Credential Theft
- Mimikatz
Medusa is a financially motivated ransomware-as-a-service operation active since at least 2021 that conducts double-extortion attacks against organizations in healthcare, education, manufacturing, legal, insurance, technology, and other critical sectors.
Profile source: Mallory opens in a new tabMedusa
Medusa is a financially motivated ransomware-as-a-service operation active since at least 2021 that conducts double-extortion attacks against organizations in healthcare, education, manufacturing, legal, insurance, technology, and other critical sectors. It is distinct from MedusaLocker, the Android banking trojan also called Medusa, and the open-source Linux rootkit of the same name. Medusa has been linked to hundreds of victims and typically combines data theft with file encryption and threats to publish stolen information on a leak site.
Medusa commonly gains initial access through purchased footholds from initial access brokers, credential-phishing, and exploitation of vulnerable public-facing services. Reported intrusion paths include exploitation of FortiClient EMS CVE-2023-48788, ScreenConnect CVE-2024-1709, and SimpleHelp vulnerabilities including CVE-2024-57727 and CVE-2024-57728. After compromise, operators use PowerShell, WMI, RDP, remote-management software, and administrative tooling for execution, persistence, discovery, and lateral movement. Observed tooling includes abuse of legitimate remote access and deployment utilities as well as PsExec and Cobalt Strike.
A defining feature of Medusa intrusions is aggressive defense evasion. Operators have used bring-your-own-vulnerable-driver techniques and the ABYSSWORKER malicious driver to disable or impair endpoint security products. They have also been observed clearing PowerShell history, terminating services, and deleting shadow copies to hinder recovery and investigation. Medusa stages and exfiltrates sensitive data before encryption, including use of common exfiltration tooling, then deploys its encryptor and ransom note as part of a centrally managed extortion workflow.
Medusa primarily targets Windows enterprise environments and has historically focused on vulnerable internet-facing infrastructure as an entry point. The operation follows the broader RaaS model in which core developers maintain the malware and extortion infrastructure while affiliates or partners conduct intrusions, although ransom negotiations are reported to remain centrally controlled. Overall, Medusa is a mature criminal ransomware operation characterized by opportunistic access methods, strong emphasis on defense impairment, lateral movement through legitimate administration channels, and double-extortion monetization.
Ransomware.live
Ransomware.live
https://t.me/+yXOcSjVjI9tjM2E0983a20479a281a182d33b75c0945e4474fe99e5dc101170750d8ece6ea066155dc344328208c3481587d0aab1005fcdd10911494fa52daee0279972f91fded0124ccd142ff83e8622f00f5443ea5cb2da6980e543efa40771ed1dcf84b29d732a162a5c5ab72b3783215f52b9edc3680600371ebab1e29429f06a5b1909056e50067679c7033139bcbb273840494b324602d720f1184d2ad739568cbf64033314AE245548F2A225882951FB14E9BF87EE01A0C10AE159B99D1EA62620D91A372205227254A9F061AA6BDE8F6DE6C92F0D6E077359BF6911FCAF80030E82B3A3DB65E63C8011343D34F956FECAEA72DFCF492037A6D15755A74645C7D8E674E342BACA9F9070A3FB74117EC3143FD6E29BEACmedusa.support@onionmail.orgMedusaSupport@cock.liReported operators
Since 6 February 2025, S-RM has responded to several incidents involving the ransomware group Medusa, where this group has exploited SimpleHelp vulnerabilities to gain initial access to victims’ infrastructure.
Researchers observed the group deploying Linux rootkits, including REPTILE and MEDUSA, after exploiting vCenter and ESXi vulnerabilities.
North Korea's Lazarus Group targets healthcare orgs with Medusa ransomware
The Medusa ransomware activity, executed by the threat actor group Storm-1175, demonstrates a decisive shift toward exploit-centric, high-velocity intrusion models.
Essentially, OrBit is built from Medusa, an open-source LD_PRELOAD rootkit published on GitHub in December 2022.
Hastalamuerte was an experienced affiliate who had previously worked with Embargo, LockBit, and Medusa before joining Qilin.
Sample 1 ( gaze.exe ) is a fully functional Medusa ransomware binary whose XOR-encoded config (key 0x2E ) yields four Tor .onion C2 addresses, a victim-specific negotiation endpoint, and a kill list targeting 50+ enterprise security and backup services.
Sample 1 ( gaze.exe ) is a fully functional Medusa ransomware binary whose XOR-encoded config (key 0x2E ) yields four Tor .onion C2 addresses, a victim-specific negotiation endpoint, and a kill list targeting 50+ enterprise security and backup services.
Sample 1 ( gaze.exe ) is a fully functional Medusa ransomware binary whose XOR-encoded config (key 0x2E ) yields four Tor .onion C2 addresses, a victim-specific negotiation endpoint, and a kill list targeting 50+ enterprise security and backup services.
Windows System Network Config Discovery Display DNS ... Medusa Ransomware, Windows Post-Exploitation, Prestige Ransomware, Water Gamayun
North Korean state-backed attackers are now using the Medusa ransomware... Medusa, which is operated by the Spearwing cybercrime group, was launched in 2023 and is run as a ransomware-as-a-service.
The North Korea-linked Lazarus Group (aka Diamond Sleet and Pompilus) has been observed using Medusa ransomware in an attack targeting an unnamed entity in the Middle East.
Exploited software
MITRE ATT&CK
Reporting
Medusa is a ransomware-as-a-service operation that has hit 300+ organisations across healthcare, education, manufacturing and other critical sectors. It buys its way in, disables endpoint defenses with a bring-your-own-vulnerable-driver attack, steals data, and then encrypts with the .medusa extension and a public leak blog.
Medusa4
The biggest drainers active in 2024 had names like Angel, Inferno, Ping, Ace, Cerberus, Nova, Medusa, MS, CryptoGrab, and Venom.
In the Huntress 2026 Cyber Threat Report, four groups—Akira, Medusa, Qilin, and Ransomhub—accounted for over half of observed ransomware incidents...
hastalamuerte also carries prior experience with LockBit, Embargo, and Medusa, but the documented split is from Qilin.
The financially motivated threat group initially operated as an affiliate responsible for conducting double extortion attacks, while leveraging resources from various ransomware-as-a-service (RaaS) schemes like LockBit (aka Tenacious Mantis), Qilin (aka Pestilent Mantis), and Medusa (aka Venomous Mantis).
Из переписки видно, что разработчики The Gentlemen систематически реверсят семплы Babuk, Qilin, LockBit 5.0 и Medusa, вытаскивая шифровальные рутины, техники обфускации и методы обхода EDR.
The encryptor and locker binaries were partially reverse-engineered from source code and samples of Babuk, Qilin, LockBit 5.0, and Medusa before the custom Go implementation was developed.
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.