Try not to stare - MedusaLocker at a glance

Post image

Mystic but also a new(-ish) threat: Medusa ransomware. Let’s take a quick peek, but don’t look too close or you may need to fetch backups soon.

A general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws as owning malware binaries/ sources might be illegal depending on where you live.

medusa.exe @ AnyRun –> sha256 3a5b015655f3aad4b4fd647aa34fda4ce784d75a20d12a73f8dc0e0d866e7e01

dix_16.exe @ HybridAnalysis –> sha256 49da42d00cc3ad6379ead2e07fd5f09bd358b144a6e78aad4bb1a8298e2bb568

Taking a look at the stringdump that stringsifter produced one of the first things that stood out was this base64 encoded image:

Image Base64 String

After decoding it we get an image of a medieval pest doctor. Fun fact: They wore these masks because they thought it would protect them from the black death. One day someone will probably start selling these for endpoint protection.

Pest Doctor

Another interesting extracted string is this PDB-Path: C:\Users\Gh0St\Desktop\MedusaLockerInfo\MedusaLockerProject\MedusaLocker\Release\MedusaLocker.pdb

Running it through Detect it easy returns that MedusaLocker was built with Visual C++ and a (in malware-terms) relatively new Linker Version.

Detect it easy

Entropy-wise it doesn’t look like this sample is packed and the sections found don’t look out of the ordinary either.

medusa.exe Entropy

After digging around in Ghidra for a bit I found FUN_00405bc0 which seems to be the main program routine of MedusaLocker. The strings shown here match the output in the debug console present in the second sample discussed below.

Ghidra Main Function

Yet another mysterious CLSID that I can’t make sense of at the moment: {8761ABBD-7F85-42EE-B272-A76179687C63}. Search results referencing it are around since October 21st and might make tracking Medusa a bit easier.

Running and CLSID

Next up the Locker will “initialize the crypto module” which uses CryptGenKey provided by WinCrypt to derive a keypair. I’ll have a closer look at the encryption routine later.

Initialization of the crypto module

It will skip files with the following suffixes:

```exe, dll, sys, ini, lnk, rdp, encrypted```

As it is very popular with Ransomware to disable the Automatic Startup Repair and delete System Restore Points plus shadow copies Medusa will do so as well. After that it will also relanch LanmanWorkstation to ensure that mapped network drives are available.

Deletion of system backups and shadow copies

Process Kill

After the “Adding to Autoload” debug message it will rename itself to svchost.exe and add it’s Registry Key to the System startup.

Pest Doctor

MedusaLocker will try to terminate the following processes by their name. The List contains Security Software as well as Services commonly used in productive environments such as SQL or Webservers.

wrapper, DefWatch, ccEvtMgr, ccSetMgr, SavRoam, sqlservr, sqlagent, sqladhlp, Culserver, RTVscan, sqlbrowser, SQLADHLP, 
QBIDPService, Intuit.QuickBooks.FCS, QBCFMonitorService, sqlwriter, msmdsrv, tomcat6, zhudongfangyu, SQLADHLP, 
vmware-usbarbitator64, vmware-converter, dbsrv12, dbeng8wxServer.exe, wxServerView, sqlservr.exe, sqlmangr.exe, 
RAgui.exe, supervise.exe, Culture.exe, RTVscan.exe, Defwatch.exe, sqlbrowser.exe, winword.exe, QBW32.exe, QBDBMgr.exe, 
qbupdate.exe, QBCFMonitorService.exe, axlbridge.exe, QBIDPService.exe, httpd.exe, fdlauncher.exe, MsDtSrvr.exe, 
tomcat6.exe, java.exe, 360se.exe, 360doctor.exe, wdswfsafe.exe, fdlauncher.exe, fdhost.exe, GDscan.exe, ZhuDongFangYu.exe

It also copies itself to %APPDATA% after renaming to executable to “svchostt.exe”.

Copy of the executable in Appdata

To check if an instance of MedusaLocker previously ran on the system it will create a Registry Key at HKEY_CURRENT_USER\Software\Medusa

Pest Doctor

Furthermore it tries to read the State of EnableLinkedConnections via RegOpenKeyExW(HKEY_LOCAL_MACHINE, L"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" … and enables the key if necessary since Medusa tries to encrypt Shared Network Drives and removeable Media as well.

Pest Doctor

After terminating the encryption loop the Ransomware will wait for 60 seconds and start a new scan to check for new unencrypted files.

Pest Doctor

Running MedusaLocker in a VM yields us this UAC Prompt with a mysterious CLSID ({3E5FC7F9-9A51-4367-9063-A120244FBEC7}). A quick google search brings us to Wikileaks Page for the CIA Vault7 leaks and the ID seems to be corresponding to cmstplua.dll. Turns out this is an UAC bypass known and implemented since August 2017 (mentioned here).

Pest Doctor

The Ransomnote (which is dropped in every directory that contains files to encrypt) is delivered as a HTML file. In this early sample they seem to have messed up their text alignment. This was fixed in a later version (see below) and will make it easier to identify new samples as they may appear.

Original Ransomnote

Looking at the section list compared to the

Pest Doctor

This sample seems to have an enabled debug console which allows us to trace the steps of the infection.

Debug Console

Below you can see the new ransomnote. The Protonmail E-Mail address was exchanged for a one and the Victim ID blob was fitted to the textbox.


BleepingComputer Forum User ttrifonov who was hit by the ransomware as well found suspicious files on his Desktop after the Infection took place. Fortunately for us Medusa skipped the executables.

Comment on BleepingCmputer

This would be a huge discovery infection vector-wise as this looks like the attacker gained access to the machine via RDP. (Yet another proof [if we would need any] that RDP exposed to the internet isn’t a good idea)

Pest Doctor

Looks like the attacker left a few files related to Mimikatz as well…

Key Generation

As I mentioned earlier the keypair is generated via CryptGenKey. I’m still trying to map out all the actions on the key material.

Key Generation

The encryption itself is done via the CryptEncrypt function. It seems to use AES for the files and then encrypts the key with a RSA-2048 public key that is stored via a keyblob in the executable.

Encryption Routine

Encryption Routine

After the encryption routine is done the generated hKey is deleted via CryptDestroyKey.

Key Deletion

Update 23.11.2019:

Now I want to take a closer look at the files left by the attacker on the Victim’s Desktop as it was reported multiple times on the BleepingComputer Forum. Besides the Mimikatz files in the kamikadze directory there is a semi-legit tool called “Advanced Port Scanner” (AnyRun, which is basically just a garbage Zenmap alternative for Windows people) and another one called “NetworkShare.exe” (AnyRun, seems to scan for reachable network shares and tries to mount them).

Networkshare Discovery Tool

It also looks like there’s a dedicated version of MedusaLocker for Windows XP called dix_16_xp.exe. As you can see below the Debug Messages start with [LockerXP] instead of [Locker].

The XP Version of MedusaLocker

The Decryptor 🧐

The Decryptor is delivered per Machine with a 4 letter filename indicating to which victim ID it belongs.

SSDEEP Hashes of the decryptor samples

CLI of the Deryptor

Imports listed in PEBear


Medusa (SHA256)

medusa.exe --> SHA256: 3a5b015655f3aad4b4fd647aa34fda4ce784d75a20d12a73f8dc0e0d866e7e01
               SSDEEP: 12288:f+IZ+bobAyYFJPrsU4VwryxjpBx8ajiOhA8tsV1YRbRb7:2++EMyYFJPoUecOh8aWdD1UB7 

dix_16.exe --> SHA256: 49da42d00cc3ad6379ead2e07fd5f09bd358b144a6e78aad4bb1a8298e2bb568
               SSDEEP: 24576:nJC1YAOp0eRaNaQgxPubcoiukAby3LV1jqjx9/WBRQ/8PxS//lTQKJfF27:nw1OfMGxRoiuWZ1jUx9qrS3lsC27 

dix_16_xp.exe --> SHA256: 6c7eda3f5e9bbc685b0eefde2a51f0ccb06ad33805e617876a5124410cac9945
                  SSDEEP: 24576:Sx7USQ2bEdBF4XUCAdbpH7KYlvnIVGDDUWuXrO0VY/QjFdIkyoRn:MISXu5C47KMIaDWVY/QZdjpB

E-Mail Addresses


Associated Files

Advanced Port Scanner 2.4.2750.exe
PsExec64.exe (legitimate)
PsExec.exe (legitimate)
kamikadze/mimidrv (2).sys
kamikadze/mimilib (2).dll

Registry Keys

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ --> EnableLinkedConnections = 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System --> ConsentPromptBehaviorAdmin = 5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System --> EnableLUA = 1


All your data are encrypted!
What happened?
Your files are encrypted, and currently unavailable.
You can check it: all files on you computer has new expansion.
By the way, everything is possible to recover (restore), but you need to buy a unique decryptor.
Otherwise, you never cant return your data.

For purchasing a decryptor contact us by email:
If you will get no answer within 24 hours contact us by our alternate emails:

What guarantees?
Its just a business. If we do not do our work and liabilities - nobody will not cooperate with us.
To verify the possibility of the recovery of your files we can decrypted 1 file for free.
Attach 1 file to the letter (no more than 10Mb). Indicate your personal ID on the letter:

- Attempts of change files by yourself will result in a loose of data.
- Our e-mail can be blocked over time. Write now, loss of contact with us will result in a loose of data.
- Use any third party software for restoring your data or antivirus solutions will result in a loose of data.
- Decryptors of other users are unique and will not fit your files and use of those will result in a loose of data.
- If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key.

Medusa Icon made by Freepik from

You May Also Like