MedusaLocker Ransomware Removal Guide

MedusaLocker Ransomware is a malicious application that encrypts files and marks them with one of the following extensions: .encrypted, .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, .skynet. Afterward, a victim should notice a file that displays a ransom note on a browser upon its launch. The message should state that all files were locked, and the only thing that can decrypt them is a unique decryptor. Of course, the tool does not come for free, as the ransom note ought to mention about having to make a payment. No matter what the hackers may say in the malware’s message, we do not think it would be smart to trust them. If you think so as well, we advise not to do as told but to erase MedusaLocker Ransomware. To learn more about the malware and how it works, you should read our full report. A bit below the article, you can find instructions on how to eliminate the threat manually if you feel up to such a task. If not, we encourage using a reliable security tool.

There is no information on how MedusaLocker Ransomware could be spread yet. However, our experience with such threats tells us that the malware could be traveling with email attachments distributed via Spam or suspicious files from file-sharing websites or unreliable advertisements. Usually, what we advise to avoid such malicious applications is to stay away from data that you do not know to be reliable for sure. When you are in doubt, you should scan files received or downloaded from the Internet with a reliable antimalware tool. If it detects anything malicious, you would know, and, most importantly, you could get rid of data identified as dangerous safely with the help of your security tool.

If MedusaLocker Ransomware enters a system, it should create a copy of its launcher in the %APPDATA% location. This copy might be called svchostt.exe, which looks similar to a legit fie called svchost. However, the fact it is in a wrong directory and misspelled should raise a suspicion about this file. What’s more, the malicious application was also noticed to create a task in the %WINDIR%\System32\Tasks directory. The task should be called svchostt. It might make victims’ devices load MedusaLocker Ransomware once a day or every few hours. Our researchers say that if the malware gets launched over and over again, it is possible that it could encrypt new data every time it is relaunched. As you see, while running, the infection encrypts a victim’s files with a secure encryption algorithm. Consequently, files become unreadable and cannot be unlocked without a special decryptor.

Furthermore, the malware does not just encrypt files as it should also create a file called HOW_TO_RECOVER_DATA.html that shows a ransom note if it is opened. The note should be displayed on a browser, and it ought to contain a message from four paragraphs. Mainly, the text explains what happened to encrypted files that should be marked with the .encrypted, .bomber, .boroff, or some other second extension. It also explains a user has a chance to purchase a unique decryptor that could restore all files to the way they were before encryption.

The problem is that victims are asked to pay first, and despite the guarantees mentioned in the ransom note, there are still no reassurances that hackers will deliver promised decryptors. If you do not trust them either and do not want to risk your money, we advise ignoring the ransom note. It is essential to remember if you have any backup copies that you could use to replace files that got encrypted. Of course, it would be safer to do so after the malware is erased, and your system is clean. You could eliminate MedusaLocker Ransomware with a chosen antimalware tool or by completing steps available below.

Get rid of MedusaLocker Ransomware

1. Tap Ctrl+Alt+Delete.
2. Pick Task Manager.
3. Select the Processes tab.
4. Look for a process associated with the malware.
5. Select the process and click End Task.
6. Leave Task Manager.
7. Tap Win+E.
8. Go to these locations:
   %TEMP%
   %USERPROFILE%\Downloads
   %USERPROFILE%\Desktop
9. Find the malicious file opened before the system got infected, right-click it, and select Delete.
10. Locate this path: %APPDATA%
11. Find a file called svchostt.exe, right-click it, and select Delete.
12. Go to the following path: %WINDIR%\System32\Tasks
13. Locate a task titled svchostt, right-click it, and choose Delete.
14. Close File Explorer.
15. Tap Win+R.
16. Type Regedit and click Enter.
17. Go to: HKCU\Software
18. Locate a key called Medusa, right-click it, and select Delete.
19. Close Registry Editor.
20. Empty Recycle Bin.
21. Restart the computer.