The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint advisory on the Medusa ransomware, a ransomware-as-a-service (RaaS) variant that has been active since June 2021.
As of February 2025, Medusa has impacted over 300 victims across critical infrastructure sectors, including healthcare, education, legal services, insurance, technology, and manufacturing.
Unlike other ransomware variants such as MedusaLocker or Medusa mobile malware, the Medusa ransomware employs a double extortion model.
This approach involves encrypting victim data while simultaneously threatening to release stolen information unless a ransom is paid.
Medusa operates using an affiliate model where developers and affiliates collaborate to execute attacks.
The developers maintain centralized control over key operations like ransom negotiations.
Affiliates are often recruited via cybercriminal forums and marketplaces, with payments ranging from $100 to $1 million for initial access to victim systems.
Techniques and Tools Used by Medusa Actors
Medusa actors employ sophisticated techniques to infiltrate and exploit victim networks.
Initial access is often gained through phishing campaigns or exploiting unpatched software vulnerabilities such as CVE-2024-1709 (authentication bypass) and CVE-2023-48788 (SQL injection).
Once inside a network, Medusa actors use legitimate tools like PowerShell, Windows Command Prompt, and Advanced IP Scanner for reconnaissance and lateral movement.
They also rely on obfuscation techniques to evade detection, including executing base64-encoded PowerShell commands.
For lateral movement and execution, Medusa actors utilize remote access tools such as AnyDesk and ConnectWise, as well as Sysinternals PsExec for deploying their encryptor across networks.
Data exfiltration is facilitated through tools like Rclone, while encryption is carried out using AES-256 algorithms.
Encrypted files are marked with the “.medusa” extension, and victims receive ransom notes demanding payment within 48 hours.
In some cases, victims have reported being subjected to triple extortion schemes after paying the ransom.
Mitigation Strategies for Organizations
To counter the threat posed by Medusa ransomware, organizations are urged to adopt robust cybersecurity measures:
- Patch Management: Ensure operating systems, software, and firmware are up-to-date to address known vulnerabilities.
- Network Segmentation: Limit lateral movement within networks by segmenting them appropriately.
- Multi-Factor Authentication (MFA): Implement MFA for all critical systems and remote access points.
- Backup Strategies: Maintain offline backups of sensitive data in secure locations and ensure they are encrypted and immutable.
- Traffic Filtering: Block unknown or untrusted origins from accessing internal systems.
- Endpoint Detection: Deploy endpoint detection and response (EDR) tools to monitor network activity for signs of intrusion.
The FBI, CISA, and MS-ISAC also recommend organizations test their security controls against the MITRE ATT&CK framework to identify potential vulnerabilities.
Reporting ransomware incidents promptly to relevant authorities is encouraged to aid in broader threat intelligence efforts. You can find the IoC’s here.
Are you from SOC/DFIR Teams?: Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
