Features 15.04.2025

Medusa Ransomware: What CISOs Need to Know

Inside the ransomware variant that has US officials nervous

Kate O’Flaherty uncovers how CISOs can keep their organisation safe from a RaaS variant on the rise

In the fast-evolving ransomware landscape, new groups seem to appear with dizzying frequency. But some pose a bigger threat than others. Medusa is the latest to set alarm bells ringing among US government officials. They claim industries including healthcare, education, legal, insurance, technology and manufacturing are in the firing line. But like any new threat, there are well-worn ways for CISOs to mitigate the risk of a serious breach.

Medusa makes an impact

Medusa has actually been in operation since 2021, having hit around 300 victims across critical national infrastructure (CNI) sectors since that time. But the threat has grown in recent months. A report from Symantec shows the ransomware claimed over 40 victims in the first two months of 2025 alone.

That may be why the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory last month.

Affiliates of the ransomware-as-a-service (RaaS) operation seem to have no qualms about hitting vulnerable organisations. In February this year, they apparently breached HCRG Care Group, a private health and social services provider. Medusa claimed it stole 2.2TB of data, threatening to leak it online. This kind of double extortion attack, combining encryption with data theft, is typical of the group.

“Medusa’s true strength lies in its ability to adapt and exploit different entry points” Andy Swift

“Usually there is an unwritten agreement between cybercriminals and victims that if you pay the ransom, this ordeal can end,” Nominet CISO, Paul Lewis, tells Assured Intelligence. “But the tendency towards double extortion in Medusa attacks proves that it’s lucrative for cybercriminals to go back on their word and exploit the same targets again and again.”

Medusa’s capabilities are expanding fast. Since 2021, its operations have become more aggressive and sophisticated, Acronis CISO, Gerald Beuchelt, tells Assured Intelligence. “The group’s tactics involve well-documented intrusion methods and an increasingly persistent extortion approach, including direct outreach to the victims who ignore initial ransom demands,” he says.

Initially a closed-group operation, Medusa has evolved into an affiliate-based model. “In this model, malware authors manage the back-end infrastructure while the affiliates conduct attacks, deploy the ransomware and share ransom payments with the developers,” Adam Harrison, managing director in the cybersecurity practice at FTI Consulting, tells Assured Intelligence.

Most of Medusa’s victims are located in the US, UK and Canada, he says. The group is unrelated to MedusaLocker and the Medusa mobile malware variant.

Medusa focuses on CNI, but cybersecurity firm Huntress suggests it is evolving its tactics and targets. According to the firm, 16% of the group’s targets are technology-related businesses, with healthcare at 22% and law offices at 34%.

Medusa has demanded ransoms ranging from $100,000 to as high as $15m – in some cases using a triple extortion tactic, where victims are contacted again post-payment by adversaries claiming the original negotiator was fraudulent, says Acronis’ Beuchelt.

Adapting and exploiting new entry points

While the ransomware itself relies on fairly standard encryption methods, its true strength lies in its ability to adapt and exploit different entry points, Andy Swift, cyber security assurance technical director at Six Degrees, explains to Assured Intelligence.

These include phishing, credential dumping and brute-force attacks, he says.

“Attackers commonly delete volume shadow copies and security logs to hinder recovery and forensic analysis” Michael Freeman

Medusa affiliates have been associated with the use of initial access brokers (IABs) to gain access to target organisations. “In this model, the group responsible for initially breaking into a victim’s network will hand over access to the affiliate, who ultimately leverages that access to drop ransomware,” says FTI Consulting’s Harrison.

This model encourages diversity in initial access vectors, but the recent US advisory highlights phishing emails and vulnerability exploitation as the main two techniques used in Medusa attacks, Harrison says.

Since its shift to a RaaS model, Medusa has expanded its affiliate network, allowing it to evolve continuously and adapt to new vulnerabilities as they arise, says Six Degrees’ Swift. “What makes Medusa so dangerous is its creativity and ability to bypass traditional defences, including endpoint detection and response (EDR) systems,” he adds.

For example, affiliates have been known to deploy sophisticated kernel drivers to disable security measures, making the ransomware even harder to detect. More recently, the group has made use of “time travel” – using old invalid certificates for signing drivers and making them valid again by turning back system clocks. This is a “simple yet innovative way of loading an expired driver”, Swift says.

Medusa also uses stolen credentials to move undetected within networks.

“Once inside, Medusa uses remote tools such as AnyDesk, SimpleHelp and MeshAgent for persistence, and leverages legitimate IT utilities including PDQ Deploy, PsExec and Advanced IP Scanner for lateral movement,” explains Acronis’ Beuchelt. “They evade detection with Base64-encoded PowerShell, extract credentials via Mimikatz, and rely heavily on living-off-the-land binaries to blend in.”

Medusa attackers deploy malicious scripts, attempt to disable security software, and sometimes use advanced techniques such as Bring Your Own Vulnerable Driver (BYOVD) attacks. At the same time, they often force systems to reboot into Safe Mode to bypass endpoint protections. “They also commonly delete volume shadow copies and security logs to hinder recovery and forensic analysis,” Armis head of threat intelligence, Michael Freeman, tells Assured Intelligence.
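The tradecraft described in the last few paragraphs (Base64-encoded PowerShell, Mimikatz, remote-access and admin tools, Safe Mode boot changes, shadow-copy and log deletion, and the clock-rollback trick used to load expired drivers) leaves a recognisable trail in host telemetry. The script below is an added example written for this article, not code from the article, the advisory or any of the quoted firms: it runs a small rule set over constructed process-creation and time-change events. The event field names, the tool binary names matched and the sample events are assumptions for illustration, not real captures.

```python
"""Added example: flag the Medusa-style post-compromise tradecraft described
above in process-creation and time-change telemetry. Event field names and
sample events are constructed for illustration, not real captures."""
import base64
import re
from datetime import datetime

# (rule name, regex) applied to the raw command line and, where present,
# to the decoded payload of a PowerShell -EncodedCommand argument.
RULES = [
    ("shadow_copy_deletion", re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy.*delete", re.I)),
    ("event_log_clearing", re.compile(
        r"wevtutil(?:\.exe)?\s+(?:cl|clear-log)\b|clear-eventlog", re.I)),
    ("safe_mode_boot", re.compile(r"bcdedit(?:\.exe)?.*\bsafeboot\b", re.I)),
    ("credential_dumping", re.compile(r"mimikatz|sekurlsa::|lsadump::", re.I)),
    # Binary names for remote-access and admin tools are assumptions; tune per estate.
    ("remote_access_tool", re.compile(r"anydesk|simplehelp|meshagent", re.I)),
    ("lateral_movement_tool", re.compile(r"psexec|pdqdeploy|advanced_ip_scanner", re.I)),
]
# PowerShell accepts -e, -ec, -enc and -EncodedCommand for a UTF-16LE base64 script.
ENCODED_ARG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand script, or None if there is none
    (or the argument is not valid base64/UTF-16LE)."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_process_event(event):
    """Return the rule names one process-creation event triggers."""
    hits = []
    cmdline = event.get("cmdline", "")
    decoded = decode_encoded_powershell(cmdline)
    if decoded is not None:
        hits.append("encoded_powershell")
    # Check the decoded script too: encoding must not hide the payload.
    for text in (cmdline, decoded or ""):
        for name, pattern in RULES:
            if name not in hits and pattern.search(text):
                hits.append(name)
    return hits


def analyse_time_change(event, min_rollback_days=1):
    """Flag Security Event ID 4616 (system time changed) when the clock was
    set back by at least min_rollback_days. Turning the clock back is how an
    expired driver-signing certificate is made to look valid again."""
    previous = datetime.fromisoformat(event["previous_time"])
    new = datetime.fromisoformat(event["new_time"])
    return ["clock_rollback"] if (previous - new).days >= min_rollback_days else []


def analyse(events):
    """Map event index -> triggered rules, omitting events with no hits."""
    findings = {}
    for i, ev in enumerate(events):
        hits = (analyse_time_change(ev) if ev.get("event_id") == 4616
                else analyse_process_event(ev))
        if hits:
            findings[i] = hits
    return findings


def encode_powershell(script):
    """Build an -EncodedCommand argument as PowerShell expects it (UTF-16LE, base64).
    Used only to construct the sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {"event_id": 1, "host": "WS-014", "cmdline": "powershell.exe -nop -w hidden -enc "
     + encode_powershell("Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }")},
    {"event_id": 1, "host": "WS-014", "cmdline": "wevtutil.exe cl Security"},
    {"event_id": 1, "host": "SRV-02", "cmdline": "bcdedit.exe /set {default} safeboot minimal"},
    {"event_id": 1, "host": "SRV-02", "cmdline": r'C:\Temp\mk.exe "sekurlsa::logonpasswords" exit'},
    {"event_id": 1, "host": "WS-014", "cmdline": r'"C:\Program Files\AnyDesk\AnyDesk.exe" --silent'},
    {"event_id": 1, "host": "WS-014", "cmdline": r"PsExec.exe \\SRV-02 -s cmd.exe"},
    {"event_id": 4616, "host": "SRV-02",
     "previous_time": "2025-03-10T09:15:00", "new_time": "2021-06-01T09:15:00"},
    {"event_id": 1, "host": "WS-021", "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
]

if __name__ == "__main__":
    for idx, hits in analyse(SAMPLE_EVENTS).items():
        print(f"event {idx} on {SAMPLE_EVENTS[idx]['host']}: {', '.join(hits)}")
```

The point of decoding the -EncodedCommand argument before matching is that the shadow-copy deletion in the first sample never appears in the raw command line; a rule set that only inspects the visible text misses it. The clock-rollback rule is deliberately crude (any backwards jump of a day or more); in practice it would be correlated with a subsequent driver load on the same host rather than alerted on alone.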

Mitigating Medusa

The risk from Medusa is growing as the operation evolves and becomes more sophisticated. But there are steps security leaders can take to block and mitigate the threat.

As Medusa fills the gap left by ransomware outfits such as LockBit and BlackCat, CISOs can expect to see more of the same. Aggressive, financially motivated attacks are likely, says Acronis’ Beuchelt. Taking this into account, basic security hygiene is essential, he says.

“Aggressive, financially motivated attacks are likely” Gerald Beuchelt

CISA and its partners have issued some clear guidelines in their alert. First, they highlight the importance of mitigating known vulnerabilities by ensuring operating systems, software and firmware are patched and up to date within a risk-informed time span.

Addressing vulnerabilities as they are discovered is particularly important for internet-exposed devices, says FTI Consulting’s Harrison. “Implement strong password policies, enable multi-factor authentication where possible, and minimise the attack surface by reducing the number of assets accessible from the internet,” he adds.

Organisations should also maintain offline and immutable backups to restore operations without needing to pay a ransom, Harrison says. This is especially important as the UK government considers a ban on paying ransoms for firms in the CNI and public sectors.

It’s also a good idea to segment networks in order to restrict lateral movement from the initially infected devices. CISA advises filtering network traffic by preventing “unknown or untrusted origins” from accessing remote services on internal systems. At the same time, staff training is key to preventing employees from mistakenly introducing malware by clicking on email links. Harrison emphasises the need for a multi-layered security approach, educating staff on recognising phishing emails and social engineering tactics.

Medusa is particularly dangerous because it is so stealthy. Mitigating the threat requires early identification and swift action to prevent extensive damage and data loss, concludes Armis’ Freeman.

“Medusa uses sophisticated evasion techniques and attempts to erase forensic evidence, so rapid response is critical.”

 
