A new version of the Medusa botnet, based on Mirai code, has been spotted in the wild. It features a ransomware module and a Telnet brute-forcer, along with DDoS capabilities.

Medusa botnet was first spotted in 2015, being advertised in the darknet markets. In 2017, it was updated with HTTP-based DDoS capabilities and the new version is an extension of the old with additional features to ensnare more devices.

What’s the update?

  • The latest version inherits Linux targeting capabilities and expands DDoS attack options borrowed from the leaked source of the Mirai botnet. 
  • Furthermore, the botnet is now promoted as a Malware-as-a-Service (MaaS) for DDoS and cryptocurrency mining.
  • The new version of Medusa features a data exfiltration tool, however, it does not steal user files before encryption. Instead, it collects system information needed for mining and DDoS attacks. 

Addiinig ransomware module

The most critical aspect of this new botnet variant is that it includes a ransomware function that enables it to search directories for specific file types for encryption.
  • The list of target file types includes mainly documents and vector design files. 
  • These files are encrypted using the AES 256-bit algorithm and the .medusastealer extension is appended to them. 
  • However, the encryption method appears to be broken, due to which all files get deleted from the system drives. 
  • Only after deleting files, it displays a note that asks for 0.5BTC in ransom payment.  


The encryption error in the new Medusa variant indicates that it is still under development. Moreover, the final payload has incomplete support for various malicious commands. As threat actors continue to evolve the botnet, it is likely that more sophisticated attacks will be seen in the future.
Cyware Publisher