MedusaLocker Leaks Magnolia Data After Ransom Refusal

The MedusaLocker ransomware group has publicly listed the Israeli company Magnolia as a victim. According to Cyber News - Erez Dasa, the group claims Magnolia refused to pay the demanded ransom.

In response, MedusaLocker has leaked approximately 38,000 files belonging to the company. This move is a typical double-extortion tactic, designed to pressure victims into payment by exposing sensitive data, even if systems are already recovered.

This incident underscores the critical importance of robust incident response plans that account for data exfiltration. Simply restoring backups is no longer sufficient; organizations must also contend with the reputational and legal fallout of public data exposure.

What This Means For You

  • If your organization handles sensitive data, you must assume exfiltration is part of any ransomware attack. Focus on data segregation, strong access controls, and continuous monitoring for suspicious outbound traffic. Rehearse your incident response plan to address data leak notification requirements and public relations.

Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free; export to any SIEM format via the Intel Bot.

MedusaLocker Ransomware Activity (severity: critical; MITRE ATT&CK: T1486, Impact)


Source: Shimi's Cyber World
