Medusa Ransomware

7-day Free Trial w/Credit card, no charge upfront or if you cancel up to 2 days before expiration; Subscription price varies per region w/ auto renewal unless you timely cancel; notification before you are billed; 30-day money-back guarantee; Read full terms and more information about free remover.

*Source of claim SH can remove it.

Medusa Ransomware

Medusa is a malware version of the widespread Ransomware category and its goal is to prevent you from using your files. Medusa ransomware locks the victim’s files with encryption and threatens to never release them if the victims don’t pay a ransom. This is currently one of the most common forms of computer malware and every day thousands of users become new victims of Ransomware.The Ransomware category is different from most other forms of computer dangers in the way it achieves its goal. With most other viruses, one could expect some form of damage to the computer or the files, or some kind of data theft. Ransomware viruses don’t do any of that. Instead, their goal is to launch their encryption process and, with its help, lock up your files.

Medusa Ransomware
The Medusa ransomware infected files

Obviously, the idea behind this is to blackmail you for the release key that can set your files free. However, if none of the files are too important to you or if you have backups of them, then there won’t be any need for you to worry about the ransom payment.

One thing we must mention here, however, is that viruses like Medusa, Wwhu, Wwpl oftentimes don’t come alone and are instead introduced into the system via a Trojan horse that has already infected the targeted machine. This means that if Medusa is in your PC, it is not excluded that there may be a Trojan horse in there as well. Trojans, unlike Ransomware, can be very versatile threats and if you have one in your machine, all kinds of system damage and corruption might take place, so its best to check your computer for any such hidden threats if you have been attacked by Ransomware.

The Medusa virus

The Medusa virus is a computer infection that places impenetrable encryption on the victims’ files, keeping the affected data inaccessible. The Medusa virus encryption requires a key unique for each computer to be removed from the files so they can be accessed again.As was mentioned, the criminals behind the Ransomware would require you to pay for the matching decryption key but you are advised to refrain from going down this way. The chance of losing money and still not receiving a working decryption key is too high and it is, therefore, preferable if you first try some of the other available options.

Medusa virus
The Medusa virus will leave a !!!READ_ME_MEDUSA!!!.txt file with instructions

The Medusa file decryption

The Medusa file decryption is a software process that is supposed to release the files that have been locked. The Medusa file decryption requires the user to apply a special private key that is the only thing that can unlock the sealed data.

If you don’t initially have this key, the recovery of your data simply cannot be guaranteed. However, there are still several things you can try, other than paying the ransom. You will see what your options are in our guide, but you will first need to complete the removal section so that you can make sure that the virus doesn’t encrypt any more data on your computer.


NameMedusa Ransomware
Danger LevelHigh (Ransomware is by far the worst threat you can encounter)
SymptomsViruses like Medusa Ransomware might cause system slow-downs due to increased use of RAM and CPU time, but most users don’t have enough time to notice this and intercept the virus.
Distribution MethodPirated software that contains Trojan horse backdoors is one of the most commonly employed channels for distributing Ransomware.
Data Recovery ToolNot Available
Detection Tool

*Source of claim SH can remove it.

Remove Medusa Ransomware


Some of the steps will likely require you to exit the page. Bookmark it for later reference.

Reboot in Safe Mode (use this guide if you don’t know how to do it).



*Source of claim SH can remove it.

Press CTRL + SHIFT + ESC at the same time and go to the Processes Tab. Try to determine which processes are dangerous. 


Right click on each of them and select Open File Location. Then scan the files with our free online virus scanner:

Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
This scanner is free and will always remain free for our website's users.
This file is not matched with any known malware in the database. You can either do a full real-time scan of the file or skip it to upload a new file. Doing a full scan with 64 antivirus programs can take up to 3-4 minutes per file.
Drag and Drop File Here To Scan
Drag and Drop File Here To Scan
Analyzing 0 s
Each file will be scanned with up to 64 antivirus programs to ensure maximum accuracy
    This scanner is based on VirusTotal's API. By submitting data to it, you agree to their Terms of Service and Privacy Policy, and to the sharing of your sample submission with the security community. Please do not submit files with personal information if you do not want them to be shared.

    After you open their folder, end the processes that are infected, then delete their folders. 

    Note: If you are sure something is part of the infection – delete it, even if the scanner doesn’t flag it. No anti-virus program can detect all infections.


    Hold the Start Key and R –  copy + paste the following and click OK:

    notepad %windir%/system32/Drivers/etc/hosts

    A new file will open. If you are hacked, there will be a bunch of other IPs connected to you at the bottom. Look at the image below:

    hosts_opt (1)

    If there are suspicious IPs below “Localhost” – write to us in the comments.

    Type msconfig in the search field and hit enter. A window will pop-up:


    Go in Startup —> Uncheck entries that have “Unknown” as Manufacturer.

    • Please note that ransomware may even include a fake Manufacturer name to its process. Make sure you check out every process here is legitimate.

    Type Regedit in the windows search field and press EnterOnce inside, press CTRL and F together and type the virus’s Name. 

    Search for the ransomware in your registries and delete the entries. Be extremely careful –  you can damage your system if you delete entries not related to the ransomware.

    Type each of the following in the Windows Search Field:

    1. %AppData%
    2. %LocalAppData%
    3. %ProgramData%
    4. %WinDir%
    5. %Temp%

    Delete everything in Temp. The rest just check out for anything recently added. Remember to leave us a comment if you run into any trouble!


    How to Decrypt Medusa files

    We have a comprehensive (and daily updated) guide on how to decrypt your files. Check it out here.

    If the guide doesn’t help, download the anti-virus program we recommended or try our free online virus scanner. Also, you can always ask us in the comments for help!


    About the author


    Brandon Skies

    Brandon is a researcher and content creator in the fields of cyber-security and virtual privacy. Years of experience enable him to provide readers with important information and adequate solutions for the latest software and malware problems.

    Leave a Comment

    We are here to help! Use SpyHunter to remove malware in under 15 minutes.

    Not Your OS? Download for Windows® and Mac®.

    * See Free Trial offer details and alternative Free offer here.

    ** SpyHunter Pro receives additional removal definitions and manual fixes through its HelpDesk in cases where they are needed.

    Spyware Helpdesk 1