MedusaLocker is a ransomware operator currently active on public leak sites. Darkfield has indexed 67 public victims claimed by this operator between November 15, 2022 and May 5, 2026.

MedusaLocker is a ransomware group that emerged in November 2022, operating with primarily financial motivations and targeting organizations across multiple sectors including technology, energy, healthcare, and manufacturing. The group's origin and specific affiliations remain largely undocumented in public threat intelligence reports, though their operational patterns suggest they may operate as part of the broader ransomware-as-a-service ecosystem that has proliferated in recent years.

With 51 documented victims primarily concentrated in the United States, United Arab Emirates, Germany, Canada, and Antigua and Barbuda, MedusaLocker appears to focus on opportunistic targeting rather than specific geographic or sectoral specialization. The group's attack methodology and specific technical capabilities have not been extensively documented by major threat intelligence organizations, though their targeting of critical infrastructure sectors including healthcare and energy suggests they likely employ common ransomware tactics such as network encryption and potential data exfiltration.

No major high-profile attacks or significant law enforcement disruptions against MedusaLocker have been publicly reported by CISA, FBI, or other major security agencies. The current operational status of MedusaLocker remains unclear due to limited public documentation, though the relatively recent emergence date suggests the group may still be active or have transitioned to other operations.

How we know this.

Operator profiles on Darkfield are built from continuous monitoring of every leak site the group is known to operate, cross-correlated with community-curated feeds (RansomLook, ransomware.live, RansomWatch, MISP-galaxy). Status flips from active to inactive when no new disclosure appears for 60 days. MITRE ATT&CK mappings shown in the interactive section below are sourced from CISA, vendor analysis, and the MITRE community catalog; we attribute each technique back to its source. Aliases reflect operator re-brands and affiliate splits.