Skip to main content

Home Medusa ransomware

Medusa ransomware

Also known as: MedusaLocker, AKO Ransomware, AKO Doxware, MedusaReborn

Category: Malware

Type: Ransomware, Ransomware-as-a-Service (RaaS)

Platform: Windows

Variants: MedusaLocker with .txt ransom note and MedusaLocker with .html ransom note

Damage potential: Inaccessible files, data loss, ransom demands, financial damage, operational disruption


MedusaLocker is malicious software that encrypts files on a victim’s computer and demands payment in cryptocurrency to restore access to those files. Medusa ransomware is typically downloaded onto a victim’s network via an attachment or a link in an email or through vulnerabilities in the Remote Desktop Protocol (RDP). This ransomware was first detected in 2019 and is known to target individuals and institutions alike.

Possible symptoms

The following may indicate a MedusaLocker infection:

  • Inaccessible files.
  • File names with unfamiliar extensions such as “.datalock,” “.lockfiles,” “.marlock01,” or “.locker16.”
  • A ransom note detailing how to connect with MedusaLocker threat actors to complete payment.

Sources of the infection

Like many types of ransomware, MedusaLocker spreads through malicious links and attachments in phishing emails, compromised websites, vulnerabilities in outdated software, and open RDP ports on your computer or server.


Use the following techniques to avoid a MedusaLocker infection:

  • Be cautious about opening email attachments or clicking links from unknown or suspicious sources.
  • Keep your operating system and all software up to date.
  • Install and regularly update reliable antivirus or antimalware solutions.
  • Block malicious websites and scan downloaded files for malware with NordVPN’s Threat Protection feature.
  • Back up important data in a secure offline location or on a separate network.
  • Use firewalls to block malicious traffic and monitor network activity.


Keep in mind that paying the ransom doesn’t guarantee the recovery of your files and might encourage further criminal activity. Instead, follow these steps to remove MedusaLocker from your system:

  • Isolate the infected device: Disconnect the infected device from the network to avoid further damage.
  • Use antivirus software: Run a full system scan using reputable antivirus software to detect and remove MedusaLocker.
  • Restore from backups: Once the removal is done, restore your data from a clean backup.
  • Update your system: Be sure that your operating system and all software are updated to fix any vulnerabilities.
  • Implement stronger security measures: Re-evaluate your online security practices and switch to stronger measures to protect yourself from future infections.

If you’re not confident in handling the removal yourself, make sure to get help from cybersecurity professionals.