
The FBI, CISA, and MS-ISAC have issued a joint cybersecurity advisory warning that the Medusa ransomware-as-a-service (RaaS) variant has compromised over 300 victims across critical infrastructure sectors, including healthcare, education, legal, insurance, technology, and manufacturing.
The advisory, based on investigations conducted as recently as February 2025, details the tactics, techniques, and procedures (TTPs) used by Medusa ransomware operators and provides mitigation recommendations for organizations at risk.
Medusa ransomware threat
Medusa ransomware (not to be confused with the unrelated MedusaLocker) first emerged in June 2021 as a closed-group operation but has since moved to an affiliate-based model. Affiliates deploy the ransomware, while Medusa's developers retain control over key aspects such as ransom negotiations. The group runs a double extortion scheme: victims face not only data encryption but also the threat of public data leaks if they refuse to pay.
To gain initial access, Medusa actors collaborate with initial access brokers (IABs), who obtain network access through phishing campaigns or by exploiting unpatched vulnerabilities. According to CISA, the attackers have been observed leveraging:
CVE-2024-1709 – A critical authentication bypass vulnerability in ConnectWise ScreenConnect.
CVE-2023-48788 – An SQL injection flaw in Fortinet FortiClient EMS.
Once inside a network, Medusa ransomware operators use living-off-the-land (LOTL) techniques to blend in with legitimate activity. Tools such as PowerShell, Windows Command Prompt, Advanced IP Scanner, and SoftPerfect Network Scanner are used to conduct system discovery and lateral movement. Medusa actors also employ remote access tools like AnyDesk, Atera, and ConnectWise to establish persistence and expand their control over compromised environments.
After securing a foothold, Medusa ransomware actors move laterally using Remote Desktop Protocol (RDP) and PsExec, often disabling security solutions to avoid detection. The group has been observed using Mimikatz to extract credentials from the Local Security Authority Subsystem Service (LSASS), enabling further access to high-privilege accounts.
Data exfiltration is conducted using Rclone, a command-line tool that synchronizes data to external cloud storage. Once valuable data has been stolen, Medusa actors deploy the encryptor gaze.exe, which:
- Encrypts files using AES-256, appending the .medusa extension.
- Terminates services related to backups, security, databases, communication, file sharing, and websites to maximize disruption.
- Deletes volume shadow copies (via vssadmin) to prevent system recovery.
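The TTPs above map cleanly onto endpoint telemetry. The following is an added detection example, not code from the advisory or from any vendor: it runs simple rules over constructed Sysmon-style events (event ID 1 process creation, 10 process access, 11 file creation) and flags shadow copy deletion, Rclone exfiltration, PsExec, non-allowlisted reads of LSASS memory, and a burst of .medusa file writes from one process. The sample events, the process-name allowlists for remote access tools and scanners, and the rename threshold are assumptions chosen for illustration.

```python
"""Toy detection rules for the Medusa TTPs described above (added example).
Events mimic Sysmon fields; the samples are constructed, not real telemetry."""
from collections import Counter
import ntpath

# Constructed sample events (assumption: Sysmon-like field names).
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "p1", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "ProcessGuid": "p2", "Image": r"C:\Users\Public\rclone.exe",
     "CommandLine": r"rclone.exe copy C:\Finance remote:bk --config C:\Users\Public\r.conf"},
    {"EventID": 10, "SourceImage": r"C:\Temp\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
    {"EventID": 1, "ProcessGuid": "p3", "Image": r"C:\Windows\PSEXESVC.exe",
     "CommandLine": "PSEXESVC.exe"},
    {"EventID": 1, "ProcessGuid": "p4", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
] + [  # one process renaming many files to .medusa, as the encryptor would
    {"EventID": 11, "ProcessGuid": "p5", "Image": r"C:\Temp\gaze.exe",
     "TargetFilename": rf"C:\Shares\doc{i}.docx.medusa"} for i in range(25)
]

RENAME_THRESHOLD = 20  # assumed: .medusa creations by one process before alerting
# Assumed allowlists / binary names; tune to your estate.
LSASS_SAFE_SOURCES = {"csrss.exe", "wininit.exe", "lsass.exe", "msmpeng.exe"}
REMOTE_TOOLS = {"anydesk.exe", "ateraagent.exe", "screenconnect.clientservice.exe"}
SCANNERS = {"advanced_ip_scanner.exe", "netscan.exe"}
PSEXEC = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}


def basename(path):
    """Lower-cased file name from a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return a list of (rule_name, event) for every event that trips a rule."""
    findings = []
    medusa_writes = Counter()  # .medusa file creations per ProcessGuid
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            img = basename(ev["Image"])
            cmd = ev.get("CommandLine", "").lower()
            # Shadow copy deletion via vssadmin or wmic
            if (img == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd) or \
               (img == "wmic.exe" and "shadowcopy" in cmd and "delete" in cmd):
                findings.append(("shadow_copy_deletion", ev))
            # Rclone pushing data to a remote, even if the binary was renamed
            if img == "rclone.exe" or ("rclone" in cmd and ("copy" in cmd or "sync" in cmd)):
                findings.append(("rclone_exfiltration", ev))
            if img in PSEXEC:
                findings.append(("psexec_lateral_movement", ev))
            if img in REMOTE_TOOLS:
                findings.append(("remote_access_tool", ev))
            if img in SCANNERS:
                findings.append(("network_scanner", ev))
        elif eid == 10 and basename(ev["TargetImage"]) == "lsass.exe":
            # PROCESS_VM_READ (0x10) on LSASS from an unexpected process is the
            # classic Mimikatz/credential-dump signal (0x1010 is typical).
            access = int(ev["GrantedAccess"], 16)
            if access & 0x10 and basename(ev["SourceImage"]) not in LSASS_SAFE_SOURCES:
                findings.append(("lsass_memory_access", ev))
        elif eid == 11 and ev["TargetFilename"].lower().endswith(".medusa"):
            medusa_writes[ev["ProcessGuid"]] += 1
            if medusa_writes[ev["ProcessGuid"]] == RENAME_THRESHOLD:  # alert once
                findings.append(("mass_medusa_encryption", ev))
    return findings


def rule_names(events):
    """Distinct rule names tripped, sorted, for summarising a run."""
    return sorted({name for name, _ in detect(events)})


if __name__ == "__main__":
    for name, ev in detect(SAMPLE_EVENTS):
        print(f"{name}: {ev.get('Image') or ev.get('SourceImage')}")
```

On the sample set the rules fire for the vssadmin, Rclone, PsExec, LSASS-read and mass-rename events, and stay quiet for notepad and for csrss opening LSASS, which shows why the LSASS rule needs an allowlist rather than matching on the target alone. Real deployments should key the rename rule on file-write rate rather than a fixed count, since affiliates can change the extension.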
Medusa ransomware operators issue a 48-hour ultimatum, demanding victims engage in negotiations through Tor-based live chat or Tox messenger. If ignored, Medusa actors escalate by directly contacting victims via phone or email. The group also maintains a .onion data leak site, where they list victims and display countdown timers indicating when stolen data will be released.
In a triple extortion case documented by the FBI, a Medusa ransomware victim who had already paid was contacted by a separate Medusa actor claiming that the original negotiator had stolen the payment. The second actor demanded that half of the ransom be paid again in exchange for the "true" decryptor, illustrating that paying offers no guarantee of recovery.
The FBI, CISA, and MS-ISAC discourage ransom payments, as they do not guarantee data recovery and may encourage further attacks. Instead, they urge organizations to report incidents to the FBI's Internet Crime Complaint Center (IC3), local FBI field offices, or CISA's incident reporting system.