
Meduza Ransomware

By GoldSparrow in Ransomware

The Meduza Ransomware is an encryption ransomware Trojan uncovered on July 9, 2018. It is delivered in the way typical of these threats: as a Microsoft Word document with malicious embedded macro scripts. Victims of the Meduza Ransomware attack receive a spam email whose subject and body are crafted to trick them into downloading an attached DOCX file which, when opened, installs the Meduza Ransomware on the victim's computer.

How the Meduza Ransomware Carries Out Its Attack

Once the Meduza Ransomware has infiltrated the victim's computer, it scans the victim's data for user-generated files, which may include a wide variety of media files, documents, databases, and numerous other similar files. The following are examples of the file types that are typically encrypted in attacks like the Meduza Ransomware's:

.ebd, .jbc, .pst, .ost, .tib, .tbk, .bak, .bac, .abk, .as4, .asd, .ashbak, .backup, .bck, .bdb, .bk1, .bkc, .bkf, .bkp, .boe, .bpa, .bpd, .bup, .cmb, .fbf, .fbw, .fh, .ful, .gho, .ipd, .nb7, .nba, .nbd, .nbf, .nbi, .nbu, .nco, .oeb, .old, .qic, .sn1, .sn2, .sna, .spi, .stg, .uci, .win, .xbk, .iso, .htm, .html, .mht, .p7, .p7c, .pem, .sgn, .sec, .cer, .csr, .djvu, .der, .stl, .crt, .p7b, .pfx, .fb, .fb2, .tif, .tiff, .pdf, .doc, .docx, .docm, .rtf, .xls, .xlsx, .xlsm, .ppt, .pptx, .ppsx, .txt, .cdr, .jpe, .jpg, .jpeg, .png, .bmp, .jiff, .jpf, .ply, .pov, .raw, .cf, .cfn, .tbn, .xcf, .xof, .key, .eml, .tbb, .dwf, .egg, .fc2, .fcz, .fg, .fp3, .pab, .oab, .psd, .psb, .pcx, .dwg, .dws, .dxe, .zip, .zipx, .7z, .rar, .rev, .afp, .bfa, .bpk, .bsk, .enc, .rzk, .rzx, .sef, .shy, .snk, .accdb, .ldf, .accdc, .adp, .dbc, .dbx, .dbf, .dbt, .dxl, .edb, .eql, .mdb, .mxl, .mdf, .sql, .sqlite, .sqlite3, .sqlitedb, .kdb, .kdbx, .1cd, .dt, .erf, .lgp, .md, .epf, .efb, .eis, .efn, .emd, .emr, .end, .eog, .erb, .ebn, .ebb, .prefab, .jif, .wor, .csv, .msg, .msf, .kwm, .pwm, .ai, .eps, .abd, .repx, .oxps, .dot.

The Meduza Ransomware deletes the Windows Shadow Volume Copies and the System Restore points so that the victim has no alternative way of recovering their data, with the end goal of holding the victim's files hostage in exchange for a ransom payment. The Meduza Ransomware marks the files encrypted by its attack by adding the file extension '[].meduza' to the affected file's name.
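The deletion of Shadow Volume Copies described above is one of the few observable actions a ransomware sample takes before encryption finishes, so it is a common detection point. The following is an added example, not code from this page or from any vendor's product, showing detection logic run over constructed process-creation log lines. The page does not say which command Meduza uses; the patterns below cover the commonly known ways shadow copies are deleted on Windows (vssadmin, WMIC and WMI from PowerShell), which is an assumption about the mechanism, and the `cmdline="..."` log layout is invented for the example.

```python
import re

# Constructed sample process-creation events (not from the page). The
# "key=value" layout is a simplified form for this example, not a real
# vendor schema; only the cmdline field is inspected.
SAMPLE_EVENTS = [
    '2018-07-09T10:14:02Z host=WS01 user=alice image=C:\\Windows\\System32\\vssadmin.exe '
    'cmdline="vssadmin.exe Delete Shadows /All /Quiet"',
    '2018-07-09T10:14:03Z host=WS01 user=alice image=C:\\Windows\\System32\\wbem\\WMIC.exe '
    'cmdline="wmic shadowcopy delete"',
    '2018-07-09T10:15:10Z host=WS01 user=alice image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmdline="powershell -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
    # Benign: listing shadow copies is not deletion and must not fire.
    '2018-07-09T10:16:00Z host=WS01 user=alice image=C:\\Windows\\System32\\vssadmin.exe '
    'cmdline="vssadmin.exe List Shadows"',
    # Benign: the Word document that carried the macro, opening normally.
    '2018-07-09T10:17:30Z host=WS01 user=alice image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE '
    'cmdline="WINWORD.EXE /n invoice.docx"',
]

# Assumed deletion mechanisms (the page names none); each pattern is
# case-insensitive because ransomware authors vary the casing freely.
SHADOW_DELETION_PATTERNS = [
    ("vssadmin_delete_shadows",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wmi_shadowcopy_delete",
     re.compile(r"win32_shadowcopy.*?(?:\.delete\(\)|remove-wmiobject|remove-ciminstance)", re.I)),
]

CMDLINE_RE = re.compile(r'cmdline="([^"]*)"')


def extract_cmdline(event):
    """Return the command line from one constructed event, or None if absent."""
    match = CMDLINE_RE.search(event)
    return match.group(1) if match else None


def detect_shadow_copy_deletion(events):
    """Return (rule_name, command_line) for every event that deletes shadow copies.

    Each event contributes at most one finding (first matching rule wins).
    """
    findings = []
    for event in events:
        cmdline = extract_cmdline(event)
        if cmdline is None:
            continue
        for rule_name, pattern in SHADOW_DELETION_PATTERNS:
            if pattern.search(cmdline):
                findings.append((rule_name, cmdline))
                break
    return findings


if __name__ == "__main__":
    for rule_name, cmdline in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{rule_name}] {cmdline}")
```

Matching on the command line rather than the image path is deliberate: the same `vssadmin.exe` binary is used for the harmless `List Shadows`, so the argument, not the executable, carries the signal. In a real deployment this logic would sit behind a process-creation source such as Sysmon Event ID 1 or Security Event 4688 with command-line auditing enabled.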

The Meduza Ransomware's Ransom Demand

The Meduza Ransomware delivers a ransom note as an HTML file named 'How-To-Recover-Your-Files.html', dropped on the infected computer's desktop. The contents of the Meduza Ransomware ransom note are:

'All your files have been encrypted!
How to recover your files?
All your files have been encrypted by RSA and AES due to a security problem on your PC. You have to pay for decryption of Bitcoins.
If you want to restore them. You must send 0.08 bitcoin to my bitcoins address [Link]
After payment, we will send you the decryption tool that will decrypt all your files.
Please write us to the email
Your decrypt code is [ransom numbers]
Please write the decrypt code in the title of your email message. And don't forget to write the transfer accounts info.
1.Do not rename encrypted files.
2.Do not try to decrypt your data using third party software.It may cause permanent data loss.'
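The two artifacts the page names, the 'How-To-Recover-Your-Files.html' note and the '[].meduza' extension appended to encrypted files, are what an incident responder looks for first when scoping an infection. The following is an added triage example, not code from this page, that walks a directory tree, finds the note, recovers the original name of each marked file, and tallies which of the targeted file types were hit. The page writes the marker as '[].meduza' without saying what the brackets hold, so the code assumes an optional bracketed token immediately before `.meduza` and strips it; the sample directory layout and the `ID-PLACEHOLDER` token are constructed for the example.

```python
import re
import tempfile
from pathlib import Path

RANSOM_NOTE_NAME = "How-To-Recover-Your-Files.html"  # file name given on the page
MARKER_SUFFIX = ".meduza"                            # from the page's '[].meduza'

# Assumed marker form: an optional bracketed token, then ".meduza", at the
# end of the name. The page shows '[].meduza' but not what the brackets hold.
MARKER_RE = re.compile(r"(?:\[[^\]]*\])?\.meduza$", re.I)

# A subset of the extensions listed on the page, used to report which
# targeted file types were actually hit.
TARGETED_EXTENSIONS = {
    ".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".png", ".psd",
    ".sql", ".mdb", ".accdb", ".bak", ".pst", ".zip", ".7z", ".txt",
}


def original_name(file_name):
    """Strip the ransomware marker and return the original name, or None if unmarked."""
    if not MARKER_RE.search(file_name):
        return None
    return MARKER_RE.sub("", file_name)


def triage(root):
    """Scan a directory tree for the ransom note and marked (encrypted) files."""
    root = Path(root)
    result = {"ransom_notes": [], "encrypted": [], "by_extension": {}}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        if path.name == RANSOM_NOTE_NAME:
            result["ransom_notes"].append(rel)
            continue
        orig = original_name(path.name)
        if orig is None:
            continue  # untouched file
        ext = Path(orig).suffix.lower()
        result["encrypted"].append(rel)
        result["by_extension"][ext] = result["by_extension"].get(ext, 0) + 1
    result["targeted_hit"] = sorted(
        ext for ext in result["by_extension"] if ext in TARGETED_EXTENSIONS
    )
    return result


def build_constructed_sample():
    """Create a throwaway tree imitating a post-infection layout (constructed, not real data)."""
    root = Path(tempfile.mkdtemp(prefix="meduza_triage_"))
    (root / "Desktop").mkdir()
    (root / "Desktop" / RANSOM_NOTE_NAME).write_text("<html>constructed note placeholder</html>")
    docs = root / "Documents"
    docs.mkdir()
    for name in (
        "budget.xlsx[ID-PLACEHOLDER].meduza",   # bracketed token form
        "thesis.docx[ID-PLACEHOLDER].meduza",
        "scan.pdf.meduza",                      # marker without a bracketed token
        "notes.txt",                            # untouched file, must not be counted
    ):
        (docs / name).write_bytes(b"\x00constructed")
    return root


if __name__ == "__main__":
    report = triage(build_constructed_sample())
    print("ransom notes:", report["ransom_notes"])
    print("encrypted files:", len(report["encrypted"]))
    print("targeted types hit:", report["targeted_hit"])
```

Recovering the original extension matters beyond counting: it tells the responder which backups to restore first, and the list of marked files is the scope for any later decryption tool, which is why the note's instruction not to rename encrypted files is usually sound advice even though the rest of the note should be ignored.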

Dealing with the Meduza Ransomware

Computer users are counseled not to contact the criminals via the advised email address and not to pay the Meduza Ransomware ransom. Instead, they should take preventive measures. The best protection against threats like the Meduza Ransomware is to keep file backups in an external location, which enables computer users to restore their data in the event of an attack. A security program will help victims remove the Meduza Ransomware infection itself, although it may not be able to restore any files encrypted by the Meduza Ransomware's attack.
