OlSaveLock Ransomware is a MedusaLocker Variant Targeting Random Files


During a routine analysis of new malicious files, our team of researchers discovered the OlSaveLock ransomware. This malicious software operates by encrypting data and demanding a ransom in exchange for decryption. Notably, OlSaveLock is a member of the notorious MedusaLocker ransomware family.

In our testing environment, OlSaveLock effectively encrypted files and added a distinct ".olsavelock31" extension to their original filenames. For instance, a file named "1.jpg" would appear as "1.jpg.olsavelock31," while "2.png" would become "2.png.olsavelock31," and so on. It is important to note that the specific number within the extension may vary depending on the variant of the ransomware. Additionally, OlSaveLock deposited a ransom note named "How_to_back_files.html" onto the desktop.

The content of the ransom note clearly indicates that OlSaveLock primarily targets large organizations rather than individual home users. According to the message, the victim's corporate network has been compromised. The extent of the damage is described as the encryption of crucial files utilizing RSA and AES cryptographic algorithms, along with the unauthorized extraction of sensitive and personal data.

The note states that paying the ransom is essential for decrypting the affected files and preventing the exposure or sale of the stolen information. Before making the payment, the victim is offered the opportunity to test the decryption process on three files that do not contain valuable data.

Although the specific amount of the ransom is not specified in the note, it is implied that the sum will increase if the victim fails to establish contact with the attackers within 72 hours. Furthermore, the victim is explicitly warned that any attempts to rename or modify the encrypted files, as well as the usage of third-party decryption tools, will result in permanent data loss.

OlSaveLock Ransom Note Threatens Ransom Hike in 72 Hours

The full text of the OlSaveLock ransom note reads as follows:


All your important files have been encrypted!

Your files are safe! Only modified. (RSA+AES)


No software available on internet can help you. We are the only ones able to
solve your problem.

We gathered highly confidential/personal data. These data are currently stored on
a private server. This server will be immediately destroyed after your payment.
If you decide to not pay, we will release your data to public or re-seller.
So you can expect your data to be publicly available in the near future..

We only seek money and our goal is not to damage your reputation or prevent
your business from running.

You will can send us 2-3 non-important files and we will decrypt it for free
to prove we are able to give your files back.

Contact us for price and get decryption software.


  • To contact us, create a new free email account on the site: protonmail.com

How is Ransomware Like OlSaveLock Usually Delivered onto the Victim System?

The delivery of ransomware like OlSaveLock onto victim systems typically involves various methods and techniques. Here are some common ways in which ransomware is commonly delivered:

  • Phishing Emails: Phishing emails remain a popular method for delivering ransomware. Attackers send seemingly legitimate emails with malicious attachments or links. These emails often impersonate reputable organizations, tricking recipients into opening attachments or clicking on links that download the ransomware onto their systems.
  • Malicious Downloads: Ransomware can also be delivered through malicious downloads from compromised websites or deceptive advertisements (malvertising). Visiting compromised websites or clicking on malicious ads can trigger the automatic download and execution of the ransomware payload.
  • Exploit Kits: Exploit kits are toolkits that take advantage of vulnerabilities in software or operating systems. By exploiting security weaknesses, they can silently deliver and install ransomware on vulnerable systems without user interaction. These vulnerabilities can be found in outdated software or unpatched systems.
  • Remote Desktop Protocol (RDP) Attacks: Attackers may target systems that have the Remote Desktop Protocol (RDP) enabled but have weak or easily guessable login credentials. They attempt to gain unauthorized access to the system and then deploy the ransomware.
  • Malicious Links and Websites: Ransomware can be distributed through malicious links shared via social media, instant messaging platforms, or compromised websites. Clicking on these links or visiting infected websites can trigger the download and execution of the ransomware.
  • Drive-by Downloads: Drive-by downloads occur when ransomware is automatically downloaded and installed without the user's knowledge or interaction while visiting a compromised or malicious website. Exploiting vulnerabilities in browsers or plugins, the ransomware is delivered stealthily.

It's important to note that these delivery methods can evolve and new techniques can emerge over time. To protect against ransomware attacks, it is crucial to maintain up-to-date security software, regularly apply patches and updates, exercise caution when opening email attachments or clicking on links, and implement strong access controls and security measures on systems and networks. Regular data backups and user education on recognizing and avoiding potential threats also play a crucial role in mitigating the impact of ransomware attacks.

May 18, 2023

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.