals are focused on getting money, they don't care about your belongings or lost files and money. In most cases, the decryption tool is not sent for the person that paid the ransom, so files remain corrupted, and money is lost.[1] Even the decryption test is offered to fake the feeling of trust between criminals and victims.

Questions about MedusaLocker ransomware

We should also note that contacting MedusaLocker ransomware virus developers is a bad idea. The window with information, test decryption offer, and alleged guarantees criminals also include contact emails, Sometimes the email addresses might also be and Contacting criminals can lead to permanent data and money loss, so you should restrain from that option and get rid of the virus instead.

Name MedusaLocker ransomware
Type Cryptovirus
release date Security experts have discovered this malware at the end of September this year
Ransom note Once data is locked, the cybercriminals provide information on the encryption process and talk about ransom demands via HOW_TO_RECOVER_DATA.html
Symptoms After the infiltration, the malware makes files useless by encrypting them. The ransom demand appears immediately after that, and criminals ask for a payment that should help them to get files back. Additional processes and installed files, disabled programs affect the performance of an infected machine
Contact emails,
File marker .encrypted is the file extension that shows up at the end of every file encrypted by the intruder. Photos, documents, audio or video files become unopenable and useless after such encoding. Some variants can come with .skynet, .bomber, .locker16, .newlock, .boroff, .breakingbad, .nlocker apendixes
Distribution Infected files delivered on the system via spam email attachments or torrent files packaged with software or video game cracks.[2] Also, malicious sites with malware code droppers can lead to such infiltrations and trojans, worms, threats designed to spread crypto-malware around. Nevertheless, hacked RDPs that include vulnerable security do great for malware infiltration
related files svchostt.exe
additional capabilities The malware fills the Windows Registry with entries and drops files on the computer system that allow the ransomware to boot up automatically, avoid antimalware detection, etc. The virus also deletes the backups that were created with Windows Backup services, eliminates Shadow Volume Copies, etc.
Elimination Anti-malware tools can help to remove MedusaLocker ransomware. ReimageIntego should also give the advantage in such a process and virus damage elimination

Various antivirus engines have scanned the svchostt.exe file that is brought by MedusaLocker ransomware into the system and 52 out of 70 AV products found this component malicious. These are some of the generated detection names:[3]

  • Win32:Malware-gen (Avast and AVG);
  • Trojan.FileCoder (A) (Emsisoft);
  • Trojan.GenericKD.41882000 (BitDefender);
  • Ransom.Medusa (Malwarebytes);
  • Trojan.DownLoader30.26418 (DrWeb);
  • Ransom.Win32.MEDUSA.THJAFAI (Trend Micro).

MedusaLocker ransomware is the virus that operates in the background and until your files get encrypted and marked using a unique file extension, you cannot notice the infiltration and virus attack. Unfortunately, encryption is the first thing ransomware starts with.

MedusaLocker cryptovirusMedusaLocker ransomware is the virus that focuses on getting payments from victims, so it encodes documents, images, and even archives.

In most cases, your files get immediately affected once the threat checks the system for other malware and indications that should note not to encrypt data further. Other file-locking based threats avoid encrypting files in particular devices that are located in countries with particular laws.

You should note that MedusaLocker ransomware delivers the ransom note after the locking, but this is not the end of a ransomware attack. Once the message is delivered in the HOW_TO_RECOVER_DATA.html browser window other processes running the background of the machine. The note looks like this:

All your data are encrypted!
What happened?
Your files are encrypted, and currently unavailable.
You can check it: all files on you computer has new expansion.
By the way, everything is possible to recover (restore), but you need to buy a unique decryptor.
Otherwise, you never cant return your data.

For purchasing a decryptor contact us by email:
If you will get no answer within 24 hours contact us by our alternate emails:

What guarantees?
Its just a business. If we do not do our work and liabilities – nobody will not cooperate with us.
To verify the possibility of the recovery of your files we can decrypted 1 file for free.
Attach 1 file to the letter (no more than 10Mb). Indicate your personal ID on the letter:

– Attempts of change files by yourself will result in a loose of data.
– Our e-mail can be blocked over time. Write now, loss of contact with us will result in a loose of data.
– Use any third party software for restoring your data or antivirus solutions will result in a loose of data.
– Decryptors of other users are unique and will not fit your files and use of those will result in a loose of data.
– If you will not cooperate with our service – for us, its does not matter. But you will lose your time and data, cause just we have the private key.

While you decide to pay the ransom and recover your files or remove MedusaLocker ransomware, malware places files in system folders, disables functions, security tools, installs programs and even additional malware to keep various processes affecting the already-infected device.

MedusaLocker ransomware can interfere with anti-malware tools, the performance of your security services, applications and delete particular files needed for the removal or data recovery. For example, when Shadow Volume Copies get deleted, you have fewer chances to recover encoded files by yourself. The first thing you can try to do is find a decryption tool for this threat. There are many researchers and experts[4] that focus on analysis and decryption tool development. So you should pack all the files of MedusaLocker ransomware, related threats and other applications on an external device. 

MedusaLocker malwareMedusaLocker - a dangerous malware form that drops various entries and files on the infected computer system to automatically boot itself, perform encryption, and avoid antivirus detection

Then you can go further with MedusaLocker ransomware removal and store malware files for the later use when the software is released for the consumers. Official decryption tools are the ones that can help with your files besides all the manual methods and third-party software. 

As for the virus elimination, you need an anti-malware tool that could terminate MedusaLocker ransomware, associated programs, fix the damage and delete traces completely off of the PC. Antivirus like ReimageIntego cannot decrypt files or recover them tough. However, such software might help you to get rid of damage from your Windows machine. 

A deeper look into MedusaLocker ransomware operation module

MedusaLocker ransomware is a much more complicated malware than it might seem from the first view. According to a deeper investigation, this file-encrypting virus carries a complex module and is capable of launching various commands that make the ransomware even more successful.

Once MedusaLocker virus enters the system, it drops the EnableLinkedConnections component under this registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System and sets it as the top one. This allows hackers launching mapped devices even in the UAC mode. To ensure that these devices are available and that Windows networking is operating perfectly, the malware reboots the service named LanmanWorkstation. MedusaLocker also places its own entry named HKCU\SOFTWARE\Medusa in the Windows Registry.[5]

Afterward, the dangerous threat will be in search of security-related files that deleted allow the ransomware to prevent antimalware detection and successfully perform data encryption. Continuously, MedusaLocker ransomware eliminates Shadow Volume Copies of the locked data, deletes all file backups that were performed using Windows backup, and deactivates the Windows automatical startup repair to prevent users from recovering data by themselves.

MedusaLocker ransomware virusMedusaLocker ransomware is the file-locking threat that encrypts personal files and delivers a ransom note on the HOW_TO_RECOVER_DATA.html file.

For repeated automatical appearance MedusaLocker ransomware takes a copy of itself and places it in the  %UserProfile%\AppData\Roaming\svchostt.exe directory so that the malicious payload can be booted up within every half an hour without any hacker interaction needed.

What is interesting about the encryption process that is performed by MedusaLocker is that the ransomware virus skips files that include the .dll, .sys, .exe, .ini, .lnk, .rdp, .encrypted extensions or any other appendixes that are used for locking up data. Also, the cyber threat does not touch files and documents in the following locations:

  • \Windows;
  • \Users\All Users;
  • \Application Data;
  • \nvidia;
  • \intel;
  • \AppData;
  • ProgamData;

Malicious code gets hid in various types of files and delivered online

Payload droppers that spread trojans, malware, ransomware and other types of threats can come from safe-looking files and services, so you need to pay close attention to everything that happens on the machine. Spam email campaigns with file attachments, torrent files, malware, malicious pages – all can include malicious code that spreads in a matter of minutes on the targeted device.

You should remember that malicious macros get loaded on MS documents attached to emails with fake financial information-related subject lines. Additionally, cybercrooks pretend to be from respectable shipping companies such as FedEx DHL and provide fake shippment information. Also, direct ransomware payload gets loaded on the machine once the cracked software package is installed from pirated sites or torrent networks. 

Nevertheless, ransomware infections can be distributed to multiple computer systems by using vulnerable RDPs[6] that are protected with a weak password or hold no password at all. Hackers misuse ports such as the TCP port 3389 and force the password to get into the targeted Windows computer system remotely.

You should keep the anti-malware tool on the system, run it from time to time and keep the machine virus-free. These tools can scan email attachments before you open and download them on the PC. Restraining from malicious services like torrents can also avoid cyber threats in the future.

Remove the malicious MedusaLocker ransomware payload and related files or programs with anti-malware tools

You should remember that MedusaLocker ransomware virus alters many places on the system and can significantly interfere with the process of malware removal. For that, we recommend rebooting the machine in a Safe Mode that allows running AV tools smoothly.

By doing so, you can remove MedusaLocker ransomware with a program like ReimageIntego, SpyHunter 5Combo Cleaner, or Malwarebytes automatically. These programs are designed to access multiple places of the computer where malware hides its script and other programs. Anti-malware tools can also eliminate virus damage.

Although this automatic MedusaLocker ransomware removal is not the same as the data recovery, you can restore your files safely after this. Proper security tools clean the machine and your data can be recovered by using the third-party software, backups or one of the methods below.

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove MedusaLocker virus, follow these steps:

Remove MedusaLocker using Safe Mode with Networking

Reboot the system in Safe Mode with Networking and then remove MedusaLocker ransomware completely using your anti-malware tool

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove MedusaLocker

    Log in to your infected account and start the browser. Download ReimageIntego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete MedusaLocker removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove MedusaLocker using System Restore

System Restore may be a helpful alternative method that can recover machine in a virus-free state

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of MedusaLocker. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with ReimageIntego and make sure that MedusaLocker removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove MedusaLocker from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by MedusaLocker, you can use several methods to restore them:

Data Recovery Pro is the software created for file restoring purposes that works for encrypted data too

You can use Data Recovery Pro when MedusaLocker ransomware encrypts files or you accidentally delete them yourself

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by MedusaLocker ransomware;
  • Restore them.

Windows Previous Versions is the method useful for encrypted data

You can rely on Windows Previous versions when you enabled System Restore for MedusaLocker ransomware removal

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer is the method for encrypted files

MedusaLocker ransomware may leave Shadow Volume Copies untouched if so, you can rely on ShadowExplorer for data recovery

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Decryption tool is not developed yet

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from MedusaLocker and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes

Choose a proper web browser and improve your safety with a VPN tool

Online spying has got momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security – choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.


Lost your files? Use data recovery software

While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.

To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.

About the author
Linas Kiguolis
Linas Kiguolis - Expert in social media

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Linas Kiguolis
About the company Esolutions


Your opinion regarding MedusaLocker ransomware