MEDUSALOCKER: Uprooting its Branches

Rakesh Krishnan
Coinmonks


NOTE: This article focuses on the MedusaLocker RaaS platform and how it became a major player in the ransomware industry. No reversing is included, as there are already many detailed malware-analysis articles out there.

Here is a short glimpse of the topics covered in this Article:-

1. INTRODUCTION
2. RANSOMWARE NAMING CONVENTION
3. DUAL PHASES OF MEDUSALOCKER
4. MEDUSALOCKER: TOR v3 Variant
5. MEDUSALOCKER - TARGETED INDUSTRIES
6. VICTIMOLOGY
7. MEDUSALOCKER SPIN OFFS: Uncoiling Medusa Variants (TOR v3)
8. TRACING PAYMENTS OF MEDUSALOCKER
9. MEDUSALOCKER BEFORE TOR v3 MIGRATION
10. MEDUSA RANSOMWARE: UNRELATED TO MEDUSALOCKER
11. CONCLUSION

INTRODUCTION

MedusaLocker initially appeared in September 2019, targeting the Windows environment. It later evolved into a Ransomware-as-a-Service (RaaS) operation, and in 2022 the group introduced a DLS (Data Leak Site) on the Dark Web listing compromised victims.

Medusa | Photo Credit: OpenSea

RANSOMWARE NAMING CONVENTION

Each Ransomware Group assigns a specific name to a folder while infecting the victim’s machine. This can be found in the Ransom Note as well. Threat Actors select suitable names for their operation which are commonly inspired by Games, TV Series, Fictional Characters, Mythology, etc.

The choice of the name “MEDUSA” for the Medusa Ransomware likely draws inspiration from the mythological figure of Medusa.

In Greek mythology, Medusa was known for her ability to turn people to stone with a single glance. Similarly, ransomware encrypts a victim’s files, effectively locking them and rendering them inaccessible until a ransom is paid. This parallel reflects the idea that the Medusa ransomware has the power to “freeze” the victim’s digital assets, just as Medusa could freeze her victims in stone.

DUAL PHASES OF MEDUSALOCKER

While analyzing MedusaLocker, it was found that MedusaLocker had two phases: before TOR v3 and after TOR v3. This is important for establishing the timeline of MedusaLocker activities.

Moreover, MedusaLocker does NOT add a .medusa extension to encrypted files; instead its spin-offs append various other extensions such as .marlock, .farlock, .deadfiles, .skynet, etc.

To be more precise, MedusaLocker used the following TOR URLs:-

Domain before switching to TOR v3:- 
gvlay6u4g53rxdi5.onion

Domain after switching to TOR v3:-
qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
z6wkgghtoawog5noty5nxulmmt2zs7c3yvwr22v4czbffdoly2kl4uad.onion

NOTE: There is another ransomware strain with the same name, “Medusa”. It’s called “Medusa Ransomware” and emerged in 2023 (but has been active since 2022). This causes confusion across various articles, as many have clubbed the targeted industries and TTPs of both Medusas together. Even the CISA report clubs the old and new Medusa strains together.

This article, however, focuses primarily on “MedusaLocker”, which has existed since 2019.

MEDUSALOCKER: TOR v3 Variant

To make the attribution concrete, here are a few important Threat Actor anchor points for the TOR v3 era, such as email addresses, TOR onion sites and the TOX chat ID, that identify the MedusaLocker Ransomware (RaaS):

EMAIL ADDRESSES (With Advertised Ransomware spin-offs)
======================================================

sambolero@tutanota.com: MEDUSALOCKER
rightcheck@cock.li

suppdecrypt@protonmail.com: MEDUSALOCKER
suppdecrypt@cock.li

folieloi@protonmail.com: MEDUSALOCKER
ctorsenoria@tutanoa.com

mrromber@cock.li: MEDUSALOCKER
mrromber@tutanota.com

fartcool@protonmail.ch: MEDUSALOCKER
bestcool@keemail.me

tanoss@protonmail.com: MEDUSALOCKER
sypress@protonmail.com

ithelp@decorous.cyou: MEDUSA, NTLOCK2
ithelp@wholeness.business

ithelp01@decorous.cyou: MARLOCK, MAMAI, YOUFILESLOCK
ithelp01@wholeness.business

ithelp02@decorous.cyou: FARLOCK, L54, L16, MEDUSALOCKER
ithelp02@wholeness.business

ithelp03@decorous.cyou: EXLOCK, READINSTRUCTION
ithelp03@wholeness.business

ithelpconcilium@tutanota.com: READINSTRUCTION
nicolasmarvinlor@outlook.com

ithelp04@decorous.cyou: ReadSRead, READNET
ithelp04@wholeness.business

ithelp06@decorous.cyou: HUYLOCK
ithelp06@wholeness.business

ithelp07@decorous.cyou: FARATTACK
ithelp07@wholeness.business

ithelp08@decorous.cyou: ONELOCK
ithelp08@wholeness.business

ithelp09@decorous.cyou: BULWARK
ithelp09@wholeness.business

help_24_decr1@outlook.com: READS, NEWNET
help_24_decr2@outlook.com

restoreassistance_net@wholeness.business: SUNNYDAY
restoreassistance_net@decorous.cyou

githelpernetwork@decorous.cyou: KEVERSEN
ithelpernetwork@wholeness.business

ransom.data@gmail.com: SKYNET

TOR ONIONS
==========
qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
z6wkgghtoawog5noty5nxulmmt2zs7c3yvwr22v4czbffdoly2kl4uad.onion

TOX ID: E9CD65687463F67F64937E961DD723DC82C79CB548375AAE8AA4A0698D356C5E7E157B22E8CD

NOTE: By searching (dorking) for the identifiers listed above (email addresses, TOR sites and the TOX ID), you can identify MedusaLocker variants across various sources. Most of the email addresses listed above do not appear in the CISA report.

1. MedusaLocker uses the following domain to negotiate with its victims:-

qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion

Negotiation Channel of MedusaLocker for its Victims

2. MedusaLocker dumps the data in the following website:-

z6wkgghtoawog5noty5nxulmmt2zs7c3yvwr22v4czbffdoly2kl4uad.onion

Data Leak Site of MedusaLocker Ransomware

Unlike other Ransomware players, MedusaLocker does not host leaked data on the site for free but shares pictures of sensitive files to prove that the group holds the complete data.

MedusaLocker announced on its DLS that it is not assigning any specific name to its blog. This could be to avoid confusion among netizens, as there are various spin-offs of MedusaLocker in the wild (because it is offered as a RaaS platform).

MEDUSALOCKER — TARGETED INDUSTRIES

MedusaLocker affiliates have been observed targeting various industries over the past few months. I have prepared a chart of these:-

Affected Industries by MedusaLocker

NOTE: This does not limit attackers to the industries listed here: Threat Actors routinely scan a large pool of targets and instantly infect whichever is vulnerable (unless it’s a targeted and orchestrated attack).

VICTIMOLOGY

As of May 2023, the ransomware group had listed ~22 victims across 10 countries and 13 industries on its DLS (Data Leak Site) page.

Here are the affected countries with their respective flags:-

Affected Countries by MedusaLocker Ransomware

MEDUSALOCKER SPIN OFFS: Uncoiling Medusa Variants (TOR v3)

Checking various sandbox reports shows that MedusaLocker, prevalent since 2021, is still rife: it keeps affecting companies, and new victims are added to its DLS regularly.

Recent MedusaLocker Infection Rate from Triage Sandbox

Let’s dive deep into the variants of MedusaLocker along with their timelines:-

2021
====
Ever101 Ransomware = JULY 2021
L16 Ransomware = JULY 2021
Keversen Ransomware = JULY 2021
NTLock Ransomware = AUGUST 2021
NTLock2 = AUGUST 2021
Marlock Ransomware = SEPTEMBER 2021
Farlock Ransomware = SEPTEMBER 2021
EXLOCK = OCTOBER 2021
HuyLock Ransomware = NOVEMBER 2021

2022
====
FarAttack Ransomware = JANUARY 2022
L54 Ransomware = FEBRUARY 2022
NewNet Ransomware = FEBRUARY 2022
SunnyDay Ransomware = MARCH 2022
YouFilesLock Ransomware = JULY 2022
ReadSRead = JULY 2022
LockLock Ransomware = SEPTEMBER 2022
Bulwark Ransomware = OCTOBER 2022
OneLock Ransomware = NOVEMBER 2022
LatchNetwork Ransomware = DECEMBER 2022

2023
====
Marnet Ransomware = JANUARY 2023
Mamai Ransomware = MARCH 2023
Skynet Ransomware = MARCH 2023
Skylock Ransomware = APRIL 2023

By tracing the spin-offs, I have prepared the following graph which links each variant with the timeline and extortion email addresses used:

NOTE: There may be many more variants in the wild, but we only get to know about the successful attacks that surface on the Internet.

MEDUSALOCKER Spin-Offs with their Timeline and Email Addresses used for Extortion (TOR v3)

From the above graph; the following points can be deduced:-

1. Though MedusaLocker initially popped up in 2019, no activity was recorded in 2020. We can estimate that the ransomware was still in development, or that the group was recruiting affiliates via marketing on the Dark Web.
2. It is found that the email address ithelp01@decorous.cyou has 4 variants: MARLOCK (Sept. 2021), YOUFILESLOCK (July 2022) MARNET (January 2023), and MAMAI (March 2023).
3. Six email pairs (two addresses each) used the MedusaLocker name directly, without a separate spin-off name.
4. It can be assumed that the main players of MedusaLocker had initiated a naming convention (ITHELP01 to ITHELP09) for their affiliates to remove the confusion in the contact names.
5. From the graph, it can be found that there were 9 variants of MedusaLocker in 2021 which increased to 11 variants in 2022.
6. In 2023; it is expected to grow even further.
7. Only the variant “SKYNET” uses GMAIL as the communicator email address with their victims. This could be the work of amateurs getting hold of ransom code for spreading.
8. Only the Keversen and SunnyDay variants use an email naming convention other than “ITHELP”.
9. Both email domains: wholeness.business and decorous.cyou got registered on 1st July 2021.
10. Hence, the initial spin-off for MedusaLocker was founded in July 2021.
11. Most of the affiliates keep their spin-off name after getting inspired by video games such as Skynet, Bulwark, HuyLock, and FarAttack.

During sample analysis, traces of GlobeImposter Ransomware code (prevalent since 2017) were found. Two of the samples are:-

MD5
59e3542c4d5293a1a12b2bb6cb357d92
0f025715a5cb507fc46a4df12cfa74d4

TRACING PAYMENTS OF MEDUSALOCKER

Any ransomware operation’s success can be measured by the amount of ransom it receives from its victims. Payments cement its foothold in the extortion industry, making it more dangerous in the eyes of the Infosec community.

MedusaLocker has been active since 2019, and the ransom payments received so far total around 303.49 BTC.

BITCOIN WALLETS of MedusaLocker (With First Seen Date & Total Received Amt)
===========================================================================

2019
====
1AbRxRfP6yHePpi7jmDZkS4Mfpm1ZiatH5: January 16, 2019 -> 161BTC
18wRbb94CjyTGkUp32ZM7krCYCB9MXUq42: July 1, 2019 -> 21.8BTC
1DRxUFhvJjGUdojCzMWSLmwx7Qxn79XbJq: December 4, 2019 -> 3BTC

2020
====
1Edcufenw1BB4ni9UadJpQh9LVx9JGtKpP: April 19, 2020 -> 8.7BTC
1DyMbw6R9PbJqfUSDcK5729xQ57yJrE8BC: May 7, 2020 -> 12.06BTC
184ZcAoxkvimvVZaj8jZFujC7EwR3BKWvf: Oct 29, 2020 -> 10.39BTC
14oH2h12LvQ7BYBufcrY5vfKoCq2hTPoev: Dec 18, 2020 -> 4.5BTC
1HZHhdJ6VdwBLCFhdu7kDVZN9pb3BWeUED: May 30, 2020 -> 12BTC
1PormUgPR72yv2FRKSVY27U4ekWMKobWjg: Aug 27, 2020 -> 15.8BTC

2021
====
14cATAzXwD7CQf35n8Ea5pKJPfhM6jEHak: Mar 21, 2021 -> 0.3BTC
1AereQUh8yjNPs9Wzeg1Le47dsqC8NNaNM: Mar 25, 2021 -> 15BTC
bc1qy34v0zv6wu0cugea5xjlxagsfwgunwkzc0xcjj: Mar 30, 2021 -> 1BTC
1PopeZ4LNLanisswLndAJB1QntTF8hpLsD: Apr 1, 2021 -> 21.04BTC
bc1q9jg45a039tn83jk2vhdpranty2y8tnpnrk9k5q: Apr 2, 2021 -> 0.5BTC
bc1qz3lmcw4k58n79wpzm550r5pkzxc2h8rwmmu6xm: Apr 7, 2021 -> 1BTC
1DeNHM2eTqHp5AszTsUiS4WDHWkGc5UxHf: June 7, 2021 -> 1.9BTC
1HEDP3c3zPwiqUaYuWZ8gBFdAQQSa6sMGw: July 4, 2021 -> 13.5BTC
1HdgQM9bjX7u7vWJnfErY4MWGBQJi5mVWV: July 20, 2021 -> 0.3BTC
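As an added check on the ledger above (example code written for this page, not the author’s tooling), the following Python parses the wallet lines exactly as quoted, normalises the mixed date formats (“May30”, “Mar 25, 2021”), tags each address by type from its prefix only (no checksum validation), and sums the amounts with Decimal rather than floats. Summing the listed entries gives 303.79 BTC (185.8 / 63.45 / 54.54 by year), slightly above the ~303.49 BTC quoted above; recomputing a total from the raw list is a quick way to catch such discrepancies before citing a figure.

```python
import re
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Wallet lines copied verbatim from the article's list (first-seen date -> total received)
WALLET_LINES = """
1AbRxRfP6yHePpi7jmDZkS4Mfpm1ZiatH5: January 16, 2019 -> 161BTC
18wRbb94CjyTGkUp32ZM7krCYCB9MXUq42: July 1, 2019 -> 21.8BTC
1DRxUFhvJjGUdojCzMWSLmwx7Qxn79XbJq: December 4, 2019 -> 3BTC
1Edcufenw1BB4ni9UadJpQh9LVx9JGtKpP: April 19, 2020 -> 8.7BTC
1DyMbw6R9PbJqfUSDcK5729xQ57yJrE8BC: May 7, 2020 -> 12.06BTC
184ZcAoxkvimvVZaj8jZFujC7EwR3BKWvf: Oct 29, 2020 -> 10.39BTC
14oH2h12LvQ7BYBufcrY5vfKoCq2hTPoev: Dec 18, 2020 -> 4.5BTC
1HZHhdJ6VdwBLCFhdu7kDVZN9pb3BWeUED: May30, 2020 -> 12BTC
1PormUgPR72yv2FRKSVY27U4ekWMKobWjg: Aug27, 2020 -> 15.8BTC
14cATAzXwD7CQf35n8Ea5pKJPfhM6jEHak: Mar21, 2021 -> 0.3BTC
1AereQUh8yjNPs9Wzeg1Le47dsqC8NNaNM: Mar 25, 2021 -> 15BTC
bc1qy34v0zv6wu0cugea5xjlxagsfwgunwkzc0xcjj: Mar 30, 2021 -> 1BTC
1PopeZ4LNLanisswLndAJB1QntTF8hpLsD: Apr 1, 2021 -> 21.04BTC
bc1q9jg45a039tn83jk2vhdpranty2y8tnpnrk9k5q: Apr 2, 2021 -> 0.5BTC
bc1qz3lmcw4k58n79wpzm550r5pkzxc2h8rwmmu6xm: Apr 7, 2021 -> 1BTC
1DeNHM2eTqHp5AszTsUiS4WDHWkGc5UxHf: June 7, 2021 -> 1.9BTC
1HEDP3c3zPwiqUaYuWZ8gBFdAQQSa6sMGw: July 4, 2021 -> 13.5BTC
1HdgQM9bjX7u7vWJnfErY4MWGBQJi5mVWV: July 20, 2021 -> 0.3BTC
"""

# "<address>: <Month><day>, <year> -> <amount>BTC"; the month/day gap is optional
LINE_RE = re.compile(
    r"^(?P<addr>[A-Za-z0-9]+):\s*"
    r"(?P<mon>[A-Za-z]+)\s*(?P<day>\d{1,2}),\s*(?P<year>\d{4})\s*"
    r"->\s*(?P<btc>\d+(?:\.\d+)?)\s*BTC$"
)
MONTHS = {m: i for i, m in enumerate(
    ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"], 1)}


def address_type(addr: str) -> str:
    """Classify a Bitcoin address by its prefix (format only; no checksum validation)."""
    if addr.startswith("bc1q"):
        return "bech32 segwit v0 (P2WPKH/P2WSH)"
    if addr.startswith("bc1p"):
        return "bech32m taproot (P2TR)"
    if addr.startswith("1"):
        return "legacy P2PKH"
    if addr.startswith("3"):
        return "legacy P2SH"
    return "unknown"


def parse_wallets(text: str) -> list:
    """Turn the free-text ledger into records; raises on any line it cannot parse."""
    records = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsed ledger line: " + line)
        records.append({
            "address": m["addr"],
            "type": address_type(m["addr"]),
            "first_seen": date(int(m["year"]), MONTHS[m["mon"][:3].lower()], int(m["day"])),
            "btc": Decimal(m["btc"]),  # Decimal avoids float drift when summing
        })
    return records


def total_btc(records: list) -> Decimal:
    return sum((r["btc"] for r in records), Decimal(0))


def totals_by_year(records: list) -> dict:
    out = defaultdict(Decimal)
    for r in records:
        out[r["first_seen"].year] += r["btc"]
    return dict(sorted(out.items()))


def count_by_type(records: list) -> dict:
    out = defaultdict(int)
    for r in records:
        out[r["type"]] += 1
    return dict(out)


if __name__ == "__main__":
    recs = parse_wallets(WALLET_LINES)
    print("wallets:", len(recs), "total:", total_btc(recs), "BTC")
    print("by year:", totals_by_year(recs))
    print("by type:", count_by_type(recs))
```

The parser deliberately raises on a line it cannot read rather than skipping it, so a silently dropped entry can never shrink the total.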

Now let’s look at the earlier MedusaLocker, prevalent since 2019, before its migration to a TOR v3 domain name.

MEDUSALOCKER BEFORE TOR v3 MIGRATION

With the introduction of TOR v3, the short onion URLs used previously are no longer supported by the TOR community. Hence all the major players switched to TOR v3 domain names to keep their business running on the Dark Web.
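The v2/v3 distinction drawn here, and in the “Domain before/after switching to TOR v3” list earlier, can be checked mechanically. The following Python is an added example, not part of the original article: it classifies an .onion address as v2 (16 base32 characters, an 80-bit truncated SHA-1 of the service’s RSA key) or v3 (56 base32 characters encoding a 32-byte ed25519 key, a 2-byte SHA3-256 checksum and a version byte of 3, per Tor’s rend-spec-v3), and for v3 verifies the embedded checksum, which is how one tells a genuine address from a mistranscribed one in a report. The addresses quoted in this article are used only for the structural classification; the encode/verify round trip is shown on a constructed key that belongs to no real service.

```python
import base64
import hashlib
import re

B32_RE = re.compile(r"^[a-z2-7]+$")  # RFC 4648 base32 alphabet as Tor prints it (lowercase)
V3_VERSION = b"\x03"


def onion_hostname(addr: str) -> str:
    """Reduce a URL or hostname to the bare label before '.onion'."""
    host = addr.strip().lower()
    host = re.sub(r"^[a-z]+://", "", host).split("/")[0]
    return host[:-6] if host.endswith(".onion") else host


def onion_version(addr: str):
    """2 for a legacy 16-char address, 3 for a 56-char address, None if neither."""
    host = onion_hostname(addr)
    if not B32_RE.match(host):
        return None
    if len(host) == 16:   # 80-bit truncated SHA-1 of the RSA key (v2, no longer supported)
        return 2
    if len(host) == 56:   # 32-byte ed25519 key + 2-byte checksum + 1 version byte = 35 bytes
        return 3
    return None


def v3_checksum(pubkey: bytes, version: bytes = V3_VERSION) -> bytes:
    """rend-spec-v3: CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]."""
    return hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]


def encode_v3(pubkey: bytes) -> str:
    """Build a v3 onion address from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be exactly 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def verify_v3(addr: str) -> bool:
    """True only for a 56-char address whose version byte is 3 and whose checksum matches."""
    if onion_version(addr) != 3:
        return False
    raw = base64.b32decode(onion_hostname(addr).upper())
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    return version == V3_VERSION and checksum == v3_checksum(pubkey, version)


# Addresses quoted in the article; the 16-char one predates the TOR v3 migration
ARTICLE_ONIONS = [
    "gvlay6u4g53rxdi5.onion",
    "qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion",
    "z6wkgghtoawog5noty5nxulmmt2zs7c3yvwr22v4czbffdoly2kl4uad.onion",
]

if __name__ == "__main__":
    for a in ARTICLE_ONIONS:
        print(f"{a}: v{onion_version(a)}, checksum valid: {verify_v3(a)}")
    # Constructed key (bytes 0..31), not a real service: shows the encode/verify round trip
    demo = encode_v3(bytes(range(32)))
    print(demo, verify_v3(demo))
```

Because the version byte 0x03 lands in the low bits of the last base32 symbol, every well-formed v3 address ends in “d”; a copied address that does not is wrong before any checksum is computed.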

Following are the data points collected for the previous MedusaLocker variant:-

MEDUSALOCKER BEFORE TOR VERSION 3
=================================

MedusaLocker used this TOR site initially: gvlay6u4g53rxdi5.onion
BTC Wallet: 1HZHhdJ6VdwBLCFhdu7kDVZN9pb3BWeUED (Received 12BTC in Total)
Has been using the same Bitcoin Wallet from May 2020 to February 2021

CRYPT - OCT 2020
support@novibmaker.com
support@ypsotecs.com

LOCKUSSSS, LOCKHYP, ESLOCK, DATALOCK, KRLOCK
diniaminius@winrof.com
soterissylla@wyseil.com

DIVSOUTH - January 2021
support@welchallym.com
support@bigweatherg.com

UKK1 - AUG 2021
support@exorints.com
support@fanbridges.com

RAPID - March 2019
rapid@aaathats3as.com
rpd@keemail.me

CRYPTBD - January 2022
encrypt2020@outlook.com
encrypt2020@cock.li

PERFECTION
perfection@bestkoronavirus.com
support@imfoodst.com
support@securycasts.com
lockPerfection@gmail.com

CORONA - Feb 2022
coronaviryz@gmail.com
korona@bestkoronavirus.com

1BTC - March 2021
cmd@jitjat.org
dirhelp@keemail.me

SOJUSZ - Feb 2022
beacon@jitjat.org: BEC, SOJUSZ
beacon@msgsafe.io

LR - Dec 2022
bitcoin@mobtouches.com
bitcoin@sitesoutheat.com

DECRYPME - Oct 2019
decoder83540@protonmail.com
decoder83540@cock.li

STOPFILES - DEC 2021
dec_helper@dremno.com: NETWORKLOCK, DEATHFILES, BB, EG, STOPFILES
dec_helper@excic.com

FILESLOCK - December 2021
fuc_ktheworld1448@outlook.com
fucktheworld1448@cock.li

US1 - Feb, 2021
helper@buildingwin.com: FRLOCK, HKNET, LELOCK, LOCKFILESKR, US1
helper@atacdi.com

UNNAMED
777decoder777@protonmail.com
777decoder777@tfwno.gf


MEDUSALOCKER BEFORE TOR v3
==========================
PERFECTION
LOCKUSSSS
ESLOCK
VINDIZELPUX
NETWORKMAZE
KRLOCK
HKNET
CZLOCK
UKK1
LOCKFILE
FRLOCK
LELOCK
LOCKFILESKR
US1
FILESLOCK
STOPFILES
NETWORKLOCK
DEATHFILES
DECRYPME
BB
EG
LR
BEC
1BTC
SOJUSZ
CORONA
CRYPTBD
RAPID
LOCKHYP
DATALOCK
CRYPT

MEDUSA RANSOMWARE: UNRELATED TO MEDUSALOCKER

It is very common to see multiple entities lumped together under one name. One of the biggest challenges in the Infosec community is to separate out the right ones. If any step goes wrong, the entire chain of associations and the story built on it collapse, which makes it a herculean task for researchers and analysts to pinpoint the right threat actor.

As I mentioned at the beginning of this article, there is one more player with the same name: MEDUSA. It is entirely different from MedusaLocker and does not share a single entity in common, which the well-known ransomware analyst Michael Gillespie confirmed to me personally.

Medusa Ransomware’s blog, a Data Leak Site called JellyFish that popped up in 2023, looks like this:-

DLS of Medusa Ransomware (2023)

Here are some of the peculiarities of Medusa Ransomware:-

1. Medusa maintains 2 TOR Websites, one for Negotiation and the other as DLS. They are:-
medusacegu2ufmc3kx2kkqicrlcxdettsjcenhjena6uannk5f4ffuyd.onion
medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion

2. Medusa Ransomware Group maintains 2 TOX IDs for Point of Contact:
AA6AB832B08EC0D271BD5EE9A086B0549BC54DCA5EB1F21BF372B2879B71F024FBFBF16C0710 (Telegram — Robert)
4AE245548F2A225882951FB14E9BF87EE01A0C10AE159B99D1EA62620D91A372205227254A9F (Medusa — Direct)

3. The first data was published on the Medusa Ransomware blog (JellyFish) on 11th January 2023; at the time of writing (ATTOW) it lists 55 victims.

4. Their contact emails:
medusa.serviceteam@protonmail.com
karloskolorado@tutanota.com
bugervongir@outlook.com

5. Bitcoin Wallets of Medusa Ransomware (two active, one with no received funds):-
12xd6KrWVtgHEJHKPEfXwMVWuFK4k1FCUF: Mar 4, 2022 -> 1.06BTC
bc1qz89r77cdm7kwg3w5vhwlj5q5d9q6qqdnj6j6gg: Apr 10, 2022 -> 6.3BTC
bc1qfjuwdfq90ld77v47093yuzt344807uzk7h3qpu: Nothing

6. The title of Ransom Note is different. It is !!!READ_ME_MEDUSA!!!.txt and all the files are appended with the .medusa extension after encryption.

7. On November 26th, 2022 the Medusa Ransomware Group tied up with the Telegram channel “Information Support” to publish its breached victims via Telegram.
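The identifier lists in this article (the TOR v3 anchor points for MedusaLocker and the Medusa Ransomware peculiarities just above) can be turned into a small triage script that answers the question this article keeps returning to: which Medusa does a sample belong to? The following Python is an added example, not tooling from the article: it extracts email addresses, onion hostnames and 76-hex-character TOX IDs from free text with regexes, matches them against a subset of the article’s indicators, and reports which family they point to. The two ransom-note excerpts are constructed samples written for this example, not real notes, and the IoC table reproduces only a subset of the identifiers listed on this page.

```python
import re

# Indicator table built from identifiers quoted in this article (subset only;
# family labels follow the article's own attribution).
IOC_TABLE = {
    "MedusaLocker": {
        "email": {
            "sambolero@tutanota.com", "suppdecrypt@protonmail.com",
            "ithelp01@decorous.cyou", "ithelp01@wholeness.business",
            "ithelp02@decorous.cyou", "ithelp02@wholeness.business",
            "ransom.data@gmail.com",
        },
        "onion": {
            "gvlay6u4g53rxdi5.onion",
            "qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion",
            "z6wkgghtoawog5noty5nxulmmt2zs7c3yvwr22v4czbffdoly2kl4uad.onion",
        },
        "tox": {"E9CD65687463F67F64937E961DD723DC82C79CB548375AAE8AA4A0698D356C5E7E157B22E8CD"},
        "marker": set(),  # the article lists no note filename or extension for MedusaLocker
    },
    "Medusa Ransomware": {
        "email": {
            "medusa.serviceteam@protonmail.com",
            "karloskolorado@tutanota.com",
            "bugervongir@outlook.com",
        },
        "onion": {
            "medusacegu2ufmc3kx2kkqicrlcxdettsjcenhjena6uannk5f4ffuyd.onion",
            "medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion",
        },
        "tox": {
            "AA6AB832B08EC0D271BD5EE9A086B0549BC54DCA5EB1F21BF372B2879B71F024FBFBF16C0710",
            "4AE245548F2A225882951FB14E9BF87EE01A0C10AE159B99D1EA62620D91A372205227254A9F",
        },
        # ransom-note filename and file extension the article attributes to Medusa Ransomware
        "marker": {"!!!READ_ME_MEDUSA!!!.txt", ".medusa"},
    },
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
ONION_RE = re.compile(r"\b(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion\b")  # v3 or legacy v2
TOX_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")  # Tox ID: key + nospam + checksum, 38 bytes hex


def extract_indicators(text: str) -> dict:
    """Pull contact indicators out of free text, normalised for set comparison."""
    return {
        "email": {e.lower() for e in EMAIL_RE.findall(text)},
        "onion": set(ONION_RE.findall(text.lower())),
        "tox": {t.upper() for t in TOX_RE.findall(text)},
    }


def attribute(text: str) -> dict:
    """Map each family to the sorted list of its indicators seen in the text."""
    found = extract_indicators(text)
    lowered = text.lower()
    hits = {}
    for family, iocs in IOC_TABLE.items():
        matched = set()
        for kind in ("email", "onion", "tox"):
            matched |= {f"{kind}:{v}" for v in found[kind] & iocs[kind]}
        matched |= {f"marker:{m}" for m in iocs["marker"] if m.lower() in lowered}
        if matched:
            hits[family] = sorted(matched)
    return hits


def classify(text: str) -> str:
    """Name the family with the most matching indicators; 'unknown' or 'ambiguous' otherwise."""
    hits = attribute(text)
    if not hits:
        return "unknown"
    ranked = sorted(hits.items(), key=lambda kv: len(kv[1]), reverse=True)
    if len(ranked) > 1 and len(ranked[0][1]) == len(ranked[1][1]):
        return "ambiguous"
    return ranked[0][0]


# Constructed ransom-note excerpts for demonstration only (not real notes)
NOTE_A = """\
All your files have been encrypted and renamed with the .farlock extension.
Contact: ithelp02@decorous.cyou or ithelp02@wholeness.business
Chat: http://qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion/
"""

NOTE_B = """\
!!!READ_ME_MEDUSA!!!.txt
Your files now carry the .medusa extension.
Write to medusa.serviceteam@protonmail.com or use TOX
4AE245548F2A225882951FB14E9BF87EE01A0C10AE159B99D1EA62620D91A372205227254A9F
"""

if __name__ == "__main__":
    for label, note in (("note A", NOTE_A), ("note B", NOTE_B)):
        print(label, "->", classify(note), attribute(note))
```

A tie between families is reported as “ambiguous” rather than resolved arbitrarily, since a shared email provider or a reused TOX ID is exactly the kind of overlap that produced the Medusa/MedusaLocker confusion in the first place.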

Here are two MD5 hashes, one each for Medusa Ransomware and MedusaLocker, for reverse engineers who want to examine the samples:-

94e797f17313dc5d704d2d026a842e3d : Medusa Ransomware 
b09cd13c7a9ce8c94e15303f140bdd9f : MedusaLocker

NOTE: Any ransomware group can make use of existing or newly tested methods to intrude into its targets. Hence, collecting TTPs for a threat group is not a fruitful way to measure its capability (except for reporting to management), as new exploits and methods keep appearing and more TTPs keep getting added.

CONCLUSION

When you come across a Medusa sample, check whether it is MedusaLocker or Medusa Ransomware. In this scenario we cannot simply file MedusaLocker under “Medusa ransomware”; the other Medusa is a different ransomware altogether.

Moreover, there will be more spin-offs, and more samples will circulate on the surface web, such as AKO Ransomware, Medusa Reborn, etc., as this is a NEVER ENDING STORY!!!

Follow me on Twitter for interesting DarkWeb/InfoSec Short findings! ;-)

NOTE:- The article is purely an Individual Research and is not subjected to be used/published anywhere without the Author’s consent.


Independent Security Researcher and Threat Analyst. Often sheds light on Dark Web. Regular contributor to Infosec Community.