Skip to content
Ransomware group Windows

Medusa

Medusa is a financially motivated ransomware-as-a-service operation active since at least 2021 that conducts double-extortion attacks against organizations in healthcare, education, manufacturing, legal, insurance, technology, and other critical sectors.

Profile source: Mallory opens in a new tab

Medusa

Family profile

Medusa is a financially motivated ransomware-as-a-service operation active since at least 2021 that conducts double-extortion attacks against organizations in healthcare, education, manufacturing, legal, insurance, technology, and other critical sectors. It is distinct from MedusaLocker, the Android banking trojan also called Medusa, and the open-source Linux rootkit of the same name. Medusa has been linked to hundreds of victims and typically combines data theft with file encryption and threats to publish stolen information on a leak site.

Medusa commonly gains initial access through purchased footholds from initial access brokers, credential-phishing, and exploitation of vulnerable public-facing services. Reported intrusion paths include exploitation of FortiClient EMS CVE-2023-48788, ScreenConnect CVE-2024-1709, and SimpleHelp vulnerabilities including CVE-2024-57727 and CVE-2024-57728. After compromise, operators use PowerShell, WMI, RDP, remote-management software, and administrative tooling for execution, persistence, discovery, and lateral movement. Observed tooling includes abuse of legitimate remote access and deployment utilities as well as PsExec and Cobalt Strike.

A defining feature of Medusa intrusions is aggressive defense evasion. Operators have used bring-your-own-vulnerable-driver techniques and the ABYSSWORKER malicious driver to disable or impair endpoint security products. They have also been observed clearing PowerShell history, terminating services, and deleting shadow copies to hinder recovery and investigation. Medusa stages and exfiltrates sensitive data before encryption, including use of common exfiltration tooling, then deploys its encryptor and ransom note as part of a centrally managed extortion workflow.

Medusa primarily targets Windows enterprise environments and has historically focused on vulnerable internet-facing infrastructure as an entry point. The operation follows the broader RaaS model in which core developers maintain the malware and extortion infrastructure while affiliates or partners conduct intrusions, although ransom negotiations are reported to remain centrally controlled. Overall, Medusa is a mature criminal ransomware operation characterized by opportunistic access methods, strong emphasis on defense impairment, lateral movement through legitimate administration channels, and double-extortion monetization.

Capabilities

  • Byovd
  • Defense Evasion
  • Exfiltration
  • Extortion
  • Initial Access
  • Lateral Movement
  • Post Exploitation
  • Scanning

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • Mimikatz

Defense Evasion

  • EDRSandBlast
  • KillAV
  • ThrottleStop driver

Discovery Enum

  • Advanced IP Scanner
  • Navicat
  • PDQ Inventory
  • RoboCopy
  • SoftPerfect NetScan

Exfiltration

  • RClone

LOLBAS

  • BITSAdmin
  • Process Explorer
  • PsExec

Networking

  • Cloudflared
  • FRP
  • Ligolo
  • PuTTY
  • RevSocks

RMM Tools

  • AnyDesk
  • Atera
  • HCL BigFix
  • N-Able
  • PDQ Deploy
  • ScreenConnect
  • SimpleHelp
  • Splashtop
  • eHorus

Ransomware.live

Published indicators

Full source record ↗

Telegram

1 total
  • https://t.me/+yXOcSjVjI9tjM2E0

Md5

18 total
  • 983a20479a281a182d33b75c0945e447
  • 4fe99e5dc101170750d8ece6ea066155
  • dc344328208c3481587d0aab1005fcdd
  • 10911494fa52daee0279972f91fded01
  • 24ccd142ff83e8622f00f5443ea5cb2d
  • a6980e543efa40771ed1dcf84b29d732
  • a162a5c5ab72b3783215f52b9edc3680
  • 600371ebab1e29429f06a5b1909056e5
  • 0067679c7033139bcbb273840494b324
  • 602d720f1184d2ad739568cbf6403331

Tox

3 total
  • 4AE245548F2A225882951FB14E9BF87EE01A0C10AE159B99D1EA62620D91A372205227254A9F
  • 061AA6BDE8F6DE6C92F0D6E077359BF6911FCAF80030E82B3A3DB65E63C8011343D34F956FEC
  • AEA72DFCF492037A6D15755A74645C7D8E674E342BACA9F9070A3FB74117EC3143FD6E29BEAC

Email

2 total
  • medusa.support@onionmail.org
  • MedusaSupport@cock.li

Reported operators

Threat actors

12 named in public reporting
Medusa Group

Since 6 February 2025, S-RM has responded to several incidents involving the ransomware group Medusa, where this group has exploited SimpleHelp vulnerabilities to gain initial access to victims’ infrastructure.

UNC3886

Researchers observed the group deploying Linux rootkits, including REPTILE and MEDUSA, after exploiting vCenter and ESXi vulnerabilities.

Lazarus

North Korea's Lazarus Group targets healthcare orgs with Medusa ransomware

Storm-1175

The Medusa ransomware activity, executed by the threat actor group Storm-1175, demonstrates a decisive shift toward exploit-centric, high-velocity intrusion models.

Blockade Spider

Essentially, OrBit is built from Medusa, an open-source LD_PRELOAD rootkit published on GitHub in December 2022.

Hastalamuerte

Hastalamuerte was an experienced affiliate who had previously worked with Embargo, LockBit, and Medusa before joining Qilin.

Andariel

Sample 1 ( gaze.exe ) is a fully functional Medusa ransomware binary whose XOR-encoded config (key 0x2E ) yields four Tor .onion C2 addresses, a victim-specific negotiation endpoint, and a kill list targeting 50+ enterprise security and backup services.

APT38

Sample 1 ( gaze.exe ) is a fully functional Medusa ransomware binary whose XOR-encoded config (key 0x2E ) yields four Tor .onion C2 addresses, a victim-specific negotiation endpoint, and a kill list targeting 50+ enterprise security and backup services.

Spearwing

Sample 1 ( gaze.exe ) is a fully functional Medusa ransomware binary whose XOR-encoded config (key 0x2E ) yields four Tor .onion C2 addresses, a victim-specific negotiation endpoint, and a kill list targeting 50+ enterprise security and backup services.

EncryptHub

Windows System Network Config Discovery Display DNS ... Medusa Ransomware, Windows Post-Exploitation, Prestige Ransomware, Water Gamayun

Contagious Interview

North Korean state-backed attackers are now using the Medusa ransomware... Medusa, which is operated by the Spearwing cybercrime group, was launched in 2023 and is run as a ransomware-as-a-service.

Pompilus

The North Korea-linked Lazarus Group (aka Diamond Sleet and Pompilus) has been observed using Medusa ransomware in an attack targeting an unnamed entity in the Middle East.

Exploited software

Vulnerabilities linked to Medusa

23 CVEs
CVE-2023-48788 SQL Injection Leading to RCE in Fortinet FortiClient EMS CVE-2024-1709 Authentication Bypass in ConnectWise ScreenConnect CVE-2024-57728 SimpleHelp Zip Slip Arbitrary File Upload Leading to RCE CVE-2024-57727 Unauthenticated Path Traversal in SimpleHelp CVE-2024-57726 SimpleHelp Missing Authorization Privilege Escalation CVE-2024-1708 ConnectWise ScreenConnect Path Traversal Vulnerability CVE-2024-37085 VMware ESXi Active Directory Integration Authentication Bypass CVE-2023-21529 Microsoft Exchange Server Deserialization of Untrusted Data RCE CVE-2023-0669 Pre-authentication RCE in Fortra GoAnywhere MFT License Response Servlet CVE-2025-31324 Unauthenticated Arbitrary File Upload in SAP NetWeaver Visual Composer Metadata Uploader CVE-2026-1731 Pre-auth OS Command Injection RCE in BeyondTrust Remote Support and Privileged Remote Access CVE-2025-10035 Unsafe deserialization RCE in Fortra GoAnywhere MFT License Servlet CVE-2025-31161 CrushFTP AWS4-HMAC Authentication Bypass CVE-2024-27198 Authentication Bypass in JetBrains TeamCity On-Premises CVE-2026-23760 Authentication Bypass in SmarterTools SmarterMail Password Reset API CVE-2023-27351 Authentication Bypass in PaperCut NG/MF SecurityRequestFilter CVE-2024-27199 JetBrains TeamCity Relative Path Traversal Authentication Bypass CVE-2025-52691 Unauthenticated arbitrary file upload RCE in SmarterTools SmarterMail CVE-2024-21887 Command Injection in Ivanti Connect Secure and Policy Secure CVE-2023-46805 Authentication Bypass in Ivanti Connect Secure and Policy Secure Web Component CVE-2023-27350 Unauthenticated RCE in PaperCut MF/NG SetupCompleted CVE-2022-41082 ProxyNotShell RCE in Microsoft Exchange Server CVE-2022-41080 OWASSRF in Microsoft Exchange Server

MITRE ATT&CK

Medusa in ATT&CK

99 distinct techniques

Techniques

99 techniques
T1486 Data Encrypted for Impact T1490 Inhibit System Recovery T1133 External Remote Services T1489 Service Stop T1566 Phishing T1110 Brute Force T1562.001 Disable or Modify Tools T1574.006 Dynamic Linker Hijacking T1106 Native API T1556.003 Pluggable Authentication Modules T1027 Obfuscated Files or Information T1564 Hide Artifacts T1014 Rootkit T1190 Exploit Public-Facing Application T1059.001 PowerShell T1110.003 Password Spraying T1567 Exfiltration Over Web Service T1110.001 Password Guessing T1070 Indicator Removal T1564.009 Resource Forking T1021.004 SSH T1057 Process Discovery T1556 Modify Authentication Process T1059.003 Windows Command Shell T1056.004 Credential API Hooking T1564.001 Hidden Files and Directories T1622 Debugger Evasion T1136 Create Account T1082 System Information Discovery T1070.004 File Deletion T1140 Deobfuscate/Decode Files or Information T1547 Boot or Logon Autostart Execution T1562 Impair Defenses T1649 Steal or Forge Authentication Certificates T1036 Masquerading T1546.008 Accessibility Features T1568 Dynamic Resolution T1056.001 Keylogging T1113 Screen Capture T1040 Network Sniffing T1006 Direct Volume Access T1078 Valid Accounts T1203 Exploitation for Client Execution T1210 Exploitation of Remote Services T1537 Transfer Data to Cloud Account T1041 Exfiltration Over C2 Channel T1021.001 Remote Desktop Protocol T1548.002 Bypass User Account Control T1003 OS Credential Dumping T1547.001 Registry Run Keys / Startup Folder T1135 Network Share Discovery T1497 Virtualization/Sandbox Evasion T1112 Modify Registry T1570 Lateral Tool Transfer T1484.001 Group Policy Modification T1505.003 Web Shell T1567.002 Exfiltration to Cloud Storage T1560 Archive Collected Data T1562.004 Disable or Modify System Firewall T1021 Remote Services T1219 Remote Access Tools T1589 Gather Victim Identity Information T1021.002 SMB/Windows Admin Shares T1595 Active Scanning T1543.003 Windows Service T1564.003 Hidden Window T1218.007 Msiexec T1007 System Service Discovery T1046 Network Service Discovery T1098.004 SSH Authorized Keys T1569.002 Service Execution T1047 Windows Management Instrumentation T1053 Scheduled Task/Job T1657 Financial Theft T1588.001 Malware T1018 Remote System Discovery T1016 System Network Configuration Discovery T1485 Data Destruction T1020 Automated Exfiltration T1213 Data from Information Repositories T1518.002 Backup Software Discovery T1679 Selective Exclusion T1124 System Time Discovery T1518.001 Security Software Discovery T1027.013 Encrypted/Encoded File T1680 Local Storage Discovery T1083 File and Directory Discovery T1563.001 SSH Hijacking T1559 Inter-Process Communication T1071 Application Layer Protocol T1003.003 NTDS T1005 Data from Local System T1555.003 Credentials from Web Browsers T1105 Ingress Tool Transfer T1090 Proxy T1059 Command and Scripting Interpreter T1562.009 Safe Mode Boot T1045 Exfiltration Over C2 Channel T1048 Exfiltration Over Alternative Protocol

Reporting

Research mentioning Medusa

Jul 15
Alpha Cyber

Medusa Ransomware: The RaaS That Blinds Your EDR Before It Encrypts - Alpha Cyber

Medusa is a ransomware-as-a-service operation that has hit 300+ organisations across healthcare, education, manufacturing and other critical sectors. It buys its way in, disables endpoint defenses with a bring-your-own-vulnerable-driver attack, steals data, and then encrypts with the .medusa extension and a public leak blog.

Jul 14
Gurucul Threat Research

ClickFix: Exploiting Compromised WordPress Sites with a Polygon-Based C2 Infrastructure | Community Portal | Gurucul

Medusa4

Jul 7
Hackers Arise

Cryptocurrency Drainers: How Hackers Steal Cryptocurrency - Hackers Arise

The biggest drainers active in 2024 had names like Angel, Inferno, Ping, Ace, Cerberus, Nova, Medusa, MS, CryptoGrab, and Venom.

Jul 1
Huntress

How the RaaS Business Model Actually Works | Huntress

In the Huntress 2026 Cyber Threat Report, four groups—Akira, Medusa, Qilin, and Ransomhub—accounted for over half of observed ransomware incidents...

Jun 12
Flareio

Ransomware-as-a-Service: LockBit Alumni Launch Competing Programs as E

hastalamuerte also carries prior experience with LockBit, Embargo, and Medusa, but the documented split is from Qilin.

Jun 11
The Hacker News

The Gentlemen Ransomware Claims 478 Victims, Can Spread Like a Worm

The financially motivated threat group initially operated as an affiliate responsible for conducting double extortion attacks, while leveraging resources from various ransomware-as-a-service (RaaS) schemes like LockBit (aka Tenacious Mantis), Qilin (aka Pestilent Mantis), and Medusa (aka Venomous Mantis).

Jun 6
Codeby

Анализ ransomware The Gentlemen: реверс Go-бинарника Storm-2697

Из переписки видно, что разработчики The Gentlemen систематически реверсят семплы Babuk, Qilin, LockBit 5.0 и Medusa, вытаскивая шифровальные рутины, техники обфускации и методы обхода EDR.

Jun 5
Osint Team

The Gentlemen Ransomware: Threat Profile | by privacyinsightsolutions.com | May, 2026 | OSINT Team

The encryptor and locker binaries were partially reverse-engineered from source code and samples of Babuk, Qilin, LockBit 5.0, and Medusa before the custom Go implementation was developed.

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.