REVISITING MEDUSA LOCKER RANSOMWARE
ID: 63d893e5-bb0b-5982-809b-7196f5c3c8c8
STIX ID: report--63d893e5-bb0b-5982-809b-7196f5c3c8c8
Feed Name: THE RAVEN FILE
**Executive summary:** This report revisits Medusa Locker, a Ransomware-as-a-Service operation active since 2019, and its 2025 resurgence. It documents the group's Tor (.onion) negotiation sites; a leaked Russian-hosted IP address and ASN behind the victim ticketing platform; a Node.js/Express misconfiguration on that platform that exposes server-side file paths and indicates the service runs as root; 31 new samples (many dated 17 May 2025) carrying multiple encrypted-file extensions and mutex artifacts; numerous MD5 hashes as IOCs; and historical extortion payments totalling about 303.49 BTC. The report also covers affiliate-driven variant naming, overlaps with other ransomware families, and actionable IOCs for detection and hunting.
