Pierluigi Paganini
March 13, 2025
The FBI, CISA, and MS-ISAC have issued a joint advisory detailing Medusa ransomware tactics, techniques, and indicators of compromise (IOCs) based on FBI investigations as recent as February 2025.
This advisory is part of the #StopRansomware initiative, providing guidance to network defenders on ransomware variants and threat actors.
“Medusa is a ransomware-as-a-service (RaaS) variant first identified in June 2021. As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing.” reads the joint advisory. “The Medusa ransomware variant is unrelated to the MedusaLocker variant and the Medusa mobile malware variant per the FBI’s investigation.”
Medusa ransomware developers recruit initial access brokers (IABs) through cybercriminal forums, offering payments from $100 to $1 million. The group’s affiliates gain access to victims using phishing campaigns to steal credentials and exploiting unpatched software vulnerabilities. Notably, they target CVE-2024-1709 (ScreenConnect authentication bypass) and CVE-2023-48788 (Fortinet EMS SQL injection) to infiltrate systems.
Medusa operators leverage living off the land (LOTL) techniques and legitimate tools like Advanced IP Scanner and SoftPerfect Network Scanner for reconnaissance activity. They scan ports such as FTP, SSH, HTTP, SQL databases, and RDP after gaining a foothold. They conduct network and filesystem enumeration using PowerShell and Windows Command Prompt. Additionally, operators utilize Windows Management Instrumentation (WMI) to query system information.
Medusa actors use LOTL techniques to evade detection and employing certutil.exe for stealthy file ingress. The experts observed the operators deleting PowerShell command history to cover tracks. They use increasingly complex PowerShell evasion tactics, including base64-encoded commands, obfuscation, and memory-based execution. The operators also attempt to disable security tools exploiting vulnerable or signed drivers. The researchers report that the ransomware rely on Ligolo for reverse tunneling and Cloudflared to expose systems securely without direct internet exposure.
Medusa operators leverage legitimate remote access tools like AnyDesk, Atera, and Splashtop, alongside RDP and PsExec, to move laterally and locate files for exfiltration and encryption. The threat actors use PsExec to execute scripts, enable RDP access, and modify firewall rules. Attackers use Mimikatz to steal credentials. Threat actors use Rclone for data exfiltration. Encryption is executed using gaze.exe, which disables security tools, deletes backups, and encrypts files with AES-256 before dropping a ransom note. The attackers are also spotted manually disabling and encrypting virtual machines.
Medusa RaaS employs a double extortion model, where victims must pay [T1657] to decrypt files and prevent further release. The ransom note demands victims make contact within 48 hours via either a Tor browser based live chat, or via Tox, an end-to-end encrypted instant-messaging platform. If the victim does not respond to the ransom note, Medusa actors will reach out to them directly by phone or email. Medusa operates a .onion data leak site, divulging victims alongside countdowns to the release of information. Ransom demands are posted on the site, with direct hyperlinks to Medusa affiliated cryptocurrency wallets. At this stage, Medusa concurrently advertises sale of the data to interested parties before the countdown timer ends. Victims can additionally pay $10,000 USD in cryptocurrency to add a day to the countdown timer.
FBI investigations identified that after paying the ransom, one victim was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom amount already paid and requested half of the payment be made again to provide the “true decryptor”— potentially indicating a triple extortion scheme.
“FBI investigations identified that after paying the ransom, one victim was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom amount already paid and requested half of the payment be made again to provide the “true decryptor”— potentially indicating a triple extortion scheme.” concludes the advisory that includes Indicators of Compromise and mitigations.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Medusa ransomware)
