What is Meduza ransomware, and how does it carry out its attack?
Meduza ransomware is a crypto-virus that encrypts files on a compromised PC so that the victim can no longer open them. According to security researchers it may be related to Greystar ransomware, since the two use the same ransom note text and the same contact email address. Like Greystar, it carries out a series of actions once it runs. It starts by dropping files into system folders; these files are reportedly used to keep programs installed on the computer from interfering with the attack. It also adds entries to the Windows Registry so that it runs automatically at every system startup. It then locates its target files and encrypts them. After encryption it drops a file named “How-To-Recover-Your-Files.html” containing the following message:
“All your files have been encrypted!
How to recover your files?
All your files have been encrypted by RSA and AES due to a security problem on your PC.
You have to pay for decryption of Bitcoins.
If you want to restore them. You must send 0.08 bitcoin to my bitcoins address 1JnRP8UsTDLRjzCTaJXYPr5oYkKc7bLY2Q.
After payment, we will send you the decryption tool that will decrypt all your files.
Please write us to the email
Your decrypt code is [redacted] Please write the decrypted code in the title of your email message. And don’t forget to write the transfer accounts info.
How to obtain Bitcoins?
The easiest way to buy bitcoins is LocalBitcoins site. You have to register. Click “Buy Bitcoins.” And select the seller by payment method and price.
The Web Site address is https://localbitcoins.com/, or other websites.
1. Do not rename encrypted files.
2. Do not try to decrypt your data using third party software. It may cause permanent data loss.”
At the time of writing it has not been confirmed that the malware actually uses both AES and RSA as the note claims; ransom notes routinely overstate or misdescribe the encryption scheme. Whatever cipher it uses, paying the ransom is not recommended: payment funds the operation and does not guarantee a working decryption tool. Keep a copy of the ransom note (the “decrypt code” in it functions as the victim identifier) together with a few encrypted files, since both are needed to identify the family and to use a free decryptor if one becomes available.
How does Meduza ransomware proliferate?
Like Greystar ransomware, Meduza ransomware spreads through spam email. The operators attach a malicious file to the message and dress the email up to look as if it came from a well-known company or organisation, so that the recipient opens it and runs the attachment. Opening the attachment executes the payload, which installs Meduza ransomware on the system. Treat unexpected attachments with suspicion and verify the sender before opening any of them.
To remove Meduza ransomware from your computer, follow the removal instructions below.
Step 1: Tap Ctrl + Shift + Esc keys to launch the Task Manager.
Step 2: Go to Processes and look for the malicious process of Meduza ransomware (ransomware usually runs under a random or unfamiliar name from a user or temp folder and keeps disk activity high while encrypting), then right-click it and select End Process or End Task.
Step 3: Close the Task Manager and open Programs and Features by pressing Windows key + R, typing appwiz.cpl and clicking OK or pressing Enter.
Step 4: Look for dubious programs that might be related to Meduza ransomware and uninstall them.
Step 5: Tap Win + E to launch File Explorer.
Step 6: In File Explorer, navigate to the directories listed below and look for components of Meduza ransomware, such as How-To-Recover-Your-Files.html and the dropped [random].exe, then delete them all.
Step 7: Close the File Explorer.
Before you proceed to the next steps, make sure you are comfortable editing the Windows Registry: deleting the wrong key can leave Windows unable to boot or log you in, so export each key you intend to change (File > Export in Registry Editor) before touching it. If you would rather not edit the Registry by hand, you can use [product-name] instead. Otherwise, go on to the next steps.
Step 8: Tap Win + R to open Run, type regedit in the field and press Enter to open the Registry Editor.
Step 9: Navigate to the paths below and look for values that Meduza ransomware added or changed. Both paths are built-in Windows keys, not keys the malware created; the Wallpaper value under them is what ransomware typically rewrites to display its note.
- HKEY_CURRENT_USER\Control Panel\Desktop\
- HKEY_USERS\.DEFAULT\Control Panel\Desktop\
Step 10: Delete only the values Meduza ransomware added and restore any it changed; do not delete the Desktop keys themselves. The startup entry described earlier will not be under these keys, so also check the standard autostart locations (the Run and RunOnce keys under HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion) and remove any entry pointing at the dropped executable.
Step 11: Close the Registry Editor.
Step 12: Empty your Recycle Bin.
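The following PowerShell script is an added example, not code from the original article, that turns the behaviour described in the first section and Steps 1 to 10 into a repeatable triage run from an elevated prompt: it lists processes running from outside Program Files and Windows, finds every copy of the ransom note (the folders it sits in show what was encrypted), flags autostart entries that point outside the usual program locations, and reads the Wallpaper value under the two Desktop keys so you can reset it rather than delete the key. Only the ransom-note filename and the two Control Panel\Desktop paths come from the article; the search roots, the Run/RunOnce keys and the "outside Program Files or Windows" heuristic are my assumptions and will also flag legitimate portable software, so review the output before deleting anything.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell.
# From the article: the note filename and the two Desktop registry paths.
# Assumptions: search roots, autostart keys and the path heuristic below.

$NoteName    = 'How-To-Recover-Your-Files.html'
$SearchRoots = @("$env:SystemDrive\Users",
                 "$env:SystemDrive\ProgramData",
                 "$env:SystemDrive\Windows\Temp")
$TrustedPath = '\\Program Files|\\Windows\\'     # regex: where normal binaries live
$AutostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$DesktopKeys = @(
    'HKCU:\Control Panel\Desktop',
    'Registry::HKEY_USERS\.DEFAULT\Control Panel\Desktop'
)

# 1. Processes whose image is outside Program Files / Windows (Steps 1-2).
#    A dropped [random].exe in a user or temp folder shows up here.
"== Processes running from unusual locations =="
Get-Process | Where-Object { $_.Path -and $_.Path -notmatch $TrustedPath } |
    Select-Object Id, ProcessName, Path | Format-Table -AutoSize

# 2. Ransom notes (Step 6). One note per encrypted folder is the usual pattern,
#    so the list doubles as an inventory of affected directories.
"== Ransom notes =="
Get-ChildItem -Path $SearchRoots -Recurse -Force -Filter $NoteName -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime | Format-Table -AutoSize

# 3. Autostart entries (the startup persistence described in the first section).
"== Autostart entries =="
foreach ($key in $AutostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }        # provider metadata, not a value
        [pscustomobject]@{
            Key     = $key
            Name    = $p.Name
            Command = $p.Value
            Suspect = ($p.Value -notmatch $TrustedPath)   # heuristic, verify by hand
        }
    }
}

# 4. Wallpaper value under the Desktop keys (Steps 9-10). Inspect and reset the
#    value; the keys themselves are part of Windows and must stay.
"== Desktop wallpaper values =="
foreach ($key in $DesktopKeys) {
    if (-not (Test-Path $key)) { continue }
    $wp = (Get-ItemProperty -Path $key -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
    [pscustomobject]@{ Key = $key; Wallpaper = $wp }
}
```

Once the dropped executable is identified from sections 1 and 3, remove the autostart value with Remove-ItemProperty on the key and name shown, end the process, and only then delete the file; doing it in the other order lets a still-running process recreate its persistence.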
Restore the previous state of your files using the Shadow Volume copies
Windows’ Previous Versions feature is backed by Volume Shadow Copies, so it only helps if Meduza ransomware has not deleted them (many ransomware families run vssadmin to do exactly that). It is free and takes a minute to check, so it is worth a try before anything else.
To restore an encrypted file, right-click it and select Properties; in the window that opens, go to the Previous Versions tab. It lists the versions of the file that exist in shadow copies taken before it was modified. Select a version dated before the encryption, like the one in the illustration below, and click Restore (or Copy, to save the old version alongside the encrypted one instead of overwriting it).
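The script below is an added example, not part of the original article, showing what the Previous Versions dialog does under the hood: it enumerates the shadow copies that still exist (an empty list is the quick way to learn that the ransomware deleted them and the dialog will be empty too), exposes the newest one as a directory through a symbolic link, and copies the pre-encryption version of one file out of it. The target file path and the mount point are assumptions for illustration; run it from an elevated prompt.

```powershell
# Added example, not from the original article. Run elevated.
# Assumptions: the file to recover and the directory used as a mount point.
$Target     = "$env:USERPROFILE\Documents\report.docx"   # hypothetical encrypted file
$MountPoint = "$env:SystemDrive\vss_mount"               # hypothetical link location

# 1. Enumerate snapshots, newest first. Nothing here means Previous Versions
#    cannot help: the shadow copies are gone.
$snapshots = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate -Descending
if (-not $snapshots) {
    Write-Warning 'No shadow copies present; Previous Versions will be empty.'
    return
}
"== Shadow copies =="
$snapshots | Select-Object InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize

# 2. Link the newest snapshot into the file system. The trailing backslash on the
#    device path is required by mklink. On a multi-volume system pick the snapshot
#    whose VolumeName matches the drive the target file lives on.
$snap = @($snapshots)[0]
if (Test-Path $MountPoint) { cmd /c rmdir $MountPoint }
cmd /c mklink /d $MountPoint "$($snap.DeviceObject)\" | Out-Null

# 3. Map the target path into the snapshot, compare, and copy the old version out
#    under a new name so the encrypted file is kept as evidence.
$relative = $Target.Substring(3)          # drop "C:\" so the path is relative to the volume
$snapFile = Join-Path $MountPoint $relative
if (Test-Path $snapFile) {
    $old  = Get-Item $snapFile
    $live = Get-Item $Target -ErrorAction SilentlyContinue
    "Snapshot copy: $($old.Length) bytes, written $($old.LastWriteTime) (taken $($snap.InstallDate))"
    if ($live) { "Live copy:     $($live.Length) bytes, written $($live.LastWriteTime)" }
    Copy-Item -Path $snapFile -Destination "$Target.recovered" -Force
    "Recovered copy written to $Target.recovered"
} else {
    Write-Warning "$relative is not in this snapshot; try an older one."
}

# 4. Remove the link. rmdir on a directory symlink removes only the link; the
#    snapshot itself is untouched.
cmd /c rmdir $MountPoint
```

If the snapshot's LastWriteTime for the file is later than the time the encryption started, that snapshot was taken after the damage and an older one is needed; step 1 prints the InstallDate of each so you can choose.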
To make sure Meduza ransomware and the components it created are fully removed from your system, follow the advanced steps below.
Perform a full system scan using [product-code]. To do so, follow these steps:
- Turn on your computer. If it is already on, reboot it.
- Press F8 repeatedly as soon as the machine starts, before the Windows logo appears, until the Advanced Boot Options menu is displayed. If Windows starts normally instead, reboot and try again. On Windows 8 and later the F8 menu is disabled by default: hold Shift while clicking Restart (or use Settings > Update & Security > Recovery > Advanced startup) and choose Troubleshoot > Advanced options > Startup Settings > Restart, then pick Safe Mode with Networking from the list that appears.
- In the Advanced Boot Options menu, use the arrow keys to select Safe Mode with Networking and press Enter.
- Windows will now load Safe Mode with Networking.
- Press and hold the Windows key and press R.
- If done correctly, the Windows Run box will appear.
- Type [product-url] into the Run box and press Enter or click OK.
- The program will download. Wait for the download to finish, then open the launcher to install it.
- Once the installation is complete, run [product-code] to perform a full system scan.
- After the scan has completed, click the “Fix, Clean & Optimize Now” button.
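As an added example that is not part of the original article, the script below reaches Safe Mode with Networking from an elevated PowerShell prompt without depending on the F8 timing, which is the step people most often get wrong and which Windows 8 and later ignore unless the legacy boot menu is re-enabled. It sets the one-time safeboot flag, optionally turns the F8 menu back on, and, when run with -Restore after the scan, clears the flag so the machine stops booting into Safe Mode; it also prints the boot state so you can confirm which mode you are actually in. The bcdedit and shutdown commands are standard Windows tools; the script itself is mine.

```powershell
# Added example, not from the original article. Run elevated.
# Usage:  .\safemode.ps1            -> reboot into Safe Mode with Networking
#         .\safemode.ps1 -Restore   -> clear the flag so the next boot is normal
param(
    [switch]$Restore,
    [switch]$EnableF8Menu    # also re-enable the legacy F8 Advanced Boot Options menu
)

# Report the mode Windows is currently running in. Expected values are
# "Normal boot", "Fail-safe boot" and "Fail-safe with network boot".
$state = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
"Current boot state: $state"

if ($Restore) {
    # Remove the one-time Safe Mode setting; without this every reboot
    # lands in Safe Mode again.
    bcdedit /deletevalue "{current}" safeboot
    "safeboot flag cleared; the next restart boots normally."
    return
}

if ($EnableF8Menu) {
    # Brings back the F8 menu on Windows 8 and later (the article's method).
    bcdedit /set "{default}" bootmenupolicy legacy
}

# Force the next boot into Safe Mode with Networking and restart now.
bcdedit /set "{current}" safeboot network
"safeboot=network set; restarting."
shutdown /r /t 0
```

Safe Mode with Networking still loads the network stack, so the download step in the article works, but Run-key autostart entries are not executed there, which is why a dropped executable that survived Steps 1 to 12 does not get a chance to start before the scan.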