MedusaLocker - How to remove

MedusaLocker is a set of ransomware infections. It includes parasites known as 1btc, Deadfiles, Himynameisransom, Readtheinstructions, and others. MedusaLocker emerged in late 2019 and has been attacking businesses and individual users all over the globe.

It’s important to remove the MedusaLocker infection from infected computers as quickly as possible. Unfortunately, there is no free decryptor that could recover the encrypted files.

About MedusaLocker:

Threat type: Ransomware, trojan.

How MedusaLocker infects computers: It disables security programs, deletes backups, encrypts files on local and network storage, and creates ransom notes.

How to recover the lost files: Restore the files from backups once the malware is gone, or try data recovery solutions.

How to delete MedusaLocker: Delete malicious files and programs with the help of antivirus tools (such as Spyhunter and others) or reformat your drives, then reset your login credentials and protect your accounts with multi-factor authentication.

How MedusaLocker works

MedusaLocker disables security programs

MedusaLocker was discovered in September 2019.

This ransomware encrypts files, then asks for money in exchange for restoring them. The ransom can exceed 1 Bitcoin, which is, at the time of writing, more than 36,000 dollars, but demands can go as high as 60,000 or as low as 10,000. This can be very harmful to small businesses.

There are many ways in which ransomware may infect a computer, such as malicious spam emails and hacked remote desktop accounts.

Once MedusaLocker is on a computer, it terminates various security programs. It also closes editing programs that might hold documents, databases, and other files open, so that it is free to encrypt them. And it deletes backups and shadow copies.

Then, MedusaLocker accesses all the drives on the network and starts encrypting files: documents, pictures, databases, code, etc. Like most modern ransomware, MedusaLocker uses hybrid encryption, which combines the speed of symmetric cryptography with the security of public-key cryptography: the files themselves are encrypted with a fast symmetric key, and that key is in turn encrypted with the extortionists’ public key, so only the holder of the matching private key can unlock it. Needless to say, MedusaLocker works quickly.

Here’s a detailed analysis of a MedusaLocker sample by SCILabs.

As far as I know, MedusaLocker doesn’t steal files in order to publish them. But another infection, Ako, which was thought to be related to MedusaLocker, did steal files.

It encrypts and renames files

When MedusaLocker encrypts files, it also changes their names by appending a new extension, like so:

document.docx.encrypted

Here are some of the extensions that MedusaLocker uses:

1btc, Abstergo, Alienlock, Bomber, Boroff, Datalock, Deadfiles, Decrypme, Divsouth, Eg, Encrypted, Himynameisransom, Hknet, Locker16, Lockfilesco, Lockfileskr, Networklock, Networkmaze, Newlock, Nlocker, Pp, Readinstructions, Readtheinstructions, Recovery, Skynet, Support.

The list of extensions isn’t complete. Also, these extensions aren’t exclusive to Medusa ransomware and may be used by other file lockers. For example, Encrypted is used by at least a dozen different ransomware viruses.

Finally, to communicate with the victim, MedusaLocker creates a ransom note. These notes have names like INSTRUCTIONS.html and Recovery_Instructions.html. They include the email addresses of the extortionists and urge the victim to contact them.
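As an added example (not code from the original article), here is a small Python triage helper that separates ransom notes from renamed files in a file listing, using the extensions and note names given above. The listing is constructed sample data, and the rule that a hit needs an original extension before the appended one is this example’s own heuristic, not something the article states.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Extensions the article lists for MedusaLocker (lower-cased). Not complete, and
# several are also used by unrelated ransomware families.
MEDUSALOCKER_EXTENSIONS = frozenset({
    "1btc", "abstergo", "alienlock", "bomber", "boroff", "datalock", "deadfiles",
    "decrypme", "divsouth", "eg", "encrypted", "himynameisransom", "hknet",
    "locker16", "lockfilesco", "lockfileskr", "networklock", "networkmaze",
    "newlock", "nlocker", "pp", "readinstructions", "readtheinstructions",
    "recovery", "skynet", "support"})
# Ransom note file names the article mentions.
RANSOM_NOTE_NAMES = frozenset({"instructions.html", "recovery_instructions.html"})

def classify(path):
    """Return ("note", None), ("encrypted", original_name) or ("clean", None)."""
    p = PureWindowsPath(path)  # handles drive letters, UNC paths, / and \ alike
    if p.name.lower() in RANSOM_NOTE_NAMES:
        return "note", None
    appended = p.suffix.lstrip(".").lower()
    # Heuristic (this example's assumption): the ransomware appends its extension
    # after the original one (document.docx.encrypted), so a hit needs a preceding
    # suffix. That keeps e.g. a Puppet manifest.pp from being flagged.
    if appended in MEDUSALOCKER_EXTENSIONS and len(p.suffixes) >= 2:
        return "encrypted", str(p.with_suffix(""))
    return "clean", None

def triage(listing):
    """Summarise a listing: notes, renamed files (with original names), counts."""
    report = {"notes": [], "encrypted": {}, "extensions": Counter(), "clean": 0}
    for path in listing:
        kind, original = classify(path)
        if kind == "note":
            report["notes"].append(path)
        elif kind == "encrypted":
            report["encrypted"][path] = original
            report["extensions"][PureWindowsPath(path).suffix[1:].lower()] += 1
        else:
            report["clean"] += 1
    return report

# Constructed sample listing, not real victim data.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\document.docx.encrypted",
    r"C:\Users\alice\Documents\INSTRUCTIONS.html",
    r"\\fileserver\share\db\customers.mdb.readtheinstructions",
    r"\\fileserver\share\db\Recovery_Instructions.html",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Program Files\tool\manifest.pp",
]
```

The report gives an incident responder the scope of the damage (which shares were reached, which extension variant was used) and the pre-encryption names to look up in backups or shadow copies.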

Here’s what the ransom note says:

What happened?

Your files are encrypted, and currently unavailable.
You can check it: all files on you computer has new expansion.
By the way, everything is possible to recover (restore), but you need to buy a unique decryptor.
Otherwise, you never cant return your data.

[…]

What guarantees?

Its just a business. If we do not do our work and liabilities – nobody will not cooperate with us.
To verify the possibility of the recovery of your files we can decrypted 1 file for free.
Attach 1 file to the letter (no more than 10Mb). Indicate your personal ID on the letter:

The MedusaLocker ransom notes explain what the extortionists want.

There is no easy way to decrypt the files

The MedusaLocker extortionists say that decryption codes are unique to each victim. Unfortunately, they are right. MedusaLocker might even use different keys on different computers on the same network.

There’s no way to decrypt the files encrypted by MedusaLocker for free. But even if you pay the ransom, be ready to be ignored, stalled, and face various technical difficulties with the decryption. Based on some victims’ experiences, the decryption tools provided by the extortionists aren’t reliable.

So, if you don’t have backups or if your backups were encrypted by MedusaLocker, can you get your files back?

You could look into file recovery programs (like EaseUS – just be careful to cancel the subscription) or data recovery labs. There are a lot of problems with this solution, though. It won’t work on SSDs. At best, you’ll probably only recover some files. The recovery process can take a long time.

How to delete MedusaLocker

For as long as MedusaLocker is not removed from the infected computers, it runs periodically and encrypts all newly created files. To delete MedusaLocker, you can use antivirus programs, such as Spyhunter. You can also just reformat your drives and start over.

Watch out for spyware. If your antivirus scan found malware besides MedusaLocker, it would be wise to reset your login credentials once all the threats are deleted.


How to recover MedusaLocker encrypted files and remove the virus

Step 1. Restore the system to the last known good state using System Restore

1. Reboot your computer into Safe Mode with Command Prompt:

For Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

For Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
 

2. Restore system files and settings.

  • When the Command Prompt loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the available Restore Points from before MedusaLocker infiltrated your system, then click “Next”.
  • To start System Restore, click “Yes”.
 

Step 2. Complete removal of MedusaLocker

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to MedusaLocker. You can check other tools here.

Step 3. Restore MedusaLocker affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is still a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. MedusaLocker usually tries to delete all Shadow Volume Copies, so this method may not work on every computer; however, it sometimes fails to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: the native Windows Previous Versions feature, or Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous Versions tab. You will now see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover MedusaLocker encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program (Data Recovery Pro, for example).
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.