Genesis Ransomware is a MedusaLocker Clone


Our team has identified the Genesis ransomware, a variant belonging to the MedusaLocker family. Like other ransomware, it encrypts files and demands payment for their decryption.

During our testing, the Genesis (MedusaLocker) ransomware encrypted files on our test machine and added a ".genesis15" extension to their filenames (note that the number may vary depending on the variant of the program). For instance, a file originally named "1.jpg" was transformed into "1.jpg.genesis15," and "2.png" became "2.png.genesis15."

Upon completing the encryption process, the ransomware deposited a ransom note named "HOW_TO_BACK_FILES.html." The message in the HTML file indicates that Genesis (MedusaLocker) targets companies rather than individual users. According to the note, the victim's company network has been penetrated, the files have been encrypted with a combination of the RSA and AES cryptographic algorithms, and highly confidential data has been exfiltrated from the network to a server controlled by the attackers.

The victim is warned that altering the affected files' names, making modifications, or using third-party recovery software could lead to permanent data loss. To initiate the decryption process, the victim is required to pay a ransom. Although the exact amount is not specified in the note, it is mentioned that contacting the attackers after 72 hours will result in an increased ransom.

Before making any payment, the victim is offered a free test decryption of two or three non-important files. Failure to comply with the cybercriminals' demands may lead to the stolen data being sold to a reseller or leaked publicly.
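The two file-system indicators described above, the appended ".genesis&lt;N&gt;" extension with a variant-dependent number and the dropped "HOW_TO_BACK_FILES.html" note, are enough to triage a share after the fact. The following script is an added example written for this page, not code from the original article or from the ransomware itself. It walks a directory tree, flags ransom notes, recovers the original name of each renamed file and records which variant numbers appear, and it builds a constructed sample tree (placeholder bytes, not real encrypted files) so it can be run offline; the function names and the sample layout are assumptions of this example.

```python
"""Triage helper for the Genesis (MedusaLocker) indicators described above.

Added example, not code from the original article. It relies only on the two
indicators the write-up gives: the appended ".genesis<N>" extension, whose
number varies between variants, and the dropped "HOW_TO_BACK_FILES.html" note.
"""
import re
import tempfile
from pathlib import Path

# ".genesis" followed by one or more digits, anchored at the very end of the name.
GENESIS_EXT = re.compile(r"\.genesis(\d+)$", re.IGNORECASE)
RANSOM_NOTE = "HOW_TO_BACK_FILES.html"


def classify_name(name: str):
    """Return (original_name, variant_number) for a Genesis-renamed file, else None.

    "1.jpg.genesis15" -> ("1.jpg", 15); "archive.genesis15.bak" -> None, because the
    marker is not the final extension.
    """
    m = GENESIS_EXT.search(name)
    if m is None:
        return None
    return name[: m.start()], int(m.group(1))


def triage(root):
    """Walk `root` and collect the ransomware artefacts it contains.

    Returns a dict with the relative paths of ransom notes, a list of
    (encrypted_path, original_name) pairs and the set of variant numbers seen.
    """
    root = Path(root)
    notes, encrypted, variants = [], [], set()
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() == RANSOM_NOTE.lower():
            notes.append(rel)
            continue
        hit = classify_name(path.name)
        if hit is not None:
            encrypted.append((rel, hit[0]))
            variants.add(hit[1])
    return {"notes": notes, "encrypted": encrypted, "variants": variants}


def build_sample_tree(base):
    """Write a constructed directory layout mimicking a post-infection share.

    Constructed sample data (an assumption of this example): the contents are
    placeholders, not real encrypted files or the real note.
    """
    base = Path(base)
    (base / "docs").mkdir(parents=True)
    (base / "docs" / "1.jpg.genesis15").write_bytes(b"\x00placeholder")
    (base / "docs" / "2.png.genesis15").write_bytes(b"\x00placeholder")
    # MedusaLocker-style notes land in more than one folder.
    (base / "docs" / RANSOM_NOTE).write_text("<html>placeholder</html>")
    (base / RANSOM_NOTE).write_text("<html>placeholder</html>")
    # Decoys that must not be flagged: marker not at the end, and no digits.
    (base / "docs" / "archive.genesis15.bak").write_bytes(b"zip")
    (base / "readme.genesis").write_text("not an indicator")
    return base


def demo():
    """Build the sample tree in a temp dir, triage it and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    report = demo()
    print(f"ransom notes : {len(report['notes'])}")
    print(f"variants seen: {sorted(report['variants'])}")
    for enc, original in report["encrypted"]:
        print(f"{enc} -> originally {original}")
```

Point `triage()` at a mounted image or a restored share rather than the live host: the recovered original names tell you what was hit, the variant set tells you whether more than one build ran, and a note in a folder with no renamed files is a hint that the encryptor was interrupted there. The regex deliberately requires digits and end-of-name anchoring so that a backup archive or a stray ".genesis" text file does not inflate the count.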

Genesis Ransom Note Copies MedusaLocker

The full text of the Genesis ransom note reads as follows:

YOUR PERSONAL ID:

YOUR COMPANY NETWORK HAS BEEN PENETRATED
All your important files have been encrypted!

Your files are safe! Only modified. (RSA+AES)

ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE
WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.

No software available on internet can help you. We are the only ones able to
solve your problem.

We gathered highly confidential/personal data. These data are currently stored on
a private server. This server will be immediately destroyed after your payment.
If you decide to not pay, we will release your data to public or re-seller.
So you can expect your data to be publicly available in the near future..

We only seek money and our goal is not to damage your reputation or prevent
your business from running.

You will can send us 2-3 non-important files and we will decrypt it for free
to prove we are able to give your files back.

Contact us for price and get decryption software.

email:
assistant01@backup.capital
assistant01@decodezone.net

To contact us, create a new free email account on the site: protonmail.com
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

How is Ransomware Commonly Distributed Online?

Ransomware reaches victims through a handful of well-worn delivery channels that exploit software vulnerabilities or unsuspecting users. One caveat for the family Genesis belongs to: the joint CISA/FBI #StopRansomware advisory on MedusaLocker (AA22-181A) reports that its operators most often gain initial access through vulnerable or exposed Remote Desktop Protocol (RDP) configurations rather than through the user-facing lures below, so an organization that finds this note should check its RDP exposure first. Common distribution methods include:

Phishing Emails: Cybercriminals often use phishing emails to deliver ransomware. These emails may contain malicious attachments or links that, when clicked, download and execute the ransomware on the victim's system. The emails are designed to trick users into opening the attachment or clicking the link, often by posing as legitimate entities or urgent messages.

Malicious Websites and Drive-by Downloads: Visiting a compromised or attacker-controlled website can trigger a drive-by download, in which exploit code on the page abuses a vulnerability in the browser, a plugin, or the operating system to download and execute ransomware without any further interaction from the user. Keeping browsers and operating systems patched removes most of the vulnerabilities these pages rely on.

Malvertising: Malicious advertising, or malvertising, involves placing malicious code in online advertisements served through legitimate ad networks, so the ads appear on otherwise trustworthy websites. Clicking such an ad, or in some cases merely loading the page that serves it, redirects the browser to a page that drops ransomware on the device.

Watering Hole Attacks: In watering hole attacks, hackers target websites frequented by a specific group or industry. By compromising these websites to serve malware, attackers can infect the systems of individuals or organizations that visit them, leveraging the trust associated with the targeted sites.

Removable Media and Infected Software: Ransomware can spread through infected software downloads or malicious files on removable media such as USB drives. Users may unknowingly introduce ransomware to their systems by downloading compromised software or inserting infected external devices.

March 11, 2024