U.S. agencies have released a collaborative cybersecurity advisory detailing the tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and detection strategies linked to the Medusa ransomware. Medusa, a ransomware-as-a-service (RaaS) variant, was first detected in June 2021. As of February 2025, Medusa developers and affiliates have impacted over 300 victims from across critical infrastructure sectors, with affected industries including medical, education, law, insurance, technology, and manufacturing. Medusa hackers use common techniques such as phishing campaigns and exploitation of unpatched software vulnerabilities.
“The RaaS Medusa variant has been used to conduct ransomware attacks from 2021 to present. Medusa originally operated as a closed ransomware variant, meaning all development and associated operations were controlled by the same group of cyber threat actors,” the joint advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), disclosed. “While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers. Both Medusa developers and affiliates—referred to as ‘Medusa actors’ in this advisory—employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid.”
BlackFog reported that Medusa is one of the leading ransomware threats, with operations surpassing $40 million in ransom demands. Posts on the dark web have provided some insight into the group’s activities, showing that in 2024, more than 26 percent of their disclosed attacks involved ransom demands exceeding $1 million.
Medusa developers typically recruit initial access brokers (IABs) in cybercriminal forums and marketplaces to obtain initial access to potential victims. Potential payments between US$100 and $1 million are offered to these affiliates with the opportunity to work exclusively for Medusa. Medusa IABs (affiliates) are known to make use of common techniques, such as phishing campaigns, as a primary method for stealing victim credentials and exploiting unpatched software vulnerabilities through Common Vulnerabilities and Exposures (CVEs), such as the ScreenConnect vulnerability and Fortinet EMS SQL injection vulnerability.
The advisory disclosed that Medusa hackers use a variety of legitimate remote access software; they may tailor their choice based on any remote access tools already present in the victim environment as a means of evading detection. Investigations identified Medusa actors using the remote access software AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, and Splashtop. Medusa uses these tools, in combination with Remote Desktop Protocol (RDP) and PsExec, to move laterally through the network and identify files for exfiltration and encryption.
Medusa actors use living off the land (LOTL) techniques and legitimate tools, such as Advanced IP Scanner and SoftPerfect Network Scanner, for initial user, system, and network enumeration. Once a foothold in a victim network is established, commonly scanned ports include FTP, SSH, Telnet, HTTP, SFTP, HTTPS, SQL database, Firebird database, HTTP web proxy, MySQL database, and RDP. These hackers primarily use PowerShell and the Windows Command Prompt (cmd[dot]exe) for network and filesystem enumeration and utilize Ingress Tool Transfer capabilities. Medusa actors use Windows Management Instrumentation (WMI) for querying system information.
The CISA, FBI, and MS-ISAC identified that Medusa actors install and use Rclone to facilitate the exfiltration of data to the Medusa C2 servers used by actors and affiliates. The actors use Sysinternals PsExec, PDQ Deploy, or BigFix to deploy the encryptor, gaze[dot]exe, on files across the network, with the actors disabling Windows Defender and other antivirus services on specific targets. Encrypted files have a [dot]medusa file extension. The process gaze[dot]exe terminates services related to backups, security, databases, communication, file sharing, and websites, then deletes shadow copies and encrypts files with AES-256 before dropping the ransom note. The hackers then manually turn off and encrypt virtual machines and delete their previously installed tools.
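As an added illustration (not code from the advisory or the agencies), the following Python snippet runs the intrusion chain described in the two paragraphs above over constructed process-creation records and flags a host only when several distinct stages (network scanner, Rclone, remote push of gaze.exe, Defender disabled, shadow copy deletion) appear together, which separates a chain from a lone tool run. The exact Defender-disable and shadow-copy command forms and the netscan executable name are assumed typical forms, not taken from the advisory.

```python
import re
from collections import defaultdict

# Constructed sample process-creation records: (host, parent image, command line).
# These are made-up events for illustration, not data from the advisory.
SAMPLE_EVENTS = [
    ("WS-07", "explorer.exe", "C:\\Tools\\Advanced_IP_Scanner.exe /s 10.0.0.0/24"),
    ("WS-07", "cmd.exe", "rclone.exe copy D:\\Finance remote:drop --transfers 32"),
    ("WS-07", "services.exe", "PsExec.exe \\\\FS-01 -s -d C:\\Temp\\gaze.exe"),
    ("FS-01", "powershell.exe", "Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("FS-01", "cmd.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("DC-01", "svchost.exe", "wmic.exe os get caption"),  # benign WMI query, no stage fires
]

# One pattern per stage of the chain the advisory describes. The Defender cmdlet,
# the vssadmin/wmic shadow-copy commands and "netscan" (SoftPerfect) are assumed
# typical forms; the advisory names the behaviour, not the command lines.
RULES = {
    "enumeration": re.compile(r"advanced_ip_scanner|netscan", re.I),
    "exfiltration": re.compile(r"\brclone(\.exe)?\b", re.I),
    "encryptor_deploy": re.compile(r"(psexec|pdqdeploy|bigfix).*gaze\.exe", re.I),
    "defender_disabled": re.compile(r"set-mppreference\s+-disable\w+\s+\$?true", re.I),
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
}


def match_stages(events):
    """Return {host: set of stage names} for every rule that fires on that host."""
    hits = defaultdict(set)
    for host, _parent, cmdline in events:
        for stage, pattern in RULES.items():
            if pattern.search(cmdline):
                hits[host].add(stage)
    return dict(hits)


def alert_hosts(events, min_stages=2):
    """Hosts showing at least min_stages distinct stages: a chain, not a single tool run."""
    return sorted(h for h, stages in match_stages(events).items() if len(stages) >= min_stages)


if __name__ == "__main__":
    for host, stages in match_stages(SAMPLE_EVENTS).items():
        print(f"{host}: {sorted(stages)}")
    print("alert:", alert_hosts(SAMPLE_EVENTS))
```

In a real deployment the records would come from Sysmon Event ID 1 or Windows Security 4688 process-creation logs, and the threshold would be tuned per environment.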
Medusa RaaS employs a double extortion model, where victims must pay to decrypt files and prevent further release. The ransom note demands victims make contact within 48 hours via either a Tor browser-based live chat or via Tox, an end-to-end encrypted instant-messaging platform. If the victim does not respond to the ransom note, Medusa actors will reach out to them directly by phone or email.
The advisory noted that Medusa operates a [dot]onion data leak site, divulging victims alongside countdowns to the release of information. Ransom demands are posted on the site with direct hyperlinks to Medusa-affiliated cryptocurrency wallets. At this stage, Medusa concurrently advertises the sale of the data to interested parties before the countdown timer ends. Victims can additionally pay $10,000 in cryptocurrency to add a day to the countdown timer.
Furthermore, FBI investigations identified that after paying the ransom, one victim was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom amount already paid and requested half of the payment be made again to provide the ‘true decryptor,’ potentially indicating a triple extortion scheme.
Commenting on the latest cybersecurity advisory, Roger Grimes, data-driven defense evangelist at cybersecurity company KnowBe4, wrote in an emailed statement that “This continues CISA’s long tradition of warning people about ransomware that spreads using social engineering that then does not suggest security awareness training as a primary way to defeat it. I’ll never understand it. Social engineering is involved in 70% – 90% of all successful hacking attacks.”
He added that CISA notes that one of the two main ways this ransomware variant spreads is through social engineering, and then in its three top-level recommendations and 15 recommended mitigations, it does not recommend end-user education to prevent them from being tricked into revealing log-on credentials or executing the malware. “It’s like learning that criminals are breaking into your house all the time through the windows and then recommending more locks for the doors. It does a huge disservice. It is this continued misalignment between the ways we are most often attacked by hackers and their malware programs and how we are told to defend ourselves that allows hackers to be so long-term successful. The hackers must be laughing.”
The agencies recommend immediate actions that organizations can take to mitigate the threat of Medusa ransomware activity. These include ensuring that operating systems, software, and firmware are patched and up to date, segmenting networks to restrict lateral movement, and filtering network traffic by preventing unknown or untrusted origins from accessing remote services. CISA encourages network defenders to review the advisory and implement the recommended mitigations to reduce the likelihood and impact of Medusa ransomware incidents.
They also recommend that organizations improve their cybersecurity posture by implementing various mitigations based on threat actors’ activity. These mitigations align with the cross-sector cybersecurity performance goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats and TTPs.
The advisory urges organizations to establish a comprehensive recovery plan, mandate that all accounts with password logins adhere to NIST standards, enforce multifactor authentication, and utilize VPNs or Jump Hosts for secure remote access. Additionally, they should actively monitor for unauthorized scanning and access attempts and filter network traffic by blocking unknown or untrusted sources from accessing remote services on internal systems.
It also calls for auditing user accounts with administrative privileges and configuring access controls according to the principle of least privilege, reviewing domain controllers, servers, workstations, and Active Directory, disabling command-line and scripting activities and permissions, and disabling unused ports. It also pushes for maintaining offline backups of data, regularly maintaining backup and restoration procedures, and ensuring that all backup data is encrypted and immutable.
Just last week, Symantec revealed a notable increase in Medusa ransomware activity operated as RaaS by a group called Spearwing. The attacks have shown consistent tactics and a 42 percent surge in incidents from 2023 to 2024. This trend persists, with nearly double the attacks reported in January and February 2025 compared to the same period in 2024, totaling over 40 attacks in the first two months of 2025.