MedusaLocker Ransomware Group Details Financial Motivation, Operational Shifts

Cyber News - Erez Dasa has published an exclusive interview with the MedusaLocker ransomware group, shedding light on their operations and motivations. The group clarified that ‘MedusaLocker’ is their official designation, while other names such as BAGAJAI, BARADAI, locked, and blackheart are file extensions used to identify victims and match them to the correct decryption keys. Asked about a previous MedusaLocker entity, they stated that their old site was not updated because of ongoing software development and the introduction of a new file manager for publishing data.

The group asserts a purely financial motivation, explicitly denying political aims. They claim to rigorously filter targets, avoiding organizations with social importance, such as welfare groups. In such cases, MedusaLocker states they notify the organization of the vulnerability free of charge. Ransom demands, typically ranging from $10,000 to $80,000, are based on assessing potential damage and data value, with the group indicating a willingness to negotiate. They view their activities, including encryption and data exfiltration, as a “reward for our work” and a consequence of organizational security shortcomings.

MedusaLocker confirmed they employ double extortion tactics, though they consider it part of a single attack chain. When full encryption isn’t feasible, they may opt for data exfiltration alone. If servers aren’t encrypted, ransom notes are delivered via email campaigns or phone calls. The group acknowledges the increasing pressure from law enforcement agencies like the FBI but views these actions as “understandable, logical, and predictable,” expressing concern primarily over “lies” rather than the pressure itself.

What This Means For You

  • If your organization has faced a MedusaLocker incident, understand their negotiation stance and data exfiltration methods. Their claims of avoiding socially important targets should not be taken as a guarantee; assume your organization could be a target. Prioritize robust vulnerability management and incident response plans, especially for data exfiltration scenarios. They are looking for financial gain, so understand their calculus.