Medusa Ransomware (MedusaLocker)
What it is
MedusaLocker is ransomware that encrypts your files and demands a cryptocurrency payment to unlock them. It often arrives through email lures or exposed services, then spreads across the network. Technical details and IOCs are in our Medusa overview for defenders.
How it spreads – quick tour
- Phishing emails with malicious attachments or links
- Weak or exposed RDP/VPN and public-facing apps
- Lateral movement once inside, targeting shared folders and backups
What you may notice
- Files gain a new extension and will not open
- A ransom note appears on the desktop and in folders
- Backups missing, shadow copies deleted, tools crashing
If it hits – first moves
- Isolate affected systems and disconnect external drives.
- Preserve notes and logs; do not delete evidence.
- Rebuild from known-good images and restore offline backups.
- From a clean device, change passwords and enable MFA.
- Identify the entry point and block it (email rule, account, or service).
Prevent it
- Patch internet-facing services fast; remove unused remote access.
- Use EDR/anti-malware plus email, web, and DNS filtering.
- Enforce MFA and least privilege on admin accounts and shares.
- Keep offline, tested backups and run recovery drills.
- Monitor for mass file changes, C2 beacons, and tool executions.
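The two symptoms listed under "What you may notice" (files gaining a new extension, a ransom note appearing in folders) and the last prevention item (monitor for mass file changes) fit together as one detection rule. The script below is an added example written for this page, not code from the original article or from any MedusaLocker analysis. It assumes a simple file-event record (timestamp, operation, resulting path, user) exported from your EDR or file-server audit log, an allowlist of extensions that are normal on the monitored share, and a few ransom-note name keywords; the `.lockedexample` extension and the `HOW_TO_RECOVER_DATA.html` note in the sample data are constructed placeholders, not real Medusa indicators.

```python
"""Heuristic detector for ransomware-style mass file renames.

Added example; the event shape, allowlist and note keywords are assumptions.
It flags one user renaming many files to the same unfamiliar extension inside
a short window, and attaches any ransom-note-looking files that user created.
"""
from collections import defaultdict
from dataclasses import dataclass

# Extensions that are normal on the monitored share (assumed allowlist; tune per environment).
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".bak"}

# Substrings typical of ransom-note file names (assumed patterns, not MedusaLocker IOCs).
NOTE_KEYWORDS = ("recover", "readme", "how_to", "decrypt", "restore")
NOTE_EXTENSIONS = {".txt", ".html", ".hta"}


@dataclass(frozen=True)
class FileEvent:
    ts: float    # seconds since epoch
    op: str      # "rename" or "create"
    path: str    # resulting path after the operation
    user: str    # account that performed it


@dataclass(frozen=True)
class Alert:
    user: str
    ext: str
    count: int          # peak renames to `ext` inside one window
    notes: tuple        # ransom-note-like paths created by the same user


def extension(path: str) -> str:
    """Return the final extension of a path, lower-cased, or '' if none."""
    name = path.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def looks_like_ransom_note(path: str) -> bool:
    name = path.rsplit("/", 1)[-1].lower()
    return extension(path) in NOTE_EXTENSIONS and any(k in name for k in NOTE_KEYWORDS)


def detect_mass_encryption(events, window_s=60.0, threshold=20):
    """Return one Alert per (user, extension) whose peak rename rate breaches the threshold."""
    renames = defaultdict(list)   # (user, ext) -> timestamps of renames to a non-allowlisted ext
    notes = defaultdict(list)     # user -> ransom-note-like files created
    for e in events:
        if e.op == "create" and looks_like_ransom_note(e.path):
            notes[e.user].append(e.path)
        elif e.op == "rename":
            ext = extension(e.path)
            if ext and ext not in KNOWN_EXTENSIONS:
                renames[(e.user, ext)].append(e.ts)

    alerts = []
    for (user, ext), stamps in renames.items():
        stamps.sort()
        peak, start = 0, 0
        # Sliding window: largest number of renames within any `window_s` span.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append(Alert(user, ext, peak, tuple(notes[user])))
    return alerts


def sample_events():
    """Constructed sample: one account renames 25 reports in ~25 s and drops a note;
    another renames three files to .bak over 90 s, which is benign housekeeping."""
    t0 = 1_700_000_000.0
    ev = [FileEvent(t0 + i, "rename", f"//fs01/finance/report_{i}.docx.lockedexample", "svc_backup")
          for i in range(25)]
    ev.append(FileEvent(t0 + 26, "create", "//fs01/finance/HOW_TO_RECOVER_DATA.html", "svc_backup"))
    ev += [FileEvent(t0 + 100 + 30 * i, "rename", f"//fs01/it/config_{i}.bak", "jdoe") for i in range(3)]
    return ev


if __name__ == "__main__":
    for a in detect_mass_encryption(sample_events()):
        print(f"ALERT user={a.user} ext={a.ext} renames_in_window={a.count} notes={list(a.notes)}")
```

The threshold and window are deliberately coarse: the point is to catch a burst of renames to an extension the share has never used, which a single user at a keyboard rarely produces, while ordinary batch jobs that write allowlisted extensions pass through. Feed it a rolling export from the same log source you would use for incident evidence, so a firing alert also tells you which account and share to isolate first.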