Active ransomware operator
← All groupsmedusalocker
78 victims indexed · first seen 4 years ago · last activity 8 days ago
At a glance
- Status
- active
- First seen
- 4 years ago
- Last activity
- 8 days ago
- Primary sector
- Not Found · 15 hits
About
References
2 linksExternal sources curated by the MISP threat-intel community.
Timeline
17 monthsTop countries
Top sectors
MITRE ATT&CK
20 techniques · 8 tacticsTactics
Techniques
- T1190Exploit Public-Facing Application
- T1566.001Phishing: Spearphishing Attachment
- T1059.001Command and Scripting Interpreter: PowerShell
- T1059.003Command and Scripting Interpreter: Windows Command Shell
- T1204.002User Execution: Malicious File
- T1112Modify Registry
- T1562.001Impair Defenses: Disable or Modify Tools
- T1490Inhibit System Recovery
- T1070.004Indicator Removal: File Deletion
- T1027Obfuscated Files or Information
- T1083File and Directory Discovery
- T1082System Information Discovery
- T1135Network Share Discovery
- T1021.001Remote Services: Remote Desktop Protocol
- T1021.002Remote Services: SMB/Windows Admin Shares
- T1039Data from Network Shared Drive
- T1041Exfiltration Over C2 Channel
- T1486Data Encrypted for Impact
- T1489Service Stop
- T1491.001Defacement: Internal Defacement
Recent victims
Loading…
Source
Updated 8 days agoData on this page is sourced from the group's own leak posts, cross-checked with public ransomware trackers (RansomLook, ransomware.live, RansomWatch), MITRE ATT&CK, and our own Tor and Telegram crawlers. This is a public observatory page — share freely.
Get alerted the next time medusalocker posts a victim.
Add medusalocker to your watchlist — Pro pings you within 5 minutes of any new medusalocker leak-site post, Telegram callout, or affiliate-rebrand inference.

