Posted on

How to remove MedusaLocker Ransomware from an infected computer and decrypt your files

How to remove MedusaLocker Ransomware and decrypt .readtheinstructions, .decrypme or .encrypted files

We have already deconstructed lots of ransomware like Ouroboros, Ako, NEMTY, and others says, Arthur Lozovsky for Bugfighter. Today, we are topping up our list with MedusaLocker Ransomware. This dreadful software is known to be encrypting the files of innocent users, therefore, making them unretrievable until a ransom is paid. Virus got its name because of the name of the project file, that says: MedusaLocker.pdb. Also, the “Medusa” section is created in the registry. Once installed on a computer, it rapidly blocks off the access to your data by assigning a unique .encrypted or .readtheinstructions or .readinstructions extensions to each file. This way, 1.jpg changes itself to 1.jpg.readtheinstructions. Unfortunately, any manipulations are useless because of the strong cipher that is hard to break manually. When encrypting files, AES encryption will be used to encrypt each file, and then the AES key will be encrypted with the RSA-2048 public key included in the Ransomware executable. Depending on ransomware edition, extensions may also look like .bomber.boroff.breakingbad.locker16.newlock.nlocker, and .skynet as well. After successful encryption of data, extortionists add an HTML or text file, called ransom note, that contains the necessary information on how to recover your data. Depending on the version it can be called RECOVER_INSTRUCTIONS.html, INSTRUCTIONS.html, HOW_TO_OPEN_FILES.html or HOW_TO_RECOVER_DATA.html.

MedusaLocker (.readtheinstructions)

MedusaLocker (.encrypted)
All your data are encrypted!
What happened?
Your files are encrypted, and currently unavailable.
You can check it: all files on you computer has new expansion.
By the way, everything is possible to recover (restore), but you need to buy a unique decryptor.
Otherwise, you never cant return your data.
For purchasing a decryptor contact us by email:
777decoder777@protonmail.com
If you will get no answer within 24 hours contact us by our alternate emails:
777decoder777@tfwno.gf
What guarantees?
Its just a business. If we do not do our work and liabilities - nobody will not cooperate with us.
To verify the possibility of the recovery of your files we can decrypted 1 file for free.
Attach 1 file to the letter (no more than 10Mb). Indicate your personal ID on the letter:
041786A32071FD1D5BF472AE737A831C3F0EEABE36F5D5998DB4E8F377*** [всего 1024 знака] Attention!
- Attempts of change files by yourself will result in a loose of data.
- Our e-mail can be blocked over time. Write now, loss of contact with us will result in a loose of data.
- Use any third party software for restoring your data or antivirus solutions will result in a loose of data.
- Decryptors of other users are unique and will not fit your files and use of those will result in a loose of data.
- If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key.

Ransomware developers say that you have to pay a specific fee (varying from user to user) through the Bitcoin to decode the restricted files. After finished, you should contact them via e-mail to notify about the payment. Paying a ransom is not the wisest decision you can make at this point time, because there is no guarantee that they will keep their promise and get your data back. Since there is no real method to check their integrity, you should not be doing this. On the contrary, a better conclusion would be removing this malware from your computer to keep further data safe by following the guide in the article below.

MedusaLocker (.readinstructions)
MedusaLocker (.decrypme)
MedusaLocker (.encrypted)

How MedusaLocker Ransomware infected your computer

Ransomware and other kinds of malware are typically distributed via e-mail spam, trojans, free cracking tools, and other suspicious downloads. Deceivers tend to utilize massive spam attacks to overarch as many victims as possible. Not excluded that you could open a fake legitimate message that contains attached files like PDFs, executable files (.EXE), JavaScript or other unwanted links. Clicking on these files may be a huge risk because they usually include trojans that get installed on your device without consent. Trojans themselves are designed to cause so-called chains of malware. It infiltrates your computer with various malware like Ransomware that immediately encrypts data leaving you puzzled. This is why e-mail services automatically filter unwanted stuff and drop it into the “Spam” folder which can be a ring. Another crafty method of dissemination is by downloading fake cracking tools that are meant to bypass the activation of licensed software. Of course, most users download this type of tool from malicious sites that pursuit data hijacking. You cannot always be sure that the software you download is virus-free, however, you can shrink down the risk by visiting only trusted resources and downloading programs from official websites. Uninstalling MedusaLocker is only half of the battle because you will not be able to restore the full data. Great tools to protect against MedusaLocker Ransomware are: Emsisoft Anti-Malware and Malwarebytes Anti-Malware.

  1. Download MedusaLocker Ransomware Removal Tool
  2. Get decryption tool for .readtheinstructions.decrypme or .encrypted files
  3. Recover encrypted files with Stellar Data Recovery Professional
  4. Restore encrypted files with Windows Previous Versions
  5. Restore files with Shadow Explorer
  6. How to protect from threats like MedusaLocker Ransomware

Download Removal Tool

Download Removal Tool

To remove MedusaLocker Ransomware completely, we recommend you to use WiperSoft AntiSpyware from WiperSoft. It detects and removes all files, folders and registry keys of MedusaLocker Ransomware and prevents future infections by similar viruses.

Alternative Removal Tool

Download SpyHunter 5

To remove MedusaLocker Ransomware completely, we recommend you to use SpyHunter 5 from EnigmaSoft Limited. It detects and removes all files, folders and registry keys of MedusaLocker Ransomware. The trial version of SpyHunter 5 offers virus scan and 1-time removal for FREE.

MedusaLocker Ransomware files:

{randomfilename}.exe
HOW_TO_RECOVER_DATA.html
Readme.html
svchostt.exe
svchostt
l.bat
MedusaLocker.pdb

MedusaLocker Ransomware registry keys:

HKCU\SOFTWARE\Medusa
HKCU\SOFTWARE\Medusa\Name
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "EnableLinkedConnections" = 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

How to decrypt and restore .readtheinstructions, .decrypme or .encrypted files

Use automated decryptors

Download Kaspersky RakhniDecryptor

kaspersky dharma ransomware decryptor

Use following tool from Kaspersky called Rakhni Decryptor, that can decrypt .readtheinstructions, .decrypme or .encrypted files. Download it here:

Download RakhniDecryptor

There is no purpose to pay the ransom, because there is no guarantee you will receive the key, but you will put your bank credentials at risk.

Dr.Web Rescue Pack

Famous antivirus vendor Dr. Web provides free decryption service for the owners of its products: Dr.Web Security Space or Dr.Web Enterprise Security Suite. Other users can ask for help in the decryption of .readtheinstructions.decrypme or .encrypted files by uploading samples to Dr. Web Ransomware Decryption Service. Analyzing of files will be performed free of charge and if files are decryptable, all you need to do is purchase 2-year license of Dr.Web Security Space worth $120 or less. Otherwise, you don’t have to pay.

If you are infected with MedusaLocker Ransomware and removed it from your computer you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to decrypt them manually you can do the following:

Use Stellar Data Recovery Professional to restore .readtheinstructions, .decrypme or .encrypted files

stellar data recovery professional
  1. Download Stellar Data Recovery Professional.
  2. Click Recover Data button.
  3. Select type of files you want to restore and click Next button.
  4. Choose location where you would like to restore files from and click Scan button.
  5. Preview found files, choose ones you will restore and click Recover.

Download Stellar Data Recovery Professional

Using Windows Previous Versions option:

  1. Right-click on infected file and choose Properties.
  2. Select Previous Versions tab.
  3. Choose particular version of the file and click Copy.
  4. To restore the selected file and replace the existing one, click on the Restore button.
  5. In case there is no items in the list choose alternative method.

Using Shadow Explorer:

  1. Download Shadow Explorer program.
  2. Run it and you will see screen listing of all the drives and the dates that shadow copy was created.
  3. Select the drive and date that you want to restore from.
  4. Right-click on a folder name and select Export.
  5. In case there are no other dates in the list, choose alternative method.

If you are using Dropbox:

  1. Login to the DropBox website and go to the folder that contains encrypted files.
  2. Right-click on the encrypted file and select Previous Versions.
  3. Select the version of the file you wish to restore and click on the Restore button.

How to protect computer from viruses, like MedusaLocker Ransomware, in future

1. Get special anti-ransomware software

Use BitDefender Anti-Ransomware

bitdefender anti-ransomware

Famous antivirus vendor BitDefender released free tool, that will help you with active anti-ransomware protection, as additional shield to your current protection. It will not conflict with bigger security applications. If you are searching complete internet security solution consider upgrading to full version of BitDefender Internet Security 2018.

Download BitDefender Anti-Ransomware

2. Back up your files

idrive backup

As an additional way to save your files, we recommend online backup. Local storages, such as hard drives, SSDs, flash drives or remote network storages can be instantly infected by the virus once plugged in or connected to. MedusaLocker Ransomware uses some techniques to exploit this. One of the best services and programs for easy automatic online backup is iDrive. It has the most profitable terms and simple interface. You can read more about iDrive cloud backup and storage here.

3. Do not open spam e-mails and protect your mailbox

mailwasher pro

Malicious attachments to spam or phishing e-mails is most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications, and provides very high level of anti-spam protection.

Download MailWasher Pro

Please tell us what we can do to serve you

Posted on

Ransomware can kill the Trust small businesses need from Customers

We’re not even halfway through 2020, and already it’s been a record-breaking year for ransomware attacks says Adam Levin, inc. Barely a week goes by without reports of a new strain or variant of malware wreaking havoc among companies.

1-99-employee companies are a target

No industry, category, size, or group is safe from this cyber scourge. 

We hear about the big ones. Manufacturing giant Honda had its networks brought to a standstill by just such an attack. Millions of inboxes have been hit with a variant of Avaddon ransomware. High-profile entertainment law firm Grubman Shire Meiselas & Sacks suffered a one-two punch of infection via REvil ransomware followed by a dark web auction of the firm’s client documents.

Small companies get hit all the time, but when they go out of business as a result it’s not news. It doesn’t matter how big your company is. In fact, what may matter more is how easy you are to hack. 

A compounded threat for businesses

While there’s no shortage of examples of ransomware attacks, a recent study by data protection firm Veritas suggests an even bigger problem that few, if any, companies are prepared for: Customers are increasingly laying the blame on companies, specifically their CEOs, rather than on the hackers perpetrating the attacks.

The statistics are sobering. Twelve thousand respondents in the U.S., U.K., Germany, Japan, France, and China thought companies were to blame, with 40 percent saying CEOs should be doing a better job. In the same survey, 35 percent thought CEOs should be fined for a cyber failure, and 30 percent wanted to see a CEO lose his or her right to run any company following a serious cyber event. Another 23 percent thought the CEO should face a prison sentence.

Some of the survey’s findings suggest there’s some cognitive dissonance. For instance, 71 percent of respondents said companies shouldn’t pay ransoms to hackers, but 55 percent wanted businesses to pay a ransom if their own personal data was at risk. The numbers point to a nascent blame game, which in turn points to the need for companies large and small to make sure they have cyber insurance–often the only thing between your company and an extinction-level cyber event.

What can CEOs do?

With 44 percent in the Veritas survey claiming that they would stop using a business’s services following a ransomware-related breach regardless of how the company responded–it matters how you handle cyber. 

With customers pointing the finger at business leadership, CEOs face a new layer to what was already an extinction-level threat. If the combined costs of paying a ransom and the resulting breach-related expenses aren’t enough to ruin a company, customers and clients are increasingly poised to drive the final nail in the coffin.

Preventing data breaches and implementing adequate cybersecurity safeguards was a daunting assignment even before the Covid-19 pandemic. A 2019 study showed that 80 percent of IT business leaders expected a critical breach or a successful cyberattack within a year, double what a similar study had indicated in 2015.

The inevitability of a successful cyberattack, ransomware-related or otherwise, cannot be mitigated by any CEO, but managing the aftermath can. 

Much has been made of the shortage of skilled cybersecurity workers, to say nothing of supply chain vulnerabilitiesunpatched or outdated software, or employee malfeasance. But the answer for management here lies in being prepared. 

While corporate security fails are complex, a good leader needs only to be prepared for the day the inevitable happens. More than half of security personnel surveyed in 2019 believed that CEOs ignored security plans, and 14 percent said that their CEOs hadn’t received any cybersecurity training. Another study showed that 40 percent of IT professionals specifically cited their company’s CEO as the weakest link in their company’s security. Only you know if this is true of your organization. And if it is, only you can take steps to get cyber right. 

There’s an oft-quoted saying that “culture eats strategy for breakfast,” and that’s very true when it comes to cyber. Know the risks, get help if you need it, get insured, and take it seriously. 

Posted on

Knoxville Shuts Down IT Following Ransomware Attack Thursday June 11th

Knoxville joins a list that also includes Atlanta, Baltimore, Denver, and New Orleans. Catalin Cimpanu for Zero Day reported the city of Knoxville, Tennessee, has shut down its IT network today (Thursday, June 11th, 2020) following a ransomware attack, CBS affiliate WVLT reported today.

The attack took place last night, between June 10 and June 11. The city’s IT department did not detect the intrusion until it was too late and the ransomware had already encrypted multiple systems.

Responding to the attack, IT staff shut down impacted servers and workstations and disconnected the city’s network from the internet. This resulted in downtimes for the city’s internal IT network, its public website, and the network of the city’s court.

Emergency services, managed by the city, such as police, the fire department, and 911 hotlines were not impacted, as they ran on separate systems. The network of Knox County, which shares some IT systems with the city of Knoxville was not impacted, the county said today on Twitter.

Knoxville city employees arriving at work this morning were greeted by an email disclosing the attack, WVLT reported. The message disclosed the ransomware attack and told employees not to log into their computers.

City officials said they’re currently looking at an email opened by one of its employees as the initial entry point for the ransomware, local news site Knox News reported. However, this was merely a theory, and a more thorough investigation is currently underway, with city officials receiving help from the local FBI office.

The name of the ransomware type/group that infected the city’s network is currently unknown. Recently, most major ransomware operations have also begun stealing data from infected networks, and then leaking or selling it online.

Knoxville, which is currently the 134th biggest city in the US based on population size, is just the latest in a long list of US cities that have suffered a ransomware attack.

While most ransomware attacks hit smaller cities, ransomware gangs also hit the jackpot once in a while and infect the network of a larger city, such as AtlantaBaltimoreDenverNew Orleans — and now, Knoxville.

In July 2019, the US Conference of Mayors unanimously agreed to stop paying ransomware demands. That pledge never stuck.