Once data is encrypted, MedusaLocker stores an HTML file (“HOW_TO_RECOVER_DATA.html“) containing instructions on how to contact the perpetrator that invaded your infrastructure.

Other variants of this ransomware use the: 

• “.bomber“,
• “.boroff“
• “.breakingbad“
• “.locker16“
• “.newlock“
• “.nlocker“
• “.skynet“
• “.deadfiles“
• “.abstergo“
• “.himynameisransom“
• “.ReadInstructions“
• “.EG“
• “.decrypme“
• “.ReadTheInstructions“
• “.READINSTRUCTIONS“,
• “.mlock5” 

The above are all extensions for encrypted files from Medusa Locker.

You will find a Ransomware note if you have been encrypted with Medusa Locker that is similar with the one below:

Your files are safe! Only modified. (RSA+AES)

ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE
WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.

No software available on internet can help you. We are the only ones able to
solve your problem.

We gathered highly confidential/personal data. These data are currently stored on
a private server. This server will be immediately destroyed after your payment.
If you decide to not pay, we will release your data to public or re-seller.
So you can expect your data to be publicly available in the near future..

We only seek money and our goal is not to damage your reputation or prevent
your business from running.

You will can send us 2-3 non-important files and we will decrypt it for free
to prove we are able to give your files back.

qd7pcafncosqfqu3haXXXXXXXXXXXXXXXXX.onion
* Note that this server is available via Tor browser only

Follow the instructions to open the link:
1. Type the addres “https://www.torproject.org” in your Internet browser. It opens the Tor site.
2. Press “Download Tor”, then press “Download Tor Browser Bundle”, install and run it.
3. Now you have Tor browser. In the Tor Browser open qd7pcafncosqfqu3haXXXXXXXXXXXXXXX.onion
4. Start a chat and follow the further instructions.

If you can not use the above link, use the email:

restoreassistance@decorous.cyou
restoreassistance@wholeness.business

* To contact us, create a new free email account on the site: protonmail.com
IF YOU DON’T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

Victims are instructed to contact the perpetrators via TOR site or other secure communication emails such as Protonmail.

Unfortunately as of now there are no free decryption tools in the market that have the capability to decrypt Medusa Locker encryptions. 

Only the cyber criminals can use their software to do so, however, there are many times that cyber criminals might ask for more money or even deliver tools that will not decrypt your files.

Despite the fact that some people pay for the ransom amount, there are a lot of cases reported where the victims will not receive the decryption software. 

In such cases the data remains encrypted and nobody can help. 

So if you have been encrypted by MedusaLocker submit our Ransomware Incident Response form in order our specialised team can help you get your files back.