Researchers have identified a new strain of ransomware that is spreading around the globe. Bleeping Computer reported that MedusaLocker, as the new strain is called, was first observed in September 2019 and has been steadily infecting more computers every day, though its methods of infection remain unknown. Once it infiltrates a machine, MedusaLocker systematically runs through a checklist of commands to render the machine as vulnerable as possible and to optimize the ransomware’s hold over the data. First, it ensures that it has access to all drives connected to the system, then it shuts down any active security measures, and finally it wipes clean any existing file backups. After that prep, it scans the drives for files to ransom and proceeds to encrypt them. When it’s finished, the ransomware sleeps for sixty seconds, then scans anew for more files to encrypt. MedusaLocker also programs a scheduled task to run the ransomware every thirty minutes so that it stays active. A ransom note, riddled with grammatical mistakes, is placed in every folder containing encrypted files. Instead of stating the financial demand, the note lists two email addresses which the user is prompted to message in order to purchase a decryptor. The note even suggests the user attach one encrypted file to the message, so the attackers can return it decrypted to the user in a gesture meant to prove the decryption key exists. Researchers continue to study MedusaLocker, and it is still unknown whether or not its encrypted files can in fact be decrypted.
