Introduction
Ransomware remains one of the biggest threats in cybersecurity, and Medusa ransomware has quickly gained notoriety. First identified in June 2021, Medusa operates as a Ransomware-as-a-Service (RaaS), allowing cybercriminals (affiliates) to conduct attacks on organizations across different industries.
In February 2025, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a warning that Medusa had already affected over 300 critical infrastructure organizations in the U.S. The most impacted sectors include healthcare, education, legal, insurance, technology, and manufacturing.
Here we explain how Medusa ransomware works, how it spreads, and most importantly, how organizations can protect themselves from this growing threat.
How Medusa Ransomware Works
Medusa is a double-extortion ransomware, meaning attackers not only encrypt a victim’s files but also steal sensitive data. If the ransom is not paid, the attackers threaten to leak the stolen data publicly.
Attack Methodology
- Initial Access
- Exploits unpatched vulnerabilities in public-facing services.
- Uses compromised credentials to access systems via Remote Desktop Protocol (RDP).
- Some attacks originate through supply chain compromises.
 
- Spreading & Hiding in the System
- Deploys PowerShell scripts and webshells to maintain access.
- Uses kernel drivers to avoid detection.
- Employs obfuscation techniques to bypass security software.
 
- Reconnaissance & Execution
- Uses tools like SoftPerfect Network Scanner for lateral movement.
- Executes an AES256 + RSA encryption mechanism to lock files.
- Drops a ransom note named !!!READ_ME_MEDUSA!!!.txt.
 
- Data Theft & Ransom Demands
- Stolen data is published on the Medusa Tor leak site.
- Attackers set ransom payment deadlines and charge extra fees for deadline extensions.
 
Indicators of Compromise (IOCs)
Security teams should monitor for the following Medusa-specific IOCs:
- Encrypted File Extension:
.MEDUSA 
- Ransom Note Name:
!!!READ_ME_MEDUSA!!!.txt 
- Detection Names:
- 
Avast: Win32:RansomX-gen [Ransom] 
- 
Kaspersky: Trojan.Win32.AntiAV.dadw 
- 
Malwarebytes: Ransom.Medusa 
- 
Command and Control (C2) Domain: medusacegu2ufmc3kx2kkqicrlcxdettsjcenhjena6uannk5f4ffuyd[.]onion 
 
- 
Real-World Attacks by Medusa
Several major organizations have fallen victim to Medusa ransomware:
1. Toyota Financial Services (TFS) Breach (November 2023)
- Medusa targeted Toyota’s European and African operations, demanding an $8 million ransom.
- Attackers exploited an unpatched Citrix Gateway vulnerability to gain access.
2. Minneapolis Public Schools (MPS) Attack (February 2023)
- Medusa exfiltrated 100GB of student and faculty data.
- MPS refused to pay the $1 million ransom, so the stolen data was leaked publicly.
3. Philippine Health Insurance Corporation (PhilHealth) Breach (Sep 2023)
- Medusa stole 750GB of sensitive data.
- The breach occurred due to expired antivirus software, delaying detection and response.
How Others Encountered Medusa Ransomware
One of the organizations first detected Medusa ransomware in December 2024 through our SIEM/SOC/MDR operations. While initially flagged as a behavior anomaly, deeper analysis revealed suspicious activity.
Key Observations from their Investigation:
- Behavioral Detection Flagged It First
- No security vendor initially detected it.
- Behavioral analytics tipped us off to unusual activities.
 
- Antimalware Software Failed to Detect Medusa
- Despite having a fully licensed, enterprise-grade security solution, Medusa remained undetected.
- The security vendor only started detecting it six weeks later—after the organization reported the attack.
 
- Threat Intelligence Collaboration Led to Detection Improvements
- The organization shared its findings with security vendors, including VirusTotal.
- Within two weeks, detection capabilities improved, helping other companies identify Medusa earlier.
 
- Stealthy Execution Techniques
- Medusa was wrapped in multiple evasion layers, making initial identification difficult.
- Once these layers were bypassed, security analysts confirmed it was Medusa ransomware.
 
Key Lessons Learned:
- SIEM/SOC is Essential: Security monitoring tools detected Medusa when traditional antivirus solutions failed.
- Don’t Rely Solely on Antivirus: Even enterprise-grade solutions may miss new ransomware variants.
- Incident Response Training is Crucial: Employees must be trained to recognize, report, and escalate anomalies to prevent widespread damage.
How to Protect Your Organization from Medusa Ransomware
1. Deploy Advanced Endpoint Security
- Use endpoint detection & response (EDR) solutions like CrowdStrike, SentinelOne, Microsoft Defender, Cynet 360, etc. to detect behavioral anomalies.
- Deploy MDM for real-time patch management on endpoints.
2. Enforce Strict Access Controls
- Enable Multi-Factor Authentication (MFA) on all accounts.
- Implement role-based access control (RBAC) to limit user privileges.
3. Keep Systems Updated
- Regularly apply security patches to OS, applications, and software.
- Perform frequent vulnerability scans and patch them.
- Make use of IDS and patch management tools.
4. Train Employees on Phishing & Social Engineering
- Conduct cybersecurity awareness training to help employees recognize phishing emails.
- Implement email filtering solutions to block malicious emails.
5. Implement Network Segmentation
- Restrict lateral movement by isolating critical assets.
- Restrict access to internal networks by blocking untrusted IPs.
6. Maintain Secure Backups
- Follow the 3-2-1 backup strategy:
- 3 copies of your data,
- 2 different storage types,
- 1 offsite backup.
 
7. Monitor for Indicators of Compromise (IOCs)
- Regularly scan logs for unusual activity.
- Subscribe to Threat Intelligence feeds for real-time updates.
8. Develop an Incident Response Plan
- Create a ransomware response plan and test it regularly.
- Ensure disaster recovery procedures are well-documented.
Conclusion
Medusa ransomware continues to evolve, targeting organizations worldwide with its double extortion tactics. As seen in real-world attacks, it can bypass traditional antivirus solutions, making behavioral monitoring and proactive threat hunting essential.
By implementing strong security measures like SIEM/SOC, EDR solutions, network segmentation, and employee training, organizations can mitigate the risk of falling victim to Medusa.
Ransomware is not just a technical issue—it’s business continuity and reputational risk. The best defense is prevention, early detection, and a well-prepared incident response strategy.

 
								 
								 
															 
															 
															