Posted on

Merry Christmas

Let There Be Peace On Earth

Wishing you a Merry Christmas and a Happy New Year 2022, with the kind compliments of team ..

Here’s a gentle reminder of the reason for the season ..

Posted on

How to remove MedusaLocker Ransomware

How to remove MedusaLocker Ransomware and decrypt .readtheinstructions, .decrypme or .encrypted files

[Here’s a link for how to remove MedusaLocker ransomware from your operating system, by Tomas Meskauskas (Updated)]

We have already deconstructed lots of ransomware like Ouroboros, Ako, NEMTY, and others says, Arthur Lozovsky for Bugfighter. Today, we are topping up our list with MedusaLocker Ransomware. This dreadful software is known to be encrypting the files of innocent users, therefore, making them unretrievable until a ransom is paid. Virus got its name because of the name of the project file, that says: MedusaLocker.pdb. Also, the “Medusa” section is created in the registry. Once installed on a computer, it rapidly blocks off the access to your data by assigning a unique .encrypted or .readtheinstructions or .readinstructions extensions to each file. This way, 1.jpg changes itself to 1.jpg.readtheinstructions. Unfortunately, any manipulations are useless because of the strong cipher that is hard to break manually. When encrypting files, AES encryption will be used to encrypt each file, and then the AES key will be encrypted with the RSA-2048 public key included in the Ransomware executable. Depending on ransomware edition, extensions may also look like .bomber.boroff.breakingbad.locker16.newlock.nlocker, and .skynet as well. After successful encryption of data, extortionists add an HTML or text file, called ransom note, that contains the necessary information on how to recover your data. Depending on the version it can be called RECOVER_INSTRUCTIONS.html, INSTRUCTIONS.html, HOW_TO_OPEN_FILES.html or HOW_TO_RECOVER_DATA.html.

MedusaLocker (.readtheinstructions)

MedusaLocker (.encrypted)
All your data are encrypted!
What happened?
Your files are encrypted, and currently unavailable.
You can check it: all files on you computer has new expansion.
By the way, everything is possible to recover (restore), but you need to buy a unique decryptor.
Otherwise, you never cant return your data.
For purchasing a decryptor contact us by email:
If you will get no answer within 24 hours contact us by our alternate emails:
What guarantees?
Its just a business. If we do not do our work and liabilities - nobody will not cooperate with us.
To verify the possibility of the recovery of your files we can decrypted 1 file for free.
Attach 1 file to the letter (no more than 10Mb). Indicate your personal ID on the letter:
041786A32071FD1D5BF472AE737A831C3F0EEABE36F5D5998DB4E8F377*** [всего 1024 знака] Attention!
- Attempts of change files by yourself will result in a loose of data.
- Our e-mail can be blocked over time. Write now, loss of contact with us will result in a loose of data.
- Use any third party software for restoring your data or antivirus solutions will result in a loose of data.
- Decryptors of other users are unique and will not fit your files and use of those will result in a loose of data.
- If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key.

Ransomware developers say that you have to pay a specific fee (varying from user to user) through the Bitcoin to decode the restricted files. After finished, you should contact them via e-mail to notify about the payment. Paying a ransom is not the wisest decision you can make at this point time, because there is no guarantee that they will keep their promise and get your data back. Since there is no real method to check their integrity, you should not be doing this. On the contrary, a better conclusion would be removing this malware from your computer to keep further data safe by following the guide in the article below.

MedusaLocker (.readinstructions)
MedusaLocker (.decrypme)
MedusaLocker (.encrypted)

How MedusaLocker Ransomware infected your computer

Ransomware and other kinds of malware are typically distributed via e-mail spam, trojans, free cracking tools, and other suspicious downloads. Deceivers tend to utilize massive spam attacks to overarch as many victims as possible. Not excluded that you could open a fake legitimate message that contains attached files like PDFs, executable files (.EXE), JavaScript or other unwanted links. Clicking on these files may be a huge risk because they usually include trojans that get installed on your device without consent. Trojans themselves are designed to cause so-called chains of malware. It infiltrates your computer with various malware like Ransomware that immediately encrypts data leaving you puzzled. This is why e-mail services automatically filter unwanted stuff and drop it into the “Spam” folder which can be a ring. Another crafty method of dissemination is by downloading fake cracking tools that are meant to bypass the activation of licensed software. Of course, most users download this type of tool from malicious sites that pursuit data hijacking. You cannot always be sure that the software you download is virus-free, however, you can shrink down the risk by visiting only trusted resources and downloading programs from official websites. Uninstalling MedusaLocker is only half of the battle because you will not be able to restore the full data. Great tools to protect against MedusaLocker Ransomware are: Emsisoft Anti-Malware and Malwarebytes Anti-Malware.

  1. Download MedusaLocker Ransomware Removal Tool
  2. Get decryption tool for .readtheinstructions.decrypme or .encrypted files
  3. Recover encrypted files with Stellar Data Recovery Professional
  4. Restore encrypted files with Windows Previous Versions
  5. Restore files with Shadow Explorer
  6. How to protect from threats like MedusaLocker Ransomware

Download Removal Tool

Download Removal Tool

To remove MedusaLocker Ransomware completely, we recommend you to use WiperSoft AntiSpyware from WiperSoft. It detects and removes all files, folders and registry keys of MedusaLocker Ransomware and prevents future infections by similar viruses.

Alternative Removal Tool

Download SpyHunter 5

To remove MedusaLocker Ransomware completely, we recommend you to use SpyHunter 5 from EnigmaSoft Limited. It detects and removes all files, folders and registry keys of MedusaLocker Ransomware. The trial version of SpyHunter 5 offers virus scan and 1-time removal for FREE.

MedusaLocker Ransomware files:


MedusaLocker Ransomware registry keys:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ "EnableLinkedConnections" = 1

How to decrypt and restore .readtheinstructions, .decrypme or .encrypted files

Use automated decryptors

Download Kaspersky RakhniDecryptor

kaspersky dharma ransomware decryptor

Use following tool from Kaspersky called Rakhni Decryptor, that can decrypt .readtheinstructions, .decrypme or .encrypted files. Download it here:

Download RakhniDecryptor

There is no purpose to pay the ransom, because there is no guarantee you will receive the key, but you will put your bank credentials at risk.

Dr.Web Rescue Pack

Famous antivirus vendor Dr. Web provides free decryption service for the owners of its products: Dr.Web Security Space or Dr.Web Enterprise Security Suite. Other users can ask for help in the decryption of .readtheinstructions.decrypme or .encrypted files by uploading samples to Dr. Web Ransomware Decryption Service. Analyzing of files will be performed free of charge and if files are decryptable, all you need to do is purchase 2-year license of Dr.Web Security Space worth $120 or less. Otherwise, you don’t have to pay.

If you are infected with MedusaLocker Ransomware and removed it from your computer you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to decrypt them manually you can do the following:

Use Stellar Data Recovery Professional to restore .readtheinstructions, .decrypme or .encrypted files

stellar data recovery professional
  1. Download Stellar Data Recovery Professional.
  2. Click Recover Data button.
  3. Select type of files you want to restore and click Next button.
  4. Choose location where you would like to restore files from and click Scan button.
  5. Preview found files, choose ones you will restore and click Recover.

Download Stellar Data Recovery Professional

Using Windows Previous Versions option:

  1. Right-click on infected file and choose Properties.
  2. Select Previous Versions tab.
  3. Choose particular version of the file and click Copy.
  4. To restore the selected file and replace the existing one, click on the Restore button.
  5. In case there is no items in the list choose alternative method.

Using Shadow Explorer:

  1. Download Shadow Explorer program.
  2. Run it and you will see screen listing of all the drives and the dates that shadow copy was created.
  3. Select the drive and date that you want to restore from.
  4. Right-click on a folder name and select Export.
  5. In case there are no other dates in the list, choose alternative method.

If you are using Dropbox:

  1. Login to the DropBox website and go to the folder that contains encrypted files.
  2. Right-click on the encrypted file and select Previous Versions.
  3. Select the version of the file you wish to restore and click on the Restore button.

How to protect computer from viruses, like MedusaLocker Ransomware, in future

1. Get special anti-ransomware software

Use BitDefender Anti-Ransomware

bitdefender anti-ransomware

Famous antivirus vendor BitDefender released free tool, that will help you with active anti-ransomware protection, as additional shield to your current protection. It will not conflict with bigger security applications. If you are searching complete internet security solution consider upgrading to full version of BitDefender Internet Security 2018.

Download BitDefender Anti-Ransomware

2. Back up your files

idrive backup

As an additional way to save your files, we recommend online backup. Local storages, such as hard drives, SSDs, flash drives or remote network storages can be instantly infected by the virus once plugged in or connected to. MedusaLocker Ransomware uses some techniques to exploit this. One of the best services and programs for easy automatic online backup is iDrive. It has the most profitable terms and simple interface. You can read more about iDrive cloud backup and storage here.

3. Do not open spam e-mails and protect your mailbox

mailwasher pro

Malicious attachments to spam or phishing e-mails is most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications, and provides very high level of anti-spam protection.

Download MailWasher Pro


Here’s a tip for support to remove MedusaLocker ransomware from your operating system, written by Tomas Meskauskas on 28 September 2021.

If all else fails, open a support ticket for our expert help at

Posted on

Log4Shell 0-Day Attacks Underway; Patch Immediately

CISA releases Apache Log4j scanner to find vulnerable apps, 5:31p.m., December 21, 2021 (Update)

Bitdefender Honeypots Signal Active Log4Shell 0-Day Attacks Underway; Patch Immediately

Log4Shell is a 0-day vulnerability in the Log4j Java library that allows attackers to download and run scripts on targeted servers, leaving them open to complete remote control. After a user posted a proof-of-concept (PoC) on Twitter, Bitdefender’s honeypots started to register attacks using the PoC, underlining just how severe this vulnerability is.

Log4j is not just another Java library. It’s embedded in servers and services from all over the world, used by companies such as Apple, Amazon, Cloudflare, Steam, various Apache server types, ElasticSearch, and many others.

As 0-day vulnerabilities go, Log4Shell (CVE-2021-44228) has a 10/10 rating, which means that attackers can remotely exploit it without any input from the victim, and it doesn’t require high-level technical expertise to pull it off.

The Apache Software Foundation issued an emergency patch, and now Log4j 2.15.0 is available to everyone.

Get the Log4j 2.15.0 Patch Now

“JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default,” explain the developers in the release notes.

It’s difficult to estimate the massive impact Log4Shell will have because historically patches (even for high-severity threats) take time for everyone to apply, if ever. We commonly see attacks successfully executed using fixed vulnerabilities that are two or three years old.

Immediately after the Log4Shell PoC was released, adversaries started scanning the Internet, looking for vulnerable targets. Bitdefender honeypots are seeing attackers trying to compromise different web services. The number of total scans using Log4Shell has increased three-fold in a single day meaning we most likely are just at the beginning. While most scans don’t have a particular target, around 20 percent of the attempts seem to search for vulnerable Apache Solr services.

When Bitdefender’s global honeypot network experiences a marked spike in activity, it usually means attackers are actively looking for ways to weaponize a newly discovered vulnerability as soon as possible. Most of the scans we are seeing now are coming from Russia-based IP addresses.

Bitdefender recommends all companies using the Log4j library upgrade as soon as possible to the latest version. The traffic generated in the honeypots indicates that attackers know about the vulnerability and how widespread the library is. We believe we’re witnessing only the start of a very long campaign.

Author: Silviu STAHIE for Bitdefender