How to remove MedusaLocker3 / Far Attack Ransomware (.BAGAJAI) and Recover Files?

Our MedusaLocker3 Decryptor — Advanced, Secure, and Analyst-Driven

Our cybersecurity specialists have engineered a bespoke decryptor to assist victims of the MedusaLocker3 / Far Attack ransomware family — an evolution of the notorious MedusaLocker threat group. This version encrypts files using AES and RSA hybrid encryption, appending the “.BAGAJAI” extension to each locked file.

Our decryptor is designed to:

• Safely analyze encrypted samples inside a controlled forensic sandbox;
• Identify specific MedusaLocker3 build variants and unique victim IDs; and
• Restore encrypted files through a validated, logged decryption sequence that preserves forensic evidence.

The decryptor supports both cloud-based key recovery and offline execution for restricted or air-gapped environments. Each operation begins with read-only verification, ensuring no data corruption or evidence alteration before recovery starts.

Related article: How to Decrypt Radiant Group Ransomware (.radiant) Encrypted Files?

How the MedusaLocker3 Decryptor Works?

Once a few encrypted samples and ransom notes are submitted, our decryptor conducts a deep inspection of encryption headers and internal structures to identify the variant. Using this fingerprint, we check against known MedusaLocker3 and Far Attack encryption patterns.

If a recoverable key structure is found, a Proof-of-Concept (PoC) decryption is performed on 1–2 files. Once successful, we execute full recovery while generating audit trails suitable for insurers and compliance teams.

Requirements for running the decryptor:

• Ransom note: read_to_decrypt_files.html
• Two to five encrypted files (copies only) with the .BAGAJAI extension
• Administrative privileges on the target host or recovery machine
• Internet connectivity for cloud analysis (optional if using offline mode)

Also read: How to remove Kryptos Ransomware and Decrypt .kryptos Files?

Immediate Actions After Discovering MedusaLocker3 Infection

1. Disconnect affected systems immediately. Unplug Ethernet cables, disable Wi-Fi, and sever access to shared or network drives to prevent the ransomware from propagating.
2. Preserve encrypted files exactly as found. Avoid renaming, deleting, or opening any .BAGAJAI files — this may break internal file associations used for decryption.
3. Capture system memory (RAM) if possible. Memory dumps may contain encryption keys or traces of the MedusaLocker3 process.
4. Collect forensic data. Archive AV/EDR logs, Windows event records, and firewall or proxy logs for incident review.
5. Engage experts. Contact a qualified ransomware recovery team — do not email the attackers at recovery1@amniyat.xyz or recovery1@salamati.vip.

Recovery Options for .BAGAJAI Files

Free Recovery Options

Offline/Immutable Backups:
If you have backups isolated from the infected network, restore them after verifying integrity using checksum validation. MedusaLocker3 typically targets connected or mapped backup devices.

VM or Cloud Snapshots:
Rollback to a secure virtual or cloud snapshot created before the infection. Always confirm that snapshots were not encrypted or deleted.

Paid / Professional Recovery

Analyst-Driven Decryptor Service:
Our decryptor workflow begins with a small-scale PoC decryption before proceeding to full recovery. All steps are monitored and logged.

Ransom Payment (Not Recommended):
While some victims have recovered through payment, there is no guarantee of obtaining a functional decryptor. MedusaLocker3 employs strong AES/RSA encryption, and law enforcement discourages paying ransoms due to potential funding of further attacks.

How to Use Our MedusaLocker3 Decryptor — Step-by-Step?

Assess the Infection
Identify encrypted files ending in .BAGAJAI and verify the ransom note read_to_decrypt_files.html is present in affected folders.

Secure the Environment
Disconnect compromised systems from networks and storage devices to prevent ongoing encryption or data exfiltration.

Engage Our Recovery Team
Submit encrypted samples and ransom notes for variant confirmation. Our team will analyze and provide a personalized recovery plan.

Run Our Decryptor
Launch the MedusaLocker3 Decryptor as an administrator. Internet access may be needed if cloud validation is used.

Enter Your Victim ID
Locate the Victim ID listed in the ransom note and input it into the decryptor for accurate mapping to your encryption session.

Start the Decryptor
Initiate the process to restore files to their original state. The tool produces integrity logs and verification reports during operation.

Also read: How to remove Ransomware with [[yan]] (.weax) from servers and NAS?

Understanding MedusaLocker3 / Far Attack Ransomware

Overview
MedusaLocker3, sometimes called Far Attack, is a new generation of the MedusaLocker family known for its secure encryption and double-extortion tactics. It appends “.BAGAJAI” to encrypted files and drops an HTML ransom note titled read_to_decrypt_files.html.

Behavior
The ransomware encrypts common file types, including documents, databases, images, and archives. It deletes Volume Shadow Copies and disables Windows recovery utilities to block restoration. The ransom note instructs victims to contact the attackers via email (recovery1@amniyat.xyz, recovery1@salamati.vip) or through Tor gateways.

Propagation Methods
MedusaLocker3 commonly spreads via phishing emails, RDP brute-force attacks, malicious attachments, or exploitation of public-facing services. It has also been observed using droppers that deploy password-stealing trojans like Mimikatz alongside the encryptor payload.

Name, Extension & Ransom Note

Name: MedusaLocker3 / Far Attack
Encrypted File Extension: .BAGAJAI
Ransom Note: read_to_decrypt_files.html

Excerpt from the ransom note:

NETWORK SECURITY NOTIFICATION

YOUR PERSONAL ID: G/3NxB6AYV+wKW7BXpnnva+Yl1DzR6MyoSKr7Y0ErXVBs6yi62sTwkmmkaHXimnEE10UQIvmkE1R4JTyfH+Pb6Z9i3NsagO6WIJfuF+14KdFXJAEAbhH9z0avE6jkze5ttvRZ7dZgNc4cRawC6tYkMBzyg5LpHCSdfEmSbeDb696O4rAEjMiSM0tDXa6VZuGaxoVsnAjC/aqJF9JS+qb6Ccd/8apyOFcqXCGCQkIkWeP6aN7bsXyOCxXBNGnCSlbJTqMLEd/u2bL33sVnWYlk/N5Hph9ndQloaML5nG0naxfqVQ/1lTEyewdbXpFRHoi1oWwBiqmddMnGCwIIAE+Gg==

YOUR CORPORATE NETWORK HAS BEEN COMPROMISED & ENCRYPTED

Your files have been secured using military-grade encryption (RSA-4096 + AES-256).

WARNING: Any attempt to restore files with third-party software or to modify/rename encrypted files may cause permanent data corruption. Do not alter encrypted files.

We have successfully infiltrated your network and encrypted critical data. Compromised information — including confidential documents, financial records, and personal data — is stored on our private servers. That server will be permanently destroyed upon confirmation of payment. Failure to comply may result in public disclosure of all data to media outlets and data brokers.

We are motivated by financial gain, not destruction. To prove our capability, we will decrypt 2–3 non-critical files free of charge as verification.

Contact us immediately to obtain pricing and the decryption software:

EMAIL:
recovery1@salamati.vip
recovery1@amniyat.xyz

For secure correspondence, create a new account (for example at protonmail.com).

CONTACT US WITHIN 72 HOURS TO AVOID A PRICE INCREASE.

IOCs, Detections & Technical Artifacts

Detection Names (by Security Vendors):

• ESET → A Variant of Win64/Filecoder.MedusaLocker.A
• Malwarebytes → Ransom.Medusalocker
• BitDefender → Gen:Variant.Bulz.236620 (B)
• GData → Trojan.Ransom.MedusaLocker3

Known Indicators:

• File extension .BAGAJAI
• Ransom note: read_to_decrypt_files.html
• Attacker emails: recovery1@amniyat.xyz, recovery1@salamati.vip
• SHA1 Sample: b5d848cecc5499b74710d51e6045099887e84024
• Associated dropped files:
  • BAGAJAI.exe (encryptor)
  • chisel.exe (lateral movement tool)
  • dump.bat / mimikatz.dll (credential theft)

Behavioral Traits:

• Encrypts data with AES-256 and RSA-2048.
• Drops ransom note into every directory.
• Deletes Volume Shadow Copies.
• Uses registry edits for persistence.
• May deploy password-stealing tools like Mimikatz and Chisel for credential harvesting.

Tactics, Techniques & Procedures (TTPs)

• Initial Access: Exploits unprotected RDP, phishing campaigns, infected executables.
• Execution: Encrypts all accessible files, appending .BAGAJAI.
• Persistence: Modifies Windows registry for autorun and note re-display.
• Privilege Escalation: Utilizes credential stealers (Mimikatz) to gain admin-level access.
• Defense Evasion: Deletes shadow copies, disables system recovery, clears event logs.
• Impact: Encrypts core data, prevents restoration, and may leak exfiltrated information.

Victim Landscape

Regions Affected:

Industries Targeted:

Timeline of Activity:

Conclusion 

MedusaLocker3 (Far Attack Ransomware) is among the most recent variants of the MedusaLocker ransomware family, using advanced encryption and credential theft to maximize damage.
Victims should:

• Isolate infected systems immediately.
• Preserve encrypted data, ransom notes, and logs.
• Use trusted decryptor services that provide proof-of-concept results before committing.
• Avoid paying ransoms unless legally advised.

To prevent recurrence, maintain patched systems, restrict RDP access, enforce MFA, and follow the 3-2-1 backup strategy (three copies, two media types, one offline).

Frequently Asked Questions

Contact Us To Purchase The MedusaLocker3 / Far Attack Decryptor Tool