MedusaLocker Ransomware Analysis, Simulation, and Mitigation

On June 30, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on MedusaLocker ransomware [1]. MedusaLocker is operated as a Ransomware-as-a-Service (RaaS) and has targeted organizations in multiple sectors, especially healthcare and pharmaceutical companies. Although Picus Labs added attack simulations for MedusaLocker ransomware to the Picus Threat Library back in October 2021, the recent wave of MedusaLocker attacks led us to write this blog post.


MedusaLocker Ransomware

MedusaLocker is a typical ransomware that follows the single extortion model: it encrypts the victim's data and demands a ransom for the decryption key. Although its ransom note threatens to release stolen sensitive data, there is no evidence that MedusaLocker actually exfiltrates data.

MedusaLocker also follows the Ransomware-as-a-Service (RaaS) business model: the developers of MedusaLocker share the ransomware with affiliate threat actors in return for a share of each ransom payment.

Threat actors that use MedusaLocker ransomware most often gain initial access through vulnerable or weakly protected Remote Desktop Protocol (RDP) services exposed to the internet. After initial access, the attack follows the typical ransomware lifecycle and ends with the victim locked out of its own data.

Figure 1: Ransom note after MedusaLocker infection [2]

TTPs Used by MedusaLocker Ransomware

MedusaLocker ransomware uses the following tactics, techniques, and procedures (TTPs):

Tactic: Initial Access

  • MITRE ATT&CK T1078 Valid Accounts
    Threat actors brute-force the passwords of RDP services. A guessed password gives them a valid account and, with it, initial access to the victim's network.
  • MITRE ATT&CK T1566 Phishing
    In some cases, the ransomware is delivered as an attachment to a phishing email.
  • MITRE ATT&CK T1133 External Remote Services
    Threat actors exploit vulnerable, internet-facing RDP services in the victim network to gain initial access.

Tactic: Execution

  • MITRE ATT&CK T1059.001 Command and Scripting Interpreter: PowerShell
    MedusaLocker is typically dropped as a batch file named "qzy.bat" together with a PowerShell script saved as a text file named "qzy.txt". When the batch file runs, it registers a Windows service named "purebackup" whose binary path starts PowerShell, reads the contents of qzy.txt with [IO.File]::ReadAllText, and executes them with Invoke-Expression (IEX). Because the script is loaded from a .txt file and executed as a string rather than run as a .ps1 file, PowerShell's execution policy does not apply to it, and since the service is created with start= auto, the same command also gives the malware persistence across reboots:

sc create purebackup binpath= "%COMSPEC% /C start /b C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe -c $km = [IO.File]::ReadAllText('C:\Windows\SysWOW64\qzy.txt'); IEX $km" start= auto DisplayName= "purebackup"

  • MITRE ATT&CK T1047 Windows Management Instrumentation
    MedusaLocker uses the Windows Management Instrumentation command-line utility (wmic.exe) to delete volume shadow copies, so that victims cannot restore their encrypted files from Volume Shadow Copy Service snapshots:

wmic.exe shadowcopy delete /interactive

Tactic: Persistence

  • MITRE ATT&CK T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    MedusaLocker establishes persistence and executes the ransomware again at each logon by adding a Run key value named MSFEEditor that points to the malware executable:

MSFEEditor = "{Malware File Path}\{Malware File Name.exe}"

  • MITRE ATT&CK T1053.005 Scheduled Task/Job: Scheduled Task (formerly tracked as T1168 Local Job Scheduling)
    MedusaLocker creates a scheduled task called "svhost" (a lookalike of the legitimate svchost.exe name) that runs the ransomware automatically every 15 minutes, which relaunches it if its process is terminated.

Tactic: Privilege Escalation

  • MITRE ATT&CK T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
    MedusaLocker ransomware abuses the built-in, Microsoft-signed Connection Manager Profile Installer (cmstp.exe) to bypass User Account Control (UAC) and run arbitrary commands with elevated privileges.
  • MITRE ATT&CK T1078 Valid Accounts
    Threat actors brute-force the passwords of RDP services. If a guessed password belongs to a domain administrator account, they can execute commands with elevated privileges from the start.

Tactic: Defense Evasion

  • MITRE ATT&CK T1562.001 Impair Defenses: Disable or Modify Tools
    MedusaLocker disables security products such as antivirus software so that it is not detected before encryption starts.
  • MITRE ATT&CK T1562.009 Impair Defenses: Safe Mode Boot
    In Safe Mode, Windows starts with a minimal set of drivers and services, and most third-party endpoint security agents do not run. MedusaLocker abuses this by booting the host into Safe Mode and running there to evade endpoint defenses.

Tactic: Credential Access

  • MITRE ATT&CK T1110 Brute Force
    Threat actors use brute-force password guessing for RDP services.

Tactic: Discovery

  • MITRE ATT&CK T1083 File and Directory Discovery
    MedusaLocker enumerates files and directories on the victim's computer. It then encrypts everything it found, with the exception of the following folders:

%User Profile%\AppData

\Program Files

\Program Files (x86)

\Application Data

\Users\All Users

  • MITRE ATT&CK T1135 Network Share Discovery
    MedusaLocker enumerates shared files on the network. Shared files also reveal other hosts in the network that the ransomware can move to laterally.
  • MITRE ATT&CK T1012 Query Registry
    MedusaLocker queries the registry to learn which security products are installed on the victim's host.

Tactic: Lateral Movement

  • MITRE ATT&CK T1021 Remote Services
    MedusaLocker ransomware uses remote services to infect other hosts in the victim's network. Threat actors use RDP, PsExec, and SMB to spread the ransomware payload.

Tactic: Command and Control

  • MITRE ATT&CK T1105 Ingress Tool Transfer
    MedusaLocker uses the built-in certutil.exe utility to download additional files from its command and control server onto hosts in the victim's network.

Tactic: Impact

  • MITRE ATT&CK T1486 Data Encrypted for Impact
    MedusaLocker uses a hybrid encryption approach. The victim's files are encrypted with an AES-256 symmetric encryption algorithm, and the secret key is encrypted with RSA-2048 public-key encryption.
  • MITRE ATT&CK T1490 Inhibit System Recovery
    MedusaLocker deletes volume shadow copies and disables the Windows recovery environment, so that victims cannot roll back to pre-encryption versions of their files, using the following commands:

vssadmin.exe delete shadows /all /quiet

bcdedit.exe /set {default} recoveryenabled no

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

wmic.exe shadowcopy delete /interactive
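The command lines listed under T1490 above, together with the wmic.exe shadow copy deletion under T1047 and the "sc create purebackup" service command under T1059.001 in the Execution section, are all process-creation events that an EDR or Sysmon pipeline sees. The following is an added example, not code from the original post and not Picus content: a small set of detection rules run over constructed Sysmon-style process-creation records. The record fields (image, command_line, parent_image), the rule names and the sample events are this example's own; the rules deliberately match on the verb and object rather than the exact switch order, so they also catch variants such as "wmic shadowcopy delete" without the /interactive switch or "vssadmin delete shadows /all /quiet" with the switches reordered.

```python
"""Process-creation detections for the MedusaLocker command lines on this page.

Added example, not part of the original post. The events are constructed
Sysmon-style process-creation records, not real telemetry; the field names
(image, command_line, parent_image) are this example's own.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


def _is_image(event: ProcessEvent, name: str) -> bool:
    return event.image.lower().endswith("\\" + name)


def is_shadow_copy_deletion(event: ProcessEvent) -> bool:
    """T1490 / T1047: 'vssadmin delete shadows' or 'wmic shadowcopy delete',
    whatever extra switches (/all /quiet, /interactive, ...) follow."""
    cl = event.command_line.lower()
    if _is_image(event, "vssadmin.exe"):
        return "delete" in cl and "shadows" in cl
    if _is_image(event, "wmic.exe"):
        return "shadowcopy" in cl and "delete" in cl
    return False


def is_boot_recovery_tampering(event: ProcessEvent) -> bool:
    """T1490: bcdedit turning off Windows Recovery or hiding boot failures."""
    cl = event.command_line.lower()
    if not _is_image(event, "bcdedit.exe"):
        return False
    return bool(re.search(r"recoveryenabled\s+no\b", cl)) or \
        bool(re.search(r"bootstatuspolicy\s+ignoreallfailures", cl))


def is_powershell_iex_service(event: ProcessEvent) -> bool:
    """T1059.001 with persistence through a new service: 'sc create' whose
    binpath launches PowerShell that reads a file and feeds it to IEX
    (Invoke-Expression), as in the qzy.bat / qzy.txt pair."""
    cl = event.command_line.lower()
    return (_is_image(event, "sc.exe") and "create" in cl
            and "binpath=" in cl and "powershell" in cl
            and re.search(r"\biex\b|invoke-expression", cl) is not None)


RULES = [
    ("T1490", "shadow copy deletion", is_shadow_copy_deletion),
    ("T1490", "boot recovery tampering", is_boot_recovery_tampering),
    ("T1059.001", "service running PowerShell via IEX", is_powershell_iex_service),
]


def evaluate(events):
    """Return (technique, rule name, command line) for every rule hit."""
    hits = []
    for event in events:
        for technique, name, predicate in RULES:
            if predicate(event):
                hits.append((technique, name, event.command_line))
    return hits


# Constructed sample events: the page's command lines plus two benign ones.
SYS32 = "C:\\Windows\\System32\\"
CMD = SYS32 + "cmd.exe"
SAMPLE_EVENTS = [
    ProcessEvent(SYS32 + "sc.exe",
                 'sc create purebackup binpath= "%COMSPEC% /C start /b '
                 'C:\\Windows\\SysWow64\\WindowsPowerShell\\v1.0\\powershell.exe '
                 "-c $km = [IO.File]::ReadAllText('C:\\Windows\\SysWOW64\\qzy.txt'); "
                 'IEX $km" start= auto DisplayName= "purebackup"', CMD),
    ProcessEvent(SYS32 + "wbem\\wmic.exe",
                 "wmic.exe shadowcopy delete /interactive", CMD),
    ProcessEvent(SYS32 + "vssadmin.exe",
                 "vssadmin.exe delete shadows /all /quiet", CMD),
    ProcessEvent(SYS32 + "bcdedit.exe",
                 "bcdedit.exe /set {default} recoveryenabled no", CMD),
    ProcessEvent(SYS32 + "bcdedit.exe",
                 "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures", CMD),
    # Benign administration that must not fire
    ProcessEvent(SYS32 + "vssadmin.exe", "vssadmin.exe list shadows", CMD),
    ProcessEvent(SYS32 + "sc.exe",
                 'sc create backupagent binpath= "C:\\Program Files\\Agent\\agent.exe" '
                 'start= auto', CMD),
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Run as a script it prints five hits, one per MedusaLocker command line, and nothing for the two benign events. In production the same predicates belong in a SIEM or EDR rule language; the value of keeping them this narrow is that shadow copy deletion and bcdedit recovery changes are almost never legitimate outside of scheduled maintenance, so each hit can be treated as high-severity on its own rather than correlated first.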
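The hybrid scheme described under T1486 above, with a fresh AES-256 key per file and that key wrapped with the operator's RSA-2048 public key, is worth seeing as code because it explains what a responder can and cannot recover. The following is an added example, not MedusaLocker's code and not Picus content: it reproduces only the key hierarchy the page describes, using the `cryptography` package (AES-256-GCM and RSA-OAEP). The container layout, the MAGIC marker and the sample file contents are constructed for this example.

```python
"""Hybrid file encryption of the kind described under T1486.

Added example, not MedusaLocker's code: it reproduces only the key
hierarchy the page describes (a per-file AES-256 key, wrapped with the
operator's RSA-2048 public key) using the `cryptography` package. The
container layout, the MAGIC marker and the sample file contents are
constructed for this example.
"""
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"HYBRID1"     # constructed marker, not MedusaLocker's format
WRAPPED_LEN = 256      # RSA-2048 OAEP ciphertext is always 256 bytes
NONCE_LEN = 12         # AES-GCM nonce length

OAEP = padding.OAEP(
    mgf=padding.MGF1(algorithm=hashes.SHA256()),
    algorithm=hashes.SHA256(),
    label=None,
)


def generate_operator_keypair():
    """RSA-2048 pair. Only the public half is embedded in the malware; the
    private half stays with the operator, which is what the ransom buys."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    return priv, priv.public_key()


def encrypt_file_bytes(plaintext: bytes, operator_pub) -> bytes:
    """Encrypt one file with a fresh 256-bit key, then wrap that key with
    the operator's public key so that only the private key can unwrap it.
    Returns MAGIC || wrapped_key || nonce || ciphertext+tag."""
    file_key = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = AESGCM(file_key).encrypt(nonce, plaintext, None)
    wrapped_key = operator_pub.encrypt(file_key, OAEP)
    return MAGIC + wrapped_key + nonce + ciphertext


def _split(container: bytes):
    if not container.startswith(MAGIC):
        raise ValueError("not an encrypted container")
    body = container[len(MAGIC):]
    wrapped_key = body[:WRAPPED_LEN]
    nonce = body[WRAPPED_LEN:WRAPPED_LEN + NONCE_LEN]
    ciphertext = body[WRAPPED_LEN + NONCE_LEN:]
    return wrapped_key, nonce, ciphertext


def unwrap_file_key(container: bytes, operator_priv) -> bytes:
    """First step of the operator's decryptor: recover the per-file key."""
    wrapped_key, _, _ = _split(container)
    return operator_priv.decrypt(wrapped_key, OAEP)


def decrypt_with_file_key(container: bytes, file_key: bytes):
    """Decrypt with a bare file key (for example one scraped from memory
    while encryption was running). Returns None when the key does not
    belong to this container, because the GCM tag check fails."""
    _, nonce, ciphertext = _split(container)
    try:
        return AESGCM(file_key).decrypt(nonce, ciphertext, None)
    except InvalidTag:
        return None


def decrypt_file_bytes(container: bytes, operator_priv) -> bytes:
    """Full recovery path: needs the operator's private key."""
    return decrypt_with_file_key(container, unwrap_file_key(container, operator_priv))


if __name__ == "__main__":
    priv, pub = generate_operator_keypair()
    # Constructed sample "files"
    c1 = encrypt_file_bytes(b"patient record 0001", pub)
    c2 = encrypt_file_bytes(b"patient record 0002", pub)
    k1 = unwrap_file_key(c1, priv)
    print("file 1 with private key:", decrypt_file_bytes(c1, priv))
    print("file 2 with file 1's key:", decrypt_with_file_key(c2, k1))  # None
```

The practical consequence for incident response: because every file carries its own wrapped key, a file key recovered from a memory dump or a crashed process decrypts exactly one file, and the ciphertexts leak nothing about the RSA private key. Unless the sample has an implementation flaw (a reused nonce, a predictable key generator, or the private key embedded by mistake), recovery depends on offline backups that the T1490 commands above did not reach.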

How Picus Helps Simulate MedusaLocker Ransomware Attacks

We strongly suggest simulating MedusaLocker ransomware attacks to test the effectiveness of your security controls against ransomware using Picus' Complete Security Control Validation Platform. You can test your defenses against MedusaLocker and hundreds of other ransomware families such as Conti, DarkSide, and REvil (Sodinokibi) within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for MedusaLocker ransomware (Action Name / Attack Module):

  • MedusaLocker Ransomware Email Threat / Email Infiltration (Phishing)
  • MedusaLocker Ransomware Download Threat / Network Infiltration

Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.

Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures that address MedusaLocker ransomware and other ransomware attacks in preventive security controls. Picus Labs has validated the following signatures for MedusaLocker:

Security Control | Signature ID | Signature Name
Check Point NGFW | |
Check Point NGFW | |
Check Point NGFW | |
Check Point NGFW | |
Check Point NGFW | |
Cisco Firepower | | MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt
Fortigate AV | |
 | | MALWARE: Malicious File Detected by GTI
Palo Alto NGFW | | ransomware/Win32 EXE.filecoder.adp
Palo Alto NGFW | | ransomware/Win32 EXE.filecoder.alc
Snort IPS | | MALWARE-OTHER Win.Trojan.MedusaLocker malicious executable download attempt

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus' Complete Security Control Validation Platform.

Indicators of Compromise

[1] CISA, "#StopRansomware: MedusaLocker," Joint Cybersecurity Advisory, June 30, 2022. [Online].

[2] Cybereason Nocturnus, "Cybereason vs. MedusaLocker Ransomware." [Online].