Medusabtc Ransomware
The singular goal of the MedusaBtc Ransomware threat is to lock the files of its victims and render them unusable. The affected files can be from a multitude of different file types - documents, PDFs, images, photos, audio, video, archives, databases, etc. Victims will no longer be able to access the encrypted data, while restoration without having the required decryption key is practically impossible. The attackers then try to extort money from the affected users by promising to send them the software tool and key needed to unlock the files.
When it comes to MedusaBtc Ransomware specifically, the threat is classified as a variant of the Xorist malware family. It appends '.medusabtc' to the names of all locked files and then proceeds to deliver two ransom notes to the infected system. Users will be presented with a pop-up window and a text file named 'HOW TO DECRYPT FILES.txt.' The message contained in both places is identical. The fact that the threat's ransom notes are written in Portuguese entirely is a clear indicator that the attackers are focused on countries speaking that particular language predominantly.
MedusaBtc Ransomware's Demands
According to the ransom notes, the hackers want to receive 'a small fee' in exchange for the decryptor tool and key. To get further details about the payment, users are instructed to contact the two provided email addresses - 'medusabtc@protonmail.com' and 'btcpaynow@protonmail.com.' The message must contain the ID string found in the ransom note. The hackers threaten that if the affected users leak the threat's ransom-demanding message or risk being blocked. Furthermore, victims are told that they must reach out to the hackers before the specific data that is mentioned in the note.
The full text in its original form is:
‘******* all your data has been encrypted *******
Todos arquivos estão criptografados se tornaram .medusabtc
a unica forma para arquivos/sistema voltar ao normal é
obter chave especial + decryptor
entre em contato com nossa equipe atraves dos dois emails com ID
vou te enviar chave especial + decryptor por apenas uma pequena taxa
e-mail: medusabtc@protonmail.com ID--
e-mail: btcpaynow@protonmail.com
obs:1 não há necessidade de formatar
2 não renomeie a extensão do arquivo,
3 não poste esta mensagem de resgate em nenhum site,
4 não delete os arquivos criptografados
este email é o único contato. se você postar a mensagem de resgate,
o e-mail será bloqueado e você não receberá a chave exclusiva.
contacte-nos em até 18/10/2021 não perca tempo’
