Mallory
Malware · Ransomware · Used by 1 actor · Exploits 2 CVEs

MedusaLocker

MedusaLocker is a Windows ransomware family that the cited sources also refer to as Medusa ransomware, although the same sources explicitly note that the newer Medusa/Spearwing operation is unrelated to the older MedusaLocker variant. MedusaLocker encrypts files through the WinCrypt APIs, apparently using AES for file encryption with the AES key protected by an embedded RSA-2048 public key. It skips certain extensions (exe, dll, sys, ini, lnk, rdp) and files that are already encrypted, deletes restore points and shadow copies, disables Automatic Startup Repair, and repeatedly rescans the system after encryption to catch newly created unencrypted files. It attempts to reach mapped network drives, shared network drives, and removable media, restarts the LanmanWorkstation service so that mapped drives are available, and reads or enables the EnableLinkedConnections registry value to reach shared network drives. Persistence behavior described in the sources includes renaming itself to svchost.exe, copying itself to %APPDATA% as svchostt.exe, and creating startup registry entries; it also creates HKCU\Software\Medusa to record that it has already run on the system.

The malware attempts to terminate numerous security and business application processes, including sqlservr, sqlbrowser, tomcat6, httpd, java, winword, RTVscan, DefWatch, and QuickBooks-related processes. The cited sources also associate MedusaLocker intrusions with broader defense-evasion tradecraft, including process-killing tools such as 0th3r_av5.exe and AV-killer payloads packed with HeartCrypt. In one intrusion in Brazil described by Kaspersky, the attackers used valid RDP administrative credentials, Mimikatz, pass-the-hash via Invoke-WMIExec.ps1 and Invoke-SMBExec.ps1, and a BYOVD AV killer named All.exe that loaded a renamed vulnerable TechPowerUp driver (ThrottleBlood.sys, originally ThrottleStop.sys; CVE-2025-7771) to terminate endpoint protection before a MedusaLocker variant was deployed. Another case describes a suspected zero-day RCE in SimpleHelp that led to execution of an EDR killer and then a Medusa ransomware payload.

The sources link MedusaLocker activity to opportunistic access methods such as exposed or brute-forced RDP and note attacker tooling found in related incidents, including Mimikatz, Advanced Port Scanner, NetworkShare.exe, PsExec.exe, PsExec64.exe, and batch files. A known UAC bypass involving cmstplua.dll and CLSID {3E5FC7F9-9A51-4367-9063-A120244FBEC7} is described, along with another observed CLSID {8761ABBD-7F85-42EE-B272-A76179687C63}. The ransom note is HOW_TO_OPEN_FILES.html, with contact addresses including mrromber@cock.li and mrromber@tutanota.com; additional associated addresses mentioned in the sources include ctorsenoria@tutanota.com, folieloi@protonmail.com, sambolero@tutanoa.com, rightcheck@cock.li, fartcool@protonmail.ch, bestcool@keemail.me, tanoss@protonmail.com, and sypress@protonmail.com. Sample and build artifacts directly mentioned include medusa.exe (SHA-256 3a5b015655f3aad4b4fd647aa34fda4ce784d75a20d12a73f8dc0e0d866e7e01), dix_16.exe (SHA-256 49da42d00cc3ad6379ead2e07fd5f09bd358b144a6e78aad4bb1a8298e2bb568), dix_16_xp.exe (SHA-256 6c7eda3f5e9bbc685b0eefde2a51f0ccb06ad33805e617876a5124410cac9945), and an embedded PDB path: C:\Users\Gh0St\Desktop\MedusaLockerInfo\MedusaLockerProject\MedusaLocker\Release\MedusaLocker.pdb.

The sources further note that MedusaLocker samples and related tooling have been observed in HeartCrypt-packed campaigns, and that over 350 new ransomware strains discovered in 2025 were reportedly based largely on the MedusaLocker, Chaos, and Makop families, indicating substantial code reuse or derivative activity in the ransomware ecosystem.
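The host behaviors summarized above (the HKCU\Software\Medusa marker key, the Run-key persistence for svchostt.exe, the svchost.exe masquerade, shadow-copy and Startup Repair tampering, EnableLinkedConnections, the LanmanWorkstation restart, and the HOW_TO_OPEN_FILES.html note) translate directly into host detection logic. The following is an added example written for this page, not code from Mallory or any cited vendor; the event dictionaries are constructed Sysmon-style telemetry, the exact command lines (such as the bcdedit recoveryenabled switch) are assumptions about how the described actions appear on a host, and the ATT&CK tags follow the page's mapping where it has one.

```python
import re

# Rules: (ATT&CK id, using the page's mapping where it has one; description; predicate over an event dict).
RULES = [
    ("T1497", "execution-marker key HKCU\\Software\\Medusa created",
     lambda e: e["type"] == "registry" and e["target"].lower().endswith("\\software\\medusa")),
    ("T1547.001", "Run key pointing at svchostt.exe under %APPDATA%",
     lambda e: e["type"] == "registry" and "\\currentversion\\run\\" in e["target"].lower()
     and "svchostt.exe" in e["details"].lower()),
    ("T1036", "svchost.exe executing outside System32",
     lambda e: e["type"] == "process" and e["image"].lower().endswith("\\svchost.exe")
     and "\\windows\\system32\\" not in e["image"].lower()),
    ("T1490", "shadow copies deleted or Automatic Startup Repair disabled",
     lambda e: e["type"] == "process" and re.search(
         r"vssadmin.*delete shadows|wbadmin.*delete catalog|bcdedit.*recoveryenabled\s+no",
         e["cmdline"], re.I) is not None),
    ("T1112", "EnableLinkedConnections set to 1",
     lambda e: e["type"] == "registry" and e["target"].lower().endswith("\\enablelinkedconnections")
     and "0x00000001" in e["details"]),
    ("T1135", "LanmanWorkstation stopped or started to refresh mapped drives",
     lambda e: e["type"] == "process" and re.search(
         r"\b(net|sc)(\.exe)?\s+(stop|start)\s+lanmanworkstation", e["cmdline"], re.I) is not None),
    ("T1486", "ransom note HOW_TO_OPEN_FILES.html written",
     lambda e: e["type"] == "file" and e["target"].lower().endswith("\\how_to_open_files.html")),
]

def match_events(events):
    """Return the set of (technique, description) pairs hit by at least one event."""
    return {(tech, desc) for e in events for tech, desc, pred in RULES if pred(e)}

# Constructed Sysmon-style sample events (an assumption, not real logs); the last one is benign and must not fire.
SAMPLE_EVENTS = [
    {"type": "registry", "target": r"HKCU\Software\Medusa", "details": ""},
    {"type": "registry", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchostt",
     "details": r"C:\Users\alice\AppData\Roaming\svchostt.exe"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Roaming\svchost.exe", "cmdline": "svchost.exe"},
    {"type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"type": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"type": "registry", "details": "DWORD (0x00000001)",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections"},
    {"type": "process", "image": r"C:\Windows\System32\net.exe", "cmdline": "net stop LanmanWorkstation /y"},
    {"type": "file", "target": r"C:\Users\alice\Documents\HOW_TO_OPEN_FILES.html"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for tech, desc in sorted(match_events(SAMPLE_EVENTS)):
        print(tech, desc)
```

Any single rule here is noisy on its own (administrators do stop LanmanWorkstation); the value is in several of them firing on one host within a short window, which is what the set returned by match_events is meant to feed into.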


Exploited CVEs: vulnerabilities exploited

2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
CVE-2025-7771: Arbitrary Physical Memory Read/Write in TechPowerUp ThrottleStop.sys (exploited in the wild)

The vulnerability in ThrottleStop.sys has been assigned CVE-2025-7771. According to our information, the vendor is currently preparing a patch.

via Securelist (securelist.com)
CVE-2025-55182: React2Shell (exploited in the wild)

"A critical remote code execution (RCE) vulnerability, identified as CVE-2025-55182 and dubbed React2Shell, exists within the React Server Components (RSC) architecture, allowing unauthenticated attackers to execute arbitrary code..."

via F5 Community (community.f5.com)
Threat actors: groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
ANTHROPOID SPIDER

"...web server exploitation campaigns in 2020 that primarily delivered MedusaLocker ransomware."

via CrowdStrike blog (go.crowdstrike.com)
MITRE ATT&CK: techniques & procedures

22 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access (2 techniques)

T1190 Exploit Public-Facing Application (evidence: 1)

The process trace indicates that the initial infection could be related to the zero-day RCE exploits... which affected ConnectWise and BeyondTrust products.

T1566.001 Spearphishing Attachment (evidence: 1)

After gaining access, typically through phishing, malicious attachments, or compromised network entry points, it conducts network-wide file encryption...

Execution (3 techniques)

T1053.005 Scheduled Task (evidence: 1)

“MEDUSALOCKER… Persistence is established using a scheduled task.” and “Scheduled Task/Job (T1053) · Scheduled Task (T1053.005)”

T1059 Command and Scripting Interpreter (evidence: 1)

“When executed, a Skill’s code runs with access to the local environment, including filesystem and network, effectively granting it the privileges of a local process.”

T1204 User Execution (evidence: 1)

“Users must grant permission for a Skill to be run as well as approve any code Claude generates… users may unknowingly grant permission for a Skill to perform dangerous actions…”

Persistence (3 techniques)

T1053.005 Scheduled Task (evidence: 1)

“MEDUSALOCKER… Persistence is established using a scheduled task.” and “Scheduled Task/Job (T1053) · Scheduled Task (T1053.005)”

T1112 Modify Registry (evidence: 1)

To check if an instance of MedusaLocker previously ran on the system it will create a Registry Key at HKEY_CURRENT_USER\Software\Medusa ... and enables the key if necessary since Medusa tries to encrypt Shared Network Drives and removable Media as well.

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

After the "Adding to Autoload" debug message it will rename itself to svchost.exe and add its Registry Key to the System startup.

Privilege Escalation (3 techniques)

T1053.005 Scheduled Task (evidence: 1)

“MEDUSALOCKER… Persistence is established using a scheduled task.” and “Scheduled Task/Job (T1053) · Scheduled Task (T1053.005)”

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

After the "Adding to Autoload" debug message it will rename itself to svchost.exe and add its Registry Key to the System startup.

T1548.002 Bypass User Account Control (evidence: 1)

Running MedusaLocker in a VM yields us this UAC Prompt with a mysterious CLSID ({3E5FC7F9-9A51-4367-9063-A120244FBEC7}) ... corresponding to cmstplua.dll. Turns out this is a UAC bypass known and implemented since August 2017.

Stealth (4 techniques)

T1027 Obfuscated Files or Information (evidence: 1)

“AVADDON, ThunderX and RANZY have different implementations to obfuscate both the RSA key and the strings.”

T1036 Masquerading (evidence: 1)

After the "Adding to Autoload" debug message it will rename itself to svchost.exe ... It also copies itself to %APPDATA% after renaming the executable to "svchostt.exe".

T1070.004 File Deletion (evidence: 1)

“Backup Deletion… delete the Windows Shadow Copies invoking wbadmin, bcdedit.exe and vssadmin.exe and to empty the recycle bin.” and “Indicator Removal on Host (T1070) · File Deletion (T1070.004)”

T1497 Virtualization/Sandbox Evasion (evidence: 1)

To check if an instance of MedusaLocker previously ran on the system it will create a Registry Key at HKEY_CURRENT_USER\Software\Medusa

Defense Impairment (1 technique)

T1112 Modify Registry (evidence: 1)

To check if an instance of MedusaLocker previously ran on the system it will create a Registry Key at HKEY_CURRENT_USER\Software\Medusa ... and enables the key if necessary since Medusa tries to encrypt Shared Network Drives and removable Media as well.

Credential Access (1 technique)

T1003 OS Credential Dumping (evidence: 1)

Looks like the attacker left a few files related to Mimikatz as well... Besides the Mimikatz files in the kamikadze directory...

Discovery (3 techniques)

T1057 Process Discovery (evidence: 1)

MedusaLocker will try to terminate the following processes by their name. The List contains Security Software as well as Services commonly used in productive environments such as SQL or Webservers.

T1135 Network Share Discovery (evidence: 1)

NetworkShare.exe ... seems to scan for reachable network shares and tries to mount them ... Medusa tries to encrypt Shared Network Drives and removable Media as well.

T1497 Virtualization/Sandbox Evasion (evidence: 1)

To check if an instance of MedusaLocker previously ran on the system it will create a Registry Key at HKEY_CURRENT_USER\Software\Medusa

Lateral Movement (1 technique)

T1021.001 Remote Desktop Protocol (evidence: 1)

This would be a huge discovery infection vector-wise as this looks like the attacker gained access to the machine via RDP.

Command and Control (1 technique)

T1105 Ingress Tool Transfer (evidence: 2)

Various artifacts, including the AV killer, were uploaded to the C:\Users\Administrator\Music folder on the mail server. These artifacts were later uploaded to other machines alongside the ransomware (haz8.exe).

Impact (3 techniques)

T1486 Data Encrypted for Impact (evidence: 6)

Since early 2023, AvNeutralizer has been used in numerous intrusions, including with the subsequent deployment of well-known ransomware strains such as AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit.

T1489 Service Stop (evidence: 2)

MedusaLocker will try to terminate the following processes by their name. The List contains Security Software as well as Services commonly used in productive environments such as SQL or Webservers.

T1490 Inhibit System Recovery (evidence: 1)

As it is very popular with Ransomware to disable the Automatic Startup Repair and delete System Restore Points plus shadow copies Medusa will do so as well.

Other (2 techniques)

T1562.001 Disable or Modify Tools (evidence: 2)

The attacker achieved their objective by disabling the AV in place on various endpoints and servers across the network... The AV killer checks all running processes against the hardcoded list. If any match, it kills them.

T1562 Impair Defenses (evidence: 1)

We have seen one payload of particular concern — an AV killer tool among the payloads. In multiple cases, this tool was detected during an ongoing ransomware attack.

Indicators of compromise: IOCs tracked for this family

14 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Network (2 tracked)

IPs, domains, and DNS infrastructure linked to this family.

Hashes (12 tracked)

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type        Value          Latest sighting
hash.sha1   (redacted)     1 month ago
hash.sha256 (redacted)     1 month ago
domain      (redacted)     2 months ago
hash.sha256 (redacted)     4 months ago
domain      (redacted)     6 months ago
hash.sha1   (redacted)     11 months ago