Meduza ransomware (Removal Instructions) - Recovery Instructions Included

Meduza virus Removal Guide

What is Meduza ransomware?

Meduza ransomware – a cryptovirus which is urging victims to pay 0.08 bitcoin for acquiring the decryption key needed to unlock encrypted data

Meduza virusMeduza ransomware - a file-encrypting virus which blocks any access to user's data by using .[].meduza extension.

Meduza ransomware is a cryptovirus which typically denies access to important data and requires the specific amount of bitcoin to recover the connection to it. This ransomware-type virus has the same operating principle as hundreds of other ransomware, so it encrypts files and adds .[].meduza or similar extension to mark data which can't be opened or used. Additionally, it drops the copy of a ransom note called as How-To-Recover-Your-Files.html which announces that user's files are infected and requires sending a special payment to decrypt this data. Users are urged to contact the cybercriminals via However, the email address, just like the amount of the ransom, might vary.

Name Meduza
Type Ransomware
Sub-type Cryptovirus
Danger level High. This virus affects files by encrypting them, it can also disable the access to various system's components and deactivate security tools
Extension .[].meduza
Ransom note How-To-Recover-Your-Files.html
Usually spreads with the help of Spam emails
The main purpose Gaining revenue by forcing the victim to buy a decryption key
Elimination process Use FortectIntego to eliminate the cyber threat from your computer system and avoid further damage

To encrypt target files, the virus is using an AES algorithm[1]. Due to its unique functionality, it is almost impossible to decrypt damaged data, even if you are a true tech expert. Typically, the decryption key is stored on a remote server and can only be reached by its owners.

No matter how hard it seems to lose your images, business documents, and similar data, we do not recommend paying the ransom as it usually turns out to be a trick to swindle the money from naive victims. Beware that cybercriminals often leave users scammed as soon as they receive their money.[2] As an alternative, you should remove Meduza ransomware from your computer system and then use one of the data recovery methods provided at the end of this post. For virus removal, we advise using FortectIntego.

The ransom note of the virus:

All your files have been encrypted!

How to recover your files?
All your files have been encrypted by RSA and AES due to a security problem on your PC. You have to pay for decryption of Bitcoins.

If you want to restore them. You must send 0.08 bitcoin to my bitcoins address [Link]
After payment, we will send you the decryption tool that will decrypt all your files.
Please write us to the email [email address].
Your decrypt code is [ransom numbers]
Please write the decrypt code in the title of your email message. And don’t forgot to write the transfer accounts info.
1.Do not rename encrypted files.
2.Do not try to decrypt your data using third party software.It may cause permanent data loss.

It is unknown which hackers' group is hiding behind Meduza ransomware. However, the ransom note and other facts related to this ransomware have been reminding us WannaCry, Petya, and many other ransomware viruses. If you happen to run into this malware, note that time is very important while dealing with it. The more you wait, the more files can be encrypted. Besides, according to the latest tendencies, your computer system might be forced to start mining cryptocurrency.[3]

To prevent the money loss, do not pay the money, especially when the virus is still on your computer. To prevent the loss of personal data, you should initiate Meduza ransomware removal as soon as you find a suspicious extension added to your data. For that, use a professional anti-malware tool, such as FortectIntego. After the elimination is done, you can try using trustworthy decryption tools in order to recover infected data. At the moment, there is no official decrypter.

Meduza ransomwareMeduza - a cryptovirus which demands a ransom if the victim wants to get a file decryptor and unlock encrypted files. Typically, it is asking 0.08 BTC.

Distribution of the ransomware spreading and avoiding techniques

According to IT professionals[4], the most common way for this ransomware-type virus to enter the system is related to spam. These kinds of messages come with a harmful attachment which is already included in the email message as an important document, such as invoice, an image, etc. However, once opened, the virus is activated and starts its damaging activity.

To avoid serious ransomware infections, follow these guidelines:

  • If you receive any suspicious email, you need to double check it before opening. If you have any doubts, you should better eliminate the email for your safeness. Do not get tricked by shady and dubious senders.
  • Try to avoid visiting suspicious-looking sites and links. Once entered, they might try to initiate infiltration of a ransomware-type virus behind your back.
  • Consider installing a professional security tool. An antivirus will protect your system, scan it, and alert if some harmful components are trying to infect your PC.

Eliminate Meduza ransomware with the special guide

To remove Meduza ransomware virus from the system and prevent its leftover files and other components, you need professional help. We advise using an anti-malware software, such as FortectIntego, SpyHunter 5Combo Cleaner, or Malwarebytes. The process might take a while due to the infected security system. However, if you follow all elimination steps given down below, you should get a chance to disable your malware and let the anti-malware program do its job.

After the elimination process is finished, we recommend taking care of system backups to prevent the negative effect of ransomware in the future. You can easily save your data on external hard drives, USB keys, and similar storage solutions. However, before you proceeded with this task, take care of the Meduza removal.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Meduza virus. Follow these steps

Manual removal using Safe Mode

Access the Safe Mode with Networking in order to deactivate the virus:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Meduza using System Restore

Use the System Restore function to delete Meduza ransomware from the system:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Meduza. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Meduza removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Meduza from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

As you have already noticed, malware can lock the most important information. To recover files, here are some data recovery methods that should be helpful.

If your files are encrypted by Meduza, you can use several methods to restore them:

Use Data Recovery Pro to get important files

This program might help you recover encrypted data. For that, use the following steps:

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Meduza ransomware;
  • Restore them.

Use Windows Previous Version feature to recover valuable information

You can also use Windows Previous Versions feature to recover your encrypted data. However, notice that this method will work only if you had the System Restore function enabled before the cyber attack.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Shadow Explorer might help you recover some of the encrypted files

Check if the virus did not manage to eliminate the Shadow Volume Copies of locked files. If not – you have a big chance of decrypting them by using this program.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No original Meduza ransomware decryptor has been discovered recently.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Meduza and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.


Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 


About the author
Lucia Danes
Lucia Danes - Virus researcher

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Lucia Danes
About the company Esolutions