MedusaLocker Variant ETHAN Deploys Stronger Encryption and Data Theft

Threat Group: MedusaLocker
Threat Type: Ransomware
Exploited Vulnerabilities: No specific vulnerabilities identified; relies on common malware distribution methods
Malware Used: ETHAN Ransomware (variant of MedusaLocker)
Threat Score: High (9.0/10) – Due to its double-extortion tactics, data encryption capabilities, and impact on critical business operations.
Last Threat Observation: March 02, 2025


Overview

MedusaLocker “ETHAN” is a newly identified ransomware variant in the MedusaLocker family, first observed in early 2025. Upon infiltrating a Windows network, ETHAN encrypts files with a combination of RSA and AES cryptographic algorithms and appends the extension “.ETHAN” to each filename. It then drops a ransom note named READ_NOTE.html in affected directories and changes the desktop wallpaper on compromised machines. The ransom note warns that sensitive data has been exfiltrated and that the attackers will leak or sell the information if the ransom is not paid within 72 hours.

MedusaLocker operates as a Ransomware-as-a-Service (RaaS), allowing affiliates to distribute its payload. This model has enabled the threat to persist and evolve since its initial emergence in 2019. Threat analysts assess ETHAN as a high-severity threat due to its potent double-extortion tactics, widespread targeting across industries, and lack of available decryption tools. Organizations are urged to review the indicators of compromise and mitigation steps in this advisory to strengthen defenses against this ransomware variant.


Background and Evolution of MedusaLocker & ETHAN Variant

MedusaLocker ransomware was first observed in late 2019 and has actively targeted multiple sectors globally—including manufacturing, healthcare, finance, and IT services. It initially exploited the chaos of the COVID-19 pandemic for phishing campaigns and opportunistic attacks on exposed Remote Desktop Protocol (RDP) services. MedusaLocker is a RaaS platform, where developers distribute the malware to affiliates in exchange for a share (often ~40–45%) of any ransom paid.

Over time, various MedusaLocker “families” or strains have appeared, typically distinguished by ransom note filenames or file extensions they use. Earlier strains appended extensions like .encrypted or .lock and left notes such as HOW_TO_RECOVER_DATA.html. In recent years, MedusaLocker operators have adopted double-extortion tactics—stealing confidential data before encryption—to increase pressure on victims. The emergence of the ETHAN variant in 2025 underscores this ongoing evolution.

ETHAN is considered an advanced MedusaLocker offshoot, demonstrating enhanced evasion techniques and more aggressive extortion methods. It exclusively uses the .ETHAN extension and an HTML ransom note (READ_NOTE.html), which explicitly threatens data publication if the ransom is not paid. This mirrors a broader trend across ransomware groups to combine encryption with data leaks. Security researchers have also identified other contemporary MedusaLocker variants, such as BabyLockerKZ, which modifies persistence mechanisms and encryption routines to evade detection.


Attack Vectors

  • Initial Access: Exploited RDP vulnerabilities, weak credentials, and phishing emails with malware-laced attachments.
  • Privilege Escalation: Uses stolen admin credentials or exploits vulnerabilities to gain deeper access.
  • Propagation: Searches for network shares, mapped drives, and USB/removable drives to spread encryption.

Known Indicators of Compromise (IoCs)

File Hashes (SHA-256):

  • cf79a6123b5dcd28637d831f691c094fa0ec9b8cd8f751e125ef11579e2a710f

File Extensions:

  • .ETHAN (appended to encrypted files)

Ransom Note:

  • Filename: READ_NOTE.html
  • Contact Information: fortisram@zohomail.eu

System Modifications:

  • Registry keys for persistence, deletion of shadow copies, modification of wallpaper.

Mitigation and Prevention

  • User Awareness: Conduct regular training to recognize phishing attempts and suspicious attachments.
  • Email Filtering: Implement robust email filtering to block malicious attachments and links.
  • Antivirus Protection: Ensure up-to-date antivirus software is installed and active on all systems.
  • Two-Factor Authentication (2FA): Enforce 2FA to add an extra layer of security to user accounts.
  • Monitor Logs: Regularly review system logs for unusual activities that may indicate an infection.
  • Regular Updates: Keep all software and operating systems updated with the latest security patches.
  • Network Segmentation: Implement segmentation strategies to limit lateral movement.
  • Backup Strategy: Maintain offline backups, implement immutable storage, and test recovery plans regularly.

Risk Assessment

The ETHAN ransomware poses a significant threat due to its ability to encrypt critical files and exfiltrate sensitive data. The dual threat of data loss and potential public exposure of confidential information can lead to severe operational disruptions, financial losses, and reputational damage. Organizations relying heavily on Windows systems are particularly vulnerable and should assess their security measures to mitigate this risk.


Detection and Hunting Queries

Splunk (Example Query)

Note: You will need to customize this query to fit your specific indexes and source types.

index=* sourcetype=* (".ETHAN" OR "READ_NOTE.html" OR "fortisram@zohomail.eu") 
| stats count by host, file_name, process_name, user

Microsoft Sentinel (Example Query - KQL)

Note: Adjust the query for your specific table names and data structure.

// Indicators taken from the IoC section above: the appended extension, the ransom note filename and the contact address.
let RansomwareIndicators = dynamic([".ETHAN", "READ_NOTE.html", "fortisram@zohomail.eu"]);
SecurityEvent
// 4663 = "An attempt was made to access an object"; requires object-access (file system) auditing to be enabled on the host.
| where EventID == 4663
// Match any indicator substring in the accessed object path.
| where ObjectName has_any (RansomwareIndicators)
| summarize count() by Computer, ObjectName, Account

These queries can help identify signs of ETHAN ransomware activity in log data. Ensure that your organization has appropriate logging and monitoring mechanisms in place to detect suspicious behavior early.
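The indicator matching the two queries above perform can also be run offline over exported logs. The following Python script is an added example, not part of this advisory: it parses constructed, simplified 4663-style object-access lines (the `host=... user=... proc=... object=...` format and the burst threshold are assumptions for illustration) and flags hosts where the ransom note appears or several ".ETHAN" objects are touched.

```python
import re
from collections import defaultdict

# Constructed sample log: simplified Windows 4663 (object access) events, one per line.
# FS01 shows the pattern this advisory describes: files renamed with .ETHAN and READ_NOTE.html dropped.
SAMPLE_LOG = """\
2025-03-01T10:00:01 host=FS01 user=CORP\\jdoe proc=explorer.exe object=C:\\Share\\report.docx
2025-03-01T10:02:11 host=FS01 user=CORP\\svc_backup proc=svchost.exe object=C:\\Share\\q1.xlsx.ETHAN
2025-03-01T10:02:12 host=FS01 user=CORP\\svc_backup proc=svchost.exe object=C:\\Share\\q2.xlsx.ETHAN
2025-03-01T10:02:12 host=FS01 user=CORP\\svc_backup proc=svchost.exe object=C:\\Share\\READ_NOTE.html
2025-03-01T10:05:40 host=WS07 user=CORP\\asmith proc=winword.exe object=C:\\Users\\asmith\\notes.txt
"""

# Indicators from the IoC section of the advisory.
INDICATORS = (".ETHAN", "READ_NOTE.html", "fortisram@zohomail.eu")

# Assumed line layout for the constructed sample; adapt the pattern to your export format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) object=(?P<obj>.+)$"
)


def parse(log_text):
    """Turn raw lines into dicts; lines that do not match the layout are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def hunt(events, burst_threshold=2):
    """Return {host: summary} for hosts showing ETHAN indicators.

    A host is reported when the ransom note is seen, or when at least
    burst_threshold objects carrying the .ETHAN extension are touched
    (the threshold is an illustrative assumption, not from the advisory).
    """
    per_host = defaultdict(lambda: {"ethan_files": 0, "note": False, "users": set(), "procs": set()})
    for ev in events:
        obj = ev["obj"]
        if not any(ind.lower() in obj.lower() for ind in INDICATORS):
            continue  # no indicator in this object path
        summary = per_host[ev["host"]]
        if obj.upper().endswith(".ETHAN"):
            summary["ethan_files"] += 1
        if obj.endswith("READ_NOTE.html"):
            summary["note"] = True
        summary["users"].add(ev["user"])
        summary["procs"].add(ev["proc"])
    # Sets become sorted lists so the result is stable and easy to report.
    return {
        host: {**s, "users": sorted(s["users"]), "procs": sorted(s["procs"])}
        for host, s in per_host.items()
        if s["note"] or s["ethan_files"] >= burst_threshold
    }
```

The process and account columns in the result are the same pivot fields the Splunk and KQL queries group by, which is where an analyst would start to scope the intrusion.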


Conclusion

ETHAN ransomware represents a serious cybersecurity threat with its advanced encryption methods and data exfiltration tactics. Organizations must adopt a proactive approach, implementing comprehensive security measures and fostering a culture of awareness to defend against such sophisticated attacks.


Sources