Background
Medusa ransomware was first observed in 2021 and has grown into one of the most active ransomware operations: the joint CISA, FBI and MS-ISAC advisory of March 2025 (AA25-071A) reported more than 300 victims across critical infrastructure sectors. The group operates a Ransomware-as-a-Service (RaaS) model, recruiting affiliates through cybercrime forums while the core developers keep control of the ransomware binary, the decryption keys and ransom negotiations. Medusa runs a leak site, the "Medusa Blog", on the Tor network for publishing stolen data, using the threat of exposure as leverage during negotiations.
Medusa is distinct from the unrelated MedusaLocker ransomware family, which has operated separately since 2019, and from the Medusa Android banking trojan, which shares only the name. The modern Medusa group runs a more structured operation, with dedicated affiliates, a defined negotiation process and well-maintained extortion infrastructure. Each victim entry on the blog carries a countdown timer; the victim can pay to extend it (CISA reports $10,000 USD per day), pay to have the data deleted, or pay to download the data themselves, a multi-tier extortion model that extracts revenue at several points from a single compromise.
The March 2025 advisory highlighted Medusa's targeting of critical infrastructure sectors including healthcare, education and water utilities. Security research published in the same period documented Medusa intrusions loading a signed kernel driver to disable antivirus and EDR before the ransomware runs, a Bring Your Own Vulnerable Driver (BYOVD) technique.
Notable Campaigns
Minneapolis Public Schools (2023): Medusa compromised the Minneapolis Public Schools district and, after the district refused to pay, exfiltrated and published 92,000 files totaling 92 gigabytes of data. The published data included detailed records of child abuse cases, student psychological assessments, student financial information, and confidential staff personnel files. Publishing sensitive student and staff data without any data minimization made this one of the most ethically egregious ransomware data releases documented.
Philippine Health Insurance Corporation (2023): Medusa attacked PhilHealth, the Philippines' national health insurance system, demanding $300,000 in ransom. When the Philippine government refused to pay, Medusa published 734 gigabytes of stolen data including personal information of millions of Filipinos, employee records, and internal communications, creating a major national data protection incident.
Italian Medical Research Institutes (2023): Medusa claimed attacks on multiple Italian medical and research institutions, publishing stolen research data and patient records to compel payment. The campaign targeted Italy's broader healthcare sector.
U.S. Water and Wastewater Sector (2023-2024): CISA noted Medusa's specific targeting of U.S. water and wastewater systems, reflecting the group's operational interest in critical infrastructure that faces strong regulatory pressure to resolve incidents quickly, which increases the attacker's leverage.
Tactics, Techniques & Procedures
Initial Access via Phishing and Credential Compromise: Medusa affiliates use several initial access vectors: phishing campaigns (T1566.001), exploitation of unpatched internet-facing software (the March 2025 advisory cites CVE-2024-1709 in ConnectWise ScreenConnect and CVE-2023-48788 in Fortinet EMS), and compromised credentials for VPN and RDP access (T1078, T1133). The group also buys access from initial access brokers who specialize in compromised credentials and network footholds.
BYOVD for EDR Bypass: Medusa uses the Bring Your Own Vulnerable Driver (BYOVD) technique, loading a signed but exploitable Windows driver to obtain kernel-level code execution and terminate EDR processes (T1562.001). The technique is increasingly common among ransomware operators because the driver's valid signature gets it past Driver Signature Enforcement, so the actor needs no kernel exploit of their own: the vulnerable driver is the exploit primitive, and kernel privileges are turned against the security stack.
Double Extortion Framework: Medusa collects data before encryption, using Rclone to exfiltrate it to attacker-controlled storage. If the ransom is not paid the data is published on the Medusa Blog, and the blog's timer-extension payment option gives the group several chances to monetize a single victim.
Ransomware Execution: The Medusa encryptor encrypts files with AES-256 and appends a .medusa extension. Before encryption it deletes Volume Shadow Copies (vssadmin Delete Shadows /all /quiet) and stops services related to backup, security and database software so that files are unlocked and cannot be restored locally. The ransomware skips specific file extensions and directories needed for basic system operation. A ransom note, !!!READ_ME_MEDUSA!!!.txt, is dropped in each directory it touches.
Tools & Malware
- Medusa Ransomware: A custom Windows executable using AES-256 file encryption with RSA key encapsulation. Targets files across all attached drives and network shares. Appends the .medusa extension and places ransom notes in each encrypted directory.
- Ligolo-ng: An open-source tunneling tool used to establish reverse tunnels for network access and lateral movement within victim environments.
- SimpleHelp: A legitimate remote support tool repurposed as a persistent backdoor, installed after initial compromise to maintain access independent of the original infection vector.
- PDQ Deploy: A legitimate software deployment tool used to push the Medusa ransomware binary to domain-joined systems for mass deployment.
- Cobalt Strike: Post-exploitation framework used for C2, lateral movement, and reconnaissance.
- Advanced IP Scanner: Network scanning tool for internal network discovery and target enumeration.
- Rclone: Used for bulk data exfiltration to cloud storage before ransomware deployment.
- Mimikatz: Credential harvesting from LSASS for lateral movement across domain environments.
- TightVNC: Legitimate remote desktop software used alongside SimpleHelp for persistent interactive access.
Indicators & Detection
Medusa Blog Monitoring: Organizations should monitor Medusa's Tor-hosted leak site and dark web intelligence feeds for their organizational name, domain names, and employee information. Early detection of a planned data publication gives time to prepare breach notifications and stakeholder communications before public disclosure.
Vulnerable Driver Monitoring: Implement driver allowlisting and alert on kernel driver load events (Sysmon Event ID 6, DriverLoad) whose hashes match known vulnerable drivers, whose signing certificates are revoked or expired, or whose image path lies outside System32\drivers or the DriverStore. Microsoft's vulnerable driver blocklist provides a baseline: it is enforced by HVCI (memory integrity), is on by default on HVCI-enabled Windows 11 systems, and the same block rules can be deployed as an App Control for Business (WDAC) policy; it is not an Attack Surface Reduction rule, which does not govern driver loads.
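The following is an added example (not code from the original page, CISA, or any vendor) of the driver-load triage described here and in the BYOVD section above. It assumes Sysmon Event ID 6 records normalized to dicts with the schema's own fields (ImageLoaded, Hashes, Signed, Signature, SignatureStatus); the blocklist, the allowlist and every hash value are constructed placeholders, not real Medusa indicators.

```python
"""Triage kernel driver load events for BYOVD-style activity.

Added example, not code from the original page or from any vendor or advisory.
Assumes Sysmon Event ID 6 (DriverLoad) records as dicts with the schema fields
ImageLoaded, Hashes, Signed, Signature and SignatureStatus. The blocklist,
allowlist and all hash values below are constructed placeholders.
"""
import re

# Constructed: SHA256 digests imported from a vulnerable-driver blocklist
# (Microsoft's recommended driver block rules and the LOLDrivers project both
# publish hashes). Placeholder values only, not real driver hashes.
BLOCKLIST_SHA256 = {
    "4f3c2b1a0e9d8c7b6a5f4e3d2c1b0a9f4f3c2b1a0e9d8c7b6a5f4e3d2c1b0a9f",
}

# Constructed: (image path, SHA256) pairs the organisation has explicitly approved.
ALLOWLIST = {
    ("C:\\Windows\\System32\\drivers\\tcpip.sys",
     "a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90"),
}

# Locations Windows itself loads drivers from; anything else is a drop location.
TRUSTED_DRIVER_DIRS = re.compile(
    r"^c:\\windows\\system32\\(drivers|driverstore)\\", re.IGNORECASE
)


def parse_hashes(hashes_field):
    """Sysmon writes hashes as 'SHA1=...,MD5=...,SHA256=...,IMPHASH=...'."""
    parsed = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            parsed[algo.strip().upper()] = value.strip().lower()
    return parsed


def assess_driver_load(event):
    """Return the reasons a DriverLoad event deserves an alert (empty = benign)."""
    reasons = []
    image = event.get("ImageLoaded", "")
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256", "")
    allowlisted = (image, sha256) in ALLOWLIST

    # 1. Known-vulnerable driver: the defining BYOVD signal. A valid signature
    #    does not clear it; abusing a validly signed driver is the technique.
    if sha256 in BLOCKLIST_SHA256:
        reasons.append("SHA256 on vulnerable-driver blocklist")

    # 2. Signature problems: revoked or expired certificates are common on
    #    abused drivers because vendors pull the certificates after abuse.
    if str(event.get("Signed", "")).lower() != "true":
        reasons.append("unsigned driver")
    elif event.get("SignatureStatus") != "Valid":
        reasons.append(f"signature status {event.get('SignatureStatus')!r}")

    # 3. Drop location: attacker-staged drivers load from user-writable paths,
    #    not from System32\drivers or the DriverStore.
    if not allowlisted and not TRUSTED_DRIVER_DIRS.match(image):
        reasons.append("loaded from outside System32\\drivers or DriverStore")

    return reasons


def triage(events):
    """Map each alerting ImageLoaded path to its reasons, skipping benign loads."""
    return {e["ImageLoaded"]: r for e in events if (r := assess_driver_load(e))}


# Constructed sample events in Sysmon Event ID 6 shape.
SAMPLE_EVENTS = [
    {   # Normal OS driver: signed, valid, trusted location, allowlisted.
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
        "Hashes": "SHA256=a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {   # Validly signed third-party driver staged from a user-writable path,
        # hash on the blocklist: the classic BYOVD pattern.
        "ImageLoaded": "C:\\Users\\Public\\Libraries\\svchelper.sys",
        "Hashes": "SHA1=0000000000000000000000000000000000000000,"
                  "SHA256=4F3C2B1A0E9D8C7B6A5F4E3D2C1B0A9F4F3C2B1A0E9D8C7B6A5F4E3D2C1B0A9F",
        "Signed": "true", "Signature": "Example Hardware Co.", "SignatureStatus": "Valid",
    },
    {   # Driver in the trusted location but signed with a revoked certificate.
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\fltmgr2.sys",
        "Hashes": "SHA256=" + "deadbeef" * 8,
        "Signed": "true", "Signature": "Example Hardware Co.", "SignatureStatus": "Revoked",
    },
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS).items():
        print(f"ALERT {path}: {'; '.join(reasons)}")
```

The blocklist check is deliberately independent of the signature check: a driver on the blocklist is reported even when its signature is valid, because that is exactly the case BYOVD relies on. Hash matching and blocklist content come from the feeds the organization chooses; the code only shows where each signal fits.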
Backup and VSS Protection: Implement the 3-2-1-1 backup rule with at least one offline, air-gapped backup copy that ransomware cannot reach. Monitor for backup software termination and for shadow-copy deletion commands (vssadmin, wmic shadowcopy, bcdedit recovery changes, wbadmin catalog deletion). Alert on mass file renames across directories as an early ransomware execution indicator.
PDQ Deploy and Remote Tool Detection: Monitor for PDQ Deploy installation or execution in environments where it is not authorized. Alert on SimpleHelp, AnyDesk, and TightVNC execution in contexts where these are not standard business tools, matching on the binary's PE OriginalFileName rather than its on-disk name, since operators rename these tools. Review all remote access tool installations and enforce application control policies.
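As an added example (not the page's or any vendor's code), the two pre-encryption signals covered here and in the Ransomware Execution section above, detection of recovery-tampering commands and detection of a burst of .medusa renames, implemented over constructed telemetry. It assumes process-creation records with host and CommandLine fields (Sysmon Event ID 1 or Security 4688 shape) and file-activity records normalized to host, timestamp and path from whatever file telemetry is available (EDR file events, Sysmon FileCreate, or Security 4663 object-access audits). All sample records, hostnames and paths are constructed.

```python
"""Detect shadow-copy/backup tampering and a burst of .medusa renames.

Added example, not from the original page or from any vendor or advisory.
Assumes process-creation records {"host", "CommandLine"} and file-activity
records {"host", "ts" (ISO 8601), "path"}. All sample data is constructed.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Command lines ransomware uses to destroy recovery options before encrypting.
# The vssadmin form is the one CISA attributes to Medusa; the others are the
# common equivalents, included so an alternate tool still trips the rule.
TAMPER_PATTERNS = [
    ("vssadmin delete shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic shadowcopy delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("Win32_ShadowCopy deletion via WMI", re.compile(r"win32_shadowcopy.*delete", re.I)),
    ("bcdedit recovery disabled", re.compile(
        r"bcdedit(\.exe)?.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin catalog/backup deletion", re.compile(
        r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
]

RANSOM_EXT = ".medusa"
RANSOM_NOTE = "!!!read_me_medusa!!!.txt"


def detect_tampering(proc_events):
    """Return (host, label, command_line) for each recovery-tampering command."""
    hits = []
    for e in proc_events:
        for label, pat in TAMPER_PATTERNS:
            if pat.search(e["CommandLine"]):
                hits.append((e["host"], label, e["CommandLine"]))
                break  # one label per command line is enough
    return hits


def detect_mass_rename(file_events, threshold=20, window=timedelta(seconds=60)):
    """Per host: when >= threshold .medusa files appear within a sliding window,
    record the start of that first burst; also count directories that received
    the ransom note. Hosts with neither signal are omitted."""
    per_host = {}
    for e in sorted(file_events, key=lambda e: (e["host"], e["ts"])):
        st = per_host.setdefault(e["host"], {"enc": deque(), "burst_start": None, "note_dirs": set()})
        directory, _, name = e["path"].rpartition("\\")
        if name.lower() == RANSOM_NOTE:
            st["note_dirs"].add(directory.lower())
        if name.lower().endswith(RANSOM_EXT):
            ts = datetime.fromisoformat(e["ts"])
            st["enc"].append(ts)
            while st["enc"] and ts - st["enc"][0] > window:   # slide the window
                st["enc"].popleft()
            if len(st["enc"]) >= threshold and st["burst_start"] is None:
                st["burst_start"] = st["enc"][0]
    return {h: {"burst_start": s["burst_start"], "note_dirs": len(s["note_dirs"])}
            for h, s in per_host.items() if s["burst_start"] is not None or s["note_dirs"]}


# Constructed sample process-creation records.
SAMPLE_PROCS = [
    {"host": "FS01", "CommandLine": "vssadmin list shadows"},   # benign admin enumeration
    {"host": "FS01", "CommandLine": "vssadmin.exe Delete Shadows /all /quiet"},
    {"host": "FS01", "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"host": "WS07", "CommandLine": "C:\\Windows\\System32\\notepad.exe report.txt"},
]


def build_sample_file_events():
    """Constructed file records: an encryption burst on FS01, noise on WS07."""
    base = datetime(2025, 3, 10, 2, 14, 0)
    events = []
    for i in range(25):   # 25 files take the extension one second apart
        events.append({"host": "FS01", "ts": (base + timedelta(seconds=i)).isoformat(),
                       "path": f"D:\\Shares\\Finance\\q{i % 3}\\report{i}.xlsx{RANSOM_EXT}"})
    for q in range(3):    # ransom note dropped in each of the three directories
        events.append({"host": "FS01", "ts": (base + timedelta(seconds=30)).isoformat(),
                       "path": f"D:\\Shares\\Finance\\q{q}\\!!!READ_ME_MEDUSA!!!.txt"})
    for i in range(2):    # two stray matches five minutes apart: below threshold
        events.append({"host": "WS07", "ts": (base + timedelta(minutes=5 * i)).isoformat(),
                       "path": f"C:\\Users\\alice\\Downloads\\sample{i}{RANSOM_EXT}"})
    return events


if __name__ == "__main__":
    for host, label, cmd in detect_tampering(SAMPLE_PROCS):
        print(f"TAMPER {host}: {label}: {cmd}")
    for host, info in detect_mass_rename(build_sample_file_events()).items():
        print(f"ENCRYPTION {host}: burst from {info['burst_start']}, notes in {info['note_dirs']} dirs")
```

The threshold and window are tuning knobs: a file server legitimately writes far more files per minute than a workstation, so set them per host class, and key the rename rule on the extension and note name actually observed in the intrusion rather than treating the .medusa literal as fixed.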
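An added example (not code from the original page, CISA or any vendor) of the remote-tool policy check described here, extended to the Rclone exfiltration step from the Double Extortion section above. It assumes Sysmon Event ID 1 process-creation fields (host, User, Image, OriginalFileName, CommandLine); OriginalFileName comes from the PE version resource, so it survives the operator renaming the binary. The tool table, the per-host authorization policy and all sample events are constructed; the OriginalFileName values for PDQ Deploy, TightVNC, AnyDesk and rclone are the shipped defaults as far as the author knows, the SimpleHelp entry is an assumption, and all should be verified against binaries in your own estate.

```python
"""Flag remote-access, deployment and exfiltration tooling running where it is
not authorised, from process-creation telemetry.

Added example, not from the original page or from any vendor or advisory.
Assumes Sysmon Event ID 1 fields: host, User, Image, OriginalFileName,
CommandLine. Tool table, policy and sample events are constructed.
"""
import re
from pathlib import PureWindowsPath

# Constructed: PE OriginalFileName -> tool label. Shipped defaults as far as the
# author knows for PDQ Deploy, TightVNC, AnyDesk and rclone; the SimpleHelp name
# is an assumption. Build the real table from binaries observed in your estate.
TOOL_BY_ORIGINAL_NAME = {
    "pdqdeploy.exe": "PDQ Deploy",
    "pdqdeployrunner-1.exe": "PDQ Deploy",
    "tvnserver.exe": "TightVNC",
    "anydesk.exe": "AnyDesk",
    "remote access.exe": "SimpleHelp",
    "rclone.exe": "Rclone",
}

# Constructed policy: which tools each host may run. Everything else alerts.
AUTHORISED = {
    "IT-JUMP01": {"PDQ Deploy", "TightVNC"},
    "HELPDESK02": {"AnyDesk"},
}

# rclone subcommands that move data to a configured remote ("remote:path").
# Requiring two or more characters before the colon avoids matching drive letters.
RCLONE_EXFIL = re.compile(r"\b(copy|sync|move|copyto)\b.*\s\w{2,}:", re.I)


def assess_process(event):
    """Return alert reasons for one process-creation event (empty = benign)."""
    reasons = []
    original = event.get("OriginalFileName", "").lower()
    tool = TOOL_BY_ORIGINAL_NAME.get(original)
    if tool is None:
        return reasons  # not a tool this rule cares about
    image_name = PureWindowsPath(event.get("Image", "")).name.lower()
    if tool not in AUTHORISED.get(event["host"], set()):
        reasons.append(f"{tool} not authorised on {event['host']}")
    if image_name != original:
        # Renaming is how operators hide these tools; the version resource gives them away.
        reasons.append(f"{tool} running under renamed binary {image_name}")
    if tool == "Rclone" and RCLONE_EXFIL.search(event.get("CommandLine", "")):
        reasons.append("rclone transfer to a configured remote (possible exfiltration)")
    return reasons


def triage(events):
    """List (host, reasons) for every event that produced at least one reason."""
    return [(e["host"], r) for e in events if (r := assess_process(e))]


# Constructed sample events in Sysmon Event ID 1 shape.
SAMPLE_EVENTS = [
    {"host": "IT-JUMP01", "User": "CORP\\it-deploy",
     "Image": "C:\\Program Files (x86)\\Admin Arsenal\\PDQ Deploy\\PDQDeploy.exe",
     "OriginalFileName": "PDQDeploy.exe", "CommandLine": "\"PDQDeploy.exe\""},
    {"host": "FS01", "User": "CORP\\svc_backup",
     "Image": "C:\\Windows\\Temp\\svc.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": "svc.exe copy \"D:\\Shares\\Finance\" mega:backup --transfers 32 -P"},
    {"host": "WS22", "User": "CORP\\jsmith",
     "Image": "C:\\Program Files\\TightVNC\\tvnserver.exe",
     "OriginalFileName": "tvnserver.exe", "CommandLine": "tvnserver.exe -run"},
    {"host": "HELPDESK02", "User": "CORP\\helpdesk",
     "Image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe",
     "OriginalFileName": "AnyDesk.exe", "CommandLine": "AnyDesk.exe --service"},
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS):
        print(f"ALERT {host}: {'; '.join(reasons)}")
```

Keying the table on OriginalFileName rather than the on-disk image name is the design point: the renamed rclone on FS01 still resolves to "Rclone", and the rename itself becomes a second reason. An operator can also strip or forge the version resource, so pair this with the hash-based application control the text recommends rather than relying on it alone.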