Infected (MedusaLocker) Ransomware Will Lock Victim Systems


While analyzing new malware samples, researchers have come across a ransomware variant from the MedusaLocker family, which they've named "Infected." This ransomware operates by encrypting files and appending the ".infected" extension to their names. Additionally, it leaves a ransom note titled "HOW_TO_BACK_FILES.html."

Infected renames every file it encrypts by appending that extension: for instance, "1.jpg" becomes "1.jpg.infected" and "2.png" becomes "2.png.infected."
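The two host-level indicators the article names, the ".infected" suffix and the HOW_TO_BACK_FILES.html note, are enough for a first-pass triage of a file listing. The script below is an added example, not code from the article or from any vendor tool; the sample paths and the MIN_ENCRYPTED threshold are constructed assumptions.

```python
"""Triage a file listing for Infected (MedusaLocker) indicators.

Added example, not from the original article. Input is a list of file paths
(a constructed sample here; in practice a directory walk or an EDR file-event
export) and the output is a summary a responder can act on.
"""
from collections import Counter
from pathlib import PureWindowsPath
from typing import Optional

ENCRYPTED_SUFFIX = ".infected"          # appended to each encrypted file (from the article)
RANSOM_NOTE = "HOW_TO_BACK_FILES.html"  # ransom note file name (from the article)
MIN_ENCRYPTED = 5  # assumed threshold: a lone ".infected" file is suspicious, not conclusive


def original_name(path: str) -> Optional[str]:
    """Return the pre-encryption name ("1.jpg" for "1.jpg.infected"), else None."""
    if path.lower().endswith(ENCRYPTED_SUFFIX):
        return path[: -len(ENCRYPTED_SUFFIX)]
    return None


def triage(paths):
    """Count encrypted files, locate ransom notes and return a verdict."""
    encrypted = []
    note_dirs = set()
    for p in paths:
        pp = PureWindowsPath(p)
        if pp.name.lower() == RANSOM_NOTE.lower():
            note_dirs.add(str(pp.parent))
        orig = original_name(p)
        if orig is not None:
            encrypted.append(orig)
    # Which file types were hit; useful for scoping restores from backup.
    ext_counts = Counter(PureWindowsPath(o).suffix.lower() or "<none>" for o in encrypted)
    # A dropped ransom note is conclusive on its own; otherwise require a cluster of renames.
    if note_dirs or len(encrypted) >= MIN_ENCRYPTED:
        verdict = "likely-infected"
    elif encrypted:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"encrypted_count": len(encrypted), "note_dirs": sorted(note_dirs),
            "extensions": dict(ext_counts), "verdict": verdict}


# Constructed sample listing of an affected user profile.
SAMPLE_PATHS = [
    r"C:\Users\alice\Pictures\1.jpg.infected",
    r"C:\Users\alice\Pictures\2.png.infected",
    r"C:\Users\alice\Pictures\HOW_TO_BACK_FILES.html",
    r"C:\Users\alice\Documents\budget.xlsx.infected",
    r"C:\Users\alice\Documents\HOW_TO_BACK_FILES.html",
    r"C:\Users\alice\Documents\readme.txt",
]
```

Because the note is keyed on file name alone, a legitimate file that happens to end in ".infected" only ever yields "suspicious", never "likely-infected", unless enough of them cluster together.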

The ransom note communicates that the victim's crucial files have been encrypted. It emphasizes that these files, though locked, remain safe but have undergone encryption using a combination of RSA and AES methods. The note explicitly warns against any attempts to recover these files using third-party software, as such attempts would lead to permanent corruption. It also advises against altering or renaming the encrypted files.

The note asserts that only the ransomware operators can resolve the issue, stating that no third-party software can assist in this matter. Furthermore, it mentions the collection of highly confidential or personal data, which is stored on a private server. If the victim chooses not to pay the ransom, this data will either be made public or sold to a reseller, thereby becoming publicly accessible.

The note provides contact details for reaching out to the operators, including a Tor-based URL for communication. It offers instructions on how to access the Tor network and engage in a chat with them. Additionally, it provides email addresses (ithelp02@securitymy.name and ithelp02@yousheltered.com) for communication.

The note also states that the ransom amount will increase if the victim does not contact the operators within 72 hours.

Infected Threatens to Increase Ransom in Three Days

The full text of the Infected ransom note reads as follows:

YOUR PERSONAL ID:

YOUR COMPANY NETWORK HAS BEEN PENETRATED
All your important files have been encrypted!

Your files are safe! Only modified. (RSA+AES)

ANY ATTEMPT TO RESTORE YOUR FILES WITH THIRD-PARTY SOFTWARE
WILL PERMANENTLY CORRUPT IT.
DO NOT MODIFY ENCRYPTED FILES.
DO NOT RENAME ENCRYPTED FILES.

No software available on internet can help you. We are the only ones able to
solve your problem.

We gathered highly confidential/personal data. These data are currently stored on
a private server. This server will be immediately destroyed after your payment.
If you decide to not pay, we will release your data to public or re-seller.
So you can expect your data to be publicly available in the near future.

We only seek money and our goal is not to damage your reputation or prevent
your business from running.

You can send us 2-3 non-important files and we will decrypt them for free
to prove we are able to give your files back.

Contact us for price and get decryption software.

qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
Note that this server is available via Tor browser only

Follow the instructions to open the link:

  1. Type the address "hxxps://www.torproject.org" in your Internet browser. It opens the Tor site.
  2. Press "Download Tor", then press "Download Tor Browser Bundle", install and run it.
  3. Now you have Tor browser. In the Tor Browser open qd7pcafncosqfqu3ha6fcx4h6sr7tzwagzpcdcnytiw3b6varaeqv5yd.onion
  4. Start a chat and follow the further instructions.
    If you can not use the above link, use the email:
    ithelp02@securitymy.name
    ithelp02@yousheltered.com

To contact us, create a new free email account on the site: protonmail.com
IF YOU DON'T CONTACT US WITHIN 72 HOURS, PRICE WILL BE HIGHER.

How Can Ransomware Like Infected Get on Your System?

Ransomware like Infected can infiltrate your system through various means. Here are some common ways that ransomware can get onto your computer:

  • Phishing Emails: Phishing emails are one of the most common delivery methods for ransomware. Cybercriminals send deceptive emails that appear to be from a legitimate source, but they contain malicious attachments or links. When you open the attachment or click the link, it can download and execute the ransomware on your system.
  • Malicious Websites: Visiting malicious or compromised websites can also lead to ransomware infections. These websites may exploit vulnerabilities in your web browser or plugins to download and install ransomware without your knowledge or consent.
  • Drive-By Downloads: Ransomware can be delivered through "drive-by downloads" where malware is automatically downloaded and installed on your system when you visit a compromised or malicious website. This typically happens without any user interaction.
  • Malvertising: Cybercriminals may use malicious advertisements (malvertising) on legitimate websites to distribute ransomware. Clicking on these ads can trigger the download and installation of ransomware.
  • Software Vulnerabilities: Outdated or unpatched software can be exploited by ransomware. If your operating system or applications have known vulnerabilities that haven't been patched, attackers can exploit them to gain access to your system and deploy ransomware.
  • Untrusted Downloads: Downloading software, files, or torrents from untrusted or unofficial sources can be risky. Some downloads may be bundled with ransomware or other malware, so it's important to only download from reputable sources.
  • USB Drives and External Devices: Ransomware can spread through infected USB drives or external devices. If you connect a device that contains ransomware to your computer, it can quickly infect your system.
October 6, 2023