Ransomware Group: MEDUSA

VICTIM NAME: Leprohon

NOTE: No files or stolen information are [exfiltrated/downloaded/taken/hosted/seen/reposted/disclosed] by RedPacket Security. Any legal issues relating to the content of the files should be directed at the attackers directly, not RedPacket Security. This blog is simply posting an editorial news post informing that a company has fallen victim to a ransomware attack. RedPacket Security is in no way affiliated or aligned with any ransomware threat actors or groups and will not host infringing content. The information on this page is fully automated and redacted whilst being scraped directly from the MEDUSA Onion Dark Web Tor Blog page.

AI Generated Summary of the Ransomware Leak Page

Leprohon Inc. is identified as the ransomware-leak victim on a post attributed to the Medusa group. The page provides a post date of October 3, 2025; because no explicit compromise date is listed, this date is treated as the post date. The description describes Leprohon as operating in the Commercial & Residential Construction sector, with an employee range of roughly 250 to 499 and annual revenue in the CAD 25–50 million range. The organization is said to be headquartered in Sherbrooke, Quebec, Canada, though the street address is redacted in this sanitized summary to protect PII. A separate line on the page lists 351 employees, indicating an internal discrepancy in the reported headcount. The leak page notes that a claim URL is present, providing a mechanism to verify the attackers’ claims. There are no screenshots or images listed on the page (images count is zero), and no downloadable files are indicated. The page’s body excerpt shows a captcha prompt, indicating that access to the leaked content is gated behind human verification.

Regarding impact and content, the data do not explicitly label the incident as encrypted or clearly designate it as a data leak within the provided fields. The page aligns with a ransomware-leak post format: it publicly identifies the victim, provides basic corporate attributes, and offers a claim URL, but it does not disclose a ransom amount in the available data. There is no visible contact information such as emails, phone numbers, or postal addresses on the page, and no images or downloadable materials are presented beyond the gated content. The victim name is preserved as Leprohon, with other identifying details redacted to protect privacy. The overall entry remains consistent with the pattern of a public leak page that aims to showcase exfiltration claims while withholding sensitive details from immediate view.