{"id":57285,"date":"2024-10-03T13:23:14","date_gmt":"2024-10-03T13:23:14","guid":{"rendered":"https:\/\/packetstormsecurity.com\/news\/view\/36428\/Ransowmare-Crew-Infects-100-Orgs-Monthly-With-New-MedusaLocker-Variant.html"},"modified":"2024-10-03T13:23:14","modified_gmt":"2024-10-03T13:23:14","slug":"ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\/","title":{"rendered":"Ransowmare Crew Infects 100+ Orgs Monthly With New MedusaLocker Variant"},"content":{"rendered":"<p><span class=\"label\">Exclusive<\/span> An extortionist armed with a new variant of MedusaLocker ransomware has infected more than 100 organizations a month since at least 2022, according to Cisco Talos, which recently discovered a &#8220;substantial&#8221; Windows credential data dump that sheds light on the criminal and their victims.<\/p>\n<p>The miscreant, whom Talos has dubbed &#8220;PaidMemes,&#8221; uses a recent MedusaLocker variant called &#8220;BabyLockerKZ,&#8221; and inserts the words &#8220;paid_memes&#8221; into the malware plus other tools used during the attacks.<\/p>\n<p>In research published today and shared exclusively with <em>The Register<\/em>, the threat intel group asserts, &#8220;with medium confidence,&#8221; that PaidMemes is financially motivated and working as an initial access broker or ransomware cartel affiliate, attacking a ton of businesses arond the globe for at least the last two years.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"condor\" data-xsm=\",fluid,mpu,\" data-sm=\",fluid,mpu,\" data-md=\",fluid,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zv6tWdLKBFgr2WSMoEjofAAAAAQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zv6tWdLKBFgr2WSMoEjofAAAAAQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>The extortionist&#8217;s earlier victims in October 2022 were primarily in Europe \u2013 France, Germany, Spain, and Italy made up the bulk of their activity.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"falcon\" data-xmd=\",fluid,mpu,leaderboard,\" data-lg=\",fluid,mpu,leaderboard,\" data-xlg=\",fluid,billboard,superleaderboard,mpu,leaderboard,\" data-xxlg=\",fluid,billboard,superleaderboard,brandwidth,brandimpact,leaderboard,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44Zv6tWdLKBFgr2WSMoEjofAAAAAQ&amp;t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44Zv6tWdLKBFgr2WSMoEjofAAAAAQ&amp;t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<div class=\"adun_eagle_desktop_story_wrapper\">\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"mid\" data-raptor=\"eagle\" data-xxlg=\",mpu,dmpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33Zv6tWdLKBFgr2WSMoEjofAAAAAQ&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33Zv6tWdLKBFgr2WSMoEjofAAAAAQ&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<\/p><\/div>\n<p>Then, during the second quarter of 2023, the attack volume per month nearly doubled, and the focus shifted to Central and South America, with Brazil being the most heavily targeted, followed by Mexico, Argentina, and Colombia.<\/p>\n<h3 class=\"crosshead\">&#8216;Opportunistic&#8217; extortionist attacks across industries, regions<\/h3>\n<p>Victims have also been located in the US, UK, Hong Kong, South Korea, Australia, and Japan, we&#8217;re told. Talos isn&#8217;t revealing the exact numbers per country, other than to say that PaidMemes infected around 200 unique IPs per month until the first quarter of 2024. At that point, the attacks decreased.<\/p>\n<p>&#8220;We&#8217;re not done reviewing the data,&#8221; Talos head of outreach Nick Biasini told <em>The Register<\/em> in an exclusive interview. &#8220;We want to make sure that we&#8217;re not exposing anybody that could potentially be a victim \u2013 that&#8217;s a big concern of ours.&#8221;<\/p>\n<p>These victims span multiple industries, with the attacker seeming to prey heavily on small and medium-sized businesses, according to Biasini, who said the dumped dataset suggests that &#8220;at least some portion of the ransomware landscape is incredibly opportunistic.&#8221;<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"falcon\" data-xsm=\",fluid,mpu,\" data-sm=\",fluid,mpu,\" data-md=\",fluid,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44Zv6tWdLKBFgr2WSMoEjofAAAAAQ&amp;t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44Zv6tWdLKBFgr2WSMoEjofAAAAAQ&amp;t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>In one instance, the attacker broke into a company with a single employee and demanded a ransom payment.<\/p>\n<p>&#8220;They&#8217;re not going after specific targets,&#8221; he added. &#8220;This is very opportunistic.&#8221;<\/p>\n<p>The attacker isn&#8217;t pocketing multimillion-dollar payouts either. &#8220;These are $30,000, $40,000, $50,000 payouts that they are getting from these small businesses,&#8221; Biasini said.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" id=\"story_eagle_xsm_sm_md_xmd_lg_xlg\" data-pos=\"mid\" data-raptor=\"eagle\" data-xsm=\",mpu,dmpu,\" data-sm=\",mpu,dmpu,\" data-md=\",mpu,dmpu,\" data-xmd=\",mpu,dmpu,\" data-lg=\",mpu,dmpu,\" data-xlg=\",mpu,dmpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33Zv6tWdLKBFgr2WSMoEjofAAAAAQ&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33Zv6tWdLKBFgr2WSMoEjofAAAAAQ&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>While previous MedusaLocker affiliates have broken into victim environments <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa22-181a\">using<\/a> vulnerable Remote Desktop Protocol (RDP) configurations and phishing campaigns, it&#8217;s unclear how PaidMemes gains access to the compromised orgs.<\/p>\n<p>&#8220;We have absolutely no visibility into that. All we have is the credentials that we saw dumped that were coming out of the tooling that they were using,&#8221; Biasini said. &#8220;They were running this tool on systems that they compromised, and that tool would gather credentials and dump it out to a remote server that was open.&#8221;<\/p>\n<h3 class=\"crosshead\">PaidMemes&#8217; tools of the trade<\/h3>\n<p>The tools that the attacker uses, we&#8217;re told, are mostly wrappers around publicly available network scanners, malware to disable antivirus or endpoint detection and response software, Mimikatz to dump Windows user credentials from memory, and other freely available code.<\/p>\n<p>One of these tools, &#8220;Checker,&#8221; bundles several others such as Remote Desktop Plus, PSEXEC, and Mimikatz, along with a GUI for credential management to help with lateral movement.<\/p>\n<p>There&#8217;s another wrapper called Mimik that combines Mimikatz and rclone to steal credentials and upload them to an attacker-controlled server.<\/p>\n<p>&#8220;This is something that you would typically see out of sysadmins,&#8221; Biasini said. &#8220;If they&#8217;re doing activities, they&#8217;re bringing scripts, they&#8217;re bringing these packed-together, stitched-together things that allow them to do their job more quickly and effectively.&#8221;<\/p>\n<p>So, like sysadmins, but &#8220;with a malicious slant: to gain access, or the data that they&#8217;re trying to get out of these networks.&#8221;<\/p>\n<p>The criminal also tends to use compromised computers&#8217; Music, Pictures or Documents folders to store the attack tools.<\/p>\n<p>In one of the BabyLockerKZ attacks, the Checker tool had a PDB path with the string &#8220;paid_memes,&#8221; and that string allowed Talos to identify other files on VirusTotal, which were primarily the ransomware samples.<\/p>\n<h3 class=\"crosshead\">New MedusaLocker variant<\/h3>\n<p>The main payload, of course, is the data-encrypting malware, which Talos believes has been around since 2023. Cynet researchers last year dubbed this MedusaLocker variant &#8220;<a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.cynet.com\/blog\/dynamic-analysis-hazard-ransomware\/\">Hazard<\/a>,&#8221; and mention a BabyLockerKZ registry key in their analysis.<\/p>\n<p>More recently, Whitehat <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/whitehat.eu\/medusalocker-ransomware-part-2\/\">revealed<\/a> PAIDMEMES PUBLIC and PRIVATE registry keys on a MedusaLocker sample in May.<\/p>\n<p>Note, MedusaLocker is not the same malware family as Medusa ransomware.<\/p>\n<p>When it comes to protecting against ransomware crews, the challenge is especially &#8220;daunting&#8221; to small and medium-sized businesses, Biasini said. &#8220;MFA and SSO are the kind of things that help deter this type of access, but the cost associated with deploying this type of technology is extraordinarily high.&#8221;<\/p>\n<p>Plus, it&#8217;s unlikely that these organizations have cyber insurance that will pay the extortion demands.<\/p>\n<p>&#8220;I would guess that small and medium businesses are going to make a bigger and bigger chunk of ransomware activity going forward,&#8221; he opined. &#8220;The larger organizations are getting better at detecting ransomware, they&#8217;re getting better at defending themselves, these small and medium businesses are being left behind, and the ransomware actors still want a payday.&#8221; \u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/packetstormsecurity.com\/news\/view\/36428\/Ransowmare-Crew-Infects-100-Orgs-Monthly-With-New-MedusaLocker-Variant.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[60],"tags":[9690],"class_list":["post-57285","post","type-post","status-publish","format-standard","hentry","category-packet-storm","tag-headlinehackermalwarecybercrimecryptography"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Ransowmare Crew Infects 100+ Orgs Monthly With New MedusaLocker Variant 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Ransowmare Crew Infects 100+ Orgs Monthly With New MedusaLocker Variant 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2024-10-03T13:23:14+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zv6tWdLKBFgr2WSMoEjofAAAAAQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Ransowmare Crew Infects 100+ Orgs Monthly With New MedusaLocker Variant\",\"datePublished\":\"2024-10-03T13:23:14+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\\\/\"},\"wordCount\":866,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zv6tWdLKBFgr2WSMoEjofAAAAAQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"keywords\":[\"headline,hacker,malware,cybercrime,cryptography\"],\"articleSection\":[\"Packet Storm\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\\\/\",\"name\":\"Ransowmare Crew Infects 100+ Orgs Monthly With New MedusaLocker Variant 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zv6tWdLKBFgr2WSMoEjofAAAAAQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"datePublished\":\"2024-10-03T13:23:14+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\\\/#primaryimage\",\"url\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zv6tWdLKBFgr2WSMoEjofAAAAAQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"contentUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zv6tWdLKBFgr2WSMoEjofAAAAAQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"headline,hacker,malware,cybercrime,cryptography\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/headlinehackermalwarecybercrimecryptography\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Ransowmare Crew Infects 100+ Orgs Monthly With New MedusaLocker Variant\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Ransowmare Crew Infects 100+ Orgs Monthly With New MedusaLocker Variant 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\/","og_locale":"en_US","og_type":"article","og_title":"Ransowmare Crew Infects 100+ Orgs Monthly With New MedusaLocker Variant 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2024-10-03T13:23:14+00:00","og_image":[{"url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zv6tWdLKBFgr2WSMoEjofAAAAAQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Ransowmare Crew Infects 100+ Orgs Monthly With New MedusaLocker Variant","datePublished":"2024-10-03T13:23:14+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\/"},"wordCount":866,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zv6tWdLKBFgr2WSMoEjofAAAAAQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","keywords":["headline,hacker,malware,cybercrime,cryptography"],"articleSection":["Packet Storm"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\/","url":"https:\/\/www.threatshub.org\/blog\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\/","name":"Ransowmare Crew Infects 100+ Orgs Monthly With New MedusaLocker Variant 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zv6tWdLKBFgr2WSMoEjofAAAAAQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","datePublished":"2024-10-03T13:23:14+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\/#primaryimage","url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zv6tWdLKBFgr2WSMoEjofAAAAAQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","contentUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/research&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Zv6tWdLKBFgr2WSMoEjofAAAAAQ&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/ransowmare-crew-infects-100-orgs-monthly-with-new-medusalocker-variant\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"headline,hacker,malware,cybercrime,cryptography","item":"https:\/\/www.threatshub.org\/blog\/tag\/headlinehackermalwarecybercrimecryptography\/"},{"@type":"ListItem","position":3,"name":"Ransowmare Crew Infects 100+ Orgs Monthly With New MedusaLocker Variant"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57285","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=57285"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/57285\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=57285"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=57285"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=57285"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}