Breaking Down Medusa Ransomware

Ransomware attacks continue to evolve, posing significant threats to organizations of all sizes. Among these threats, Medusa ransomware has emerged as a particularly dangerous adversary, targeting businesses with increasingly sophisticated techniques.

This report provides insights from Armis Labs on Medusa ransomware, incorporating insights from multiple threat intelligence sources, including FBI, CISA, and MS-ISAC advisories. It details Medusa’s tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and mitigation strategies to assist organizations in defending against this evolving ransomware threat.

Overview of Medusa Ransomware

Medusa ransomware was first identified in June 2021, operating as a Ransomware-as-a-Service (RaaS) model. Initially a closed-group operation, Medusa has since expanded into an affiliate-based ecosystem. Medusa is distinct from the older MedusaLocker variant and the unrelated Medusa mobile malware.

 Key Facts:

• Tracked by Symantec as “Spearwing”
• Over 300 confirmed victims since inception
• 42% surge in attacks between 2023 and 2024
• More than 40 incidents reported in early 2025
• Targeted industries: Healthcare, manufacturing, education, technology, government, legal, and insurance
• Ransom demands range from $100,000 to $15 million
• Extortion tactics: Double extortion (data encryption and leaks), with a newly observed triple extortion involving an additional ransom post-payment

Potential Impact

The impact of Medusa ransomware can be devastating, causing operational disruptions, financial losses, and reputational damage for affected organizations. Its increasingly sophisticated attack vectors and adaptability make it a significant threat to any business relying on digital infrastructure. Customers should prioritize understanding and mitigating this threat to safeguard sensitive data, maintain business continuity, and avoid the costly consequences of a successful ransomware attack.

Mitigation At-a-Glance

As the CISA advisory explains, to defend against Medusa ransomware attacks, organizations are advised to take the following measures:

• Mitigate known security vulnerabilities to ensure operating systems, software, and firmware are patched within a reasonable timeframe,
• Segment networks to limit lateral movement between infected devices and other devices within the organization, and
• Filter network traffic by blocking access from unknown or untrusted origins to remote services on internal systems.

See detailed mitigation strategies below.

Technical Breakdown: Tactics, Techniques, and Procedures (TTPs)

Medusa’s attack lifecycle aligns with the MITRE ATT&CK framework and consists of multiple sophisticated techniques.  These techniques include initial access via phishing campaigns, exploitation of vulnerabilities in unpatched systems, and the use of advanced malware to maintain persistence and evade detection.

1. Initial Access (TA0001)

Exploitation of Public-Facing Applications (T1190): Medusa exploits unpatched vulnerabilities in internet-facing systems, notably:

• Microsoft Exchange Server (ProxyShell, CVE-2021-34473).
• CVE-2024-1709 (ScreenConnect Authentication Bypass).
• CVE-2023-48788 (Fortinet EMS SQL Injection).

External Remote Services (T1133): Medusa operators use compromised RDP credentials, often sourced from Initial Access Brokers (IABs).

Phishing (T1566): While exploitation is preferred, Medusa affiliates also use spear-phishing emails to steal credentials or drop malware.

2. Execution (TA0002)

 Command and Scripting Interpreter (T1059): Medusa leverages scripting languages like PowerShell and Python to execute malicious payloads and automate tasks:

• PowerShell execution: e.g., `invoke-ReflectivePEInjection` to run payloads in-memory and bypass detection.
• Batch scripts: e.g., `gaze.exe` used to issue `net stop` commands against security software.
• WMI (T1047): Used to delete shadow copies (`wmic shadowcopy delete`).

3. Persistence (TA0003): Medusa employs sophisticated techniques across multiple attack stages, showcasing a versatile and persistent threat profile.

 Boot or Logon Autostart Execution (T1547.001)

• Registry modifications: `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`.

Scheduled Tasks (T1053)

• Creates malicious scheduled tasks (e.g., `svhost`) to re-execute every 15 minutes.

4. Privilege Escalation (TA0004): Medusa demonstrates a multi-faceted attack strategy, leveraging diverse techniques to maximize its impact and persistence.

 Abuse Elevation Control Mechanism (T1548.002)

• Bypasses User Account Control (UAC) using `cmstp.exe` to execute commands with elevated privileges.

 Valid Accounts (T1078)

• Brute-force attacks and LSASS dumping (Mimikatz) to gain domain admin access.

5. Defense Evasion (TA0005): Medusa employs advanced tactics across the kill chain to evade detection and maintain persistence in compromised systems.

 Bring Your Own Vulnerable Driver (BYOVD) (T1068)

• Deploys signed vulnerable drivers (e.g., KillAV) to disable endpoint detection & response (EDR) tools.

 Impair Defenses (T1562.001)

• Disables security software (e.g., Sophos, CrowdStrike, Microsoft Defender).
• Reboots systems into Safe Mode to evade security tools (`bcdedit /set safeboot minimal`).

File Deletion (T1070)

• Deletes itself post-encryption (`-d argument`).
• Uses `cipher.exe` to overwrite deleted files.

6. Credential Access (TA0006): Extracts credentials from web browsers and password managers to expand access.

Credential Dumping (T1003)

• LSASS memory dumping using Mimikatz or Windows built-in tools.

 Brute Force (T1110)

• RDP brute-force attacks when vulnerabilities are unavailable.

Detailed Mitigation Strategies

Early identification and swift mitigation of threats like Medusa are imperative to prevent extensive damage and data loss. Its ability to deploy sophisticated evasion techniques and erase forensic evidence makes rapid response crucial for maintaining security and minimizing impact.

 Detection & Network Monitoring

• Block known Medusa domains (see below)
• Detects unusual RDP access patterns and SMB enumeration.
• Use behavioral analytics to detect mass file encryption

 Prevention & Hardening

• Patch CVEs (2024-1709, 2023-48788, 2021-34473)
• Enable MFA for RDP and VPNs
• Enable SRA to manage user access, activity and privileges, especially in OT environments
• Disable PowerShell for non-administrators

Response & Recovery

• Isolate infected systems immediately
• Restore from offline backups
• Report incidents to CISA/FBI

Indicators of Compromise (IOCs)

Medusa ransomware demonstrates a highly sophisticated approach to compromising systems through a combination of advanced tactics and evasive techniques. By leveraging methods such as Bring Your Own Vulnerable Driver (BYOVD) to disable endpoint detection and response tools, impairing defenses by deactivating security software, and rebooting systems into Safe Mode, it ensures minimal detection during its operations. Additionally, Medusa employs credential dumping, brute-force attacks, and efficient file deletion techniques to establish deeper access and eliminate forensic traces. These characteristics make Medusa not only a potent threat but also a challenging adversary for cybersecurity defenses.

File Paths and Names:

csidl_windows\adminarsenal\pdqdeployrunner\service-1\exec\gaze.exe
svhost.exe (in AppData)
!!!READ_ME_MEDUSA!!!.txt

 File Extensions:

.medusa, .mylock

Domains & URLs:

medusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd[.]onion
go-sw6-02.adventos[.]de

Registry Keys:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MDSLK

Medusa ransomware remains a highly active and evolving threat, leveraging advanced exploitation techniques, BYOVD attacks, and an aggressive multi-extortion model. Organizations must adopt a defense-in-depth strategy, continuously updating threat intelligence and refining their detection capabilities to mitigate the impact of Medusa.

Preempt Threat Actors with Armis Centrix™ for Early Warning

Through continuous monitoring and advanced threat intelligence capabilities, Armis Centrix™ for Early Warning was able to track the activities of the Medusa threat actors across multiple attack campaigns. Proactive early warning intelligence plays a crucial role in helping customers harden their environments against emerging threats and ransomware attacks like Medusa.

CVEs Associated with Medusa

CVE	Added to Armis Early Warning List	Added to CISA KEV
CVE-2021-34473 (Microsoft Exchange Server ProxyShell)	August 2021	November 2021
CVE-2024-1709 (ScreenConnect Authentication Bypass)	February 2024	February 2024
CVE-2023-48788 (Fortinet EMS SQL Injection)	March 2024	March 2025

Interested in learning more about Armis Centrix™ for Early Warning? Sign up for a demo today!