MEDUSA
MEDUSA is primarily focused on targeting Managed Service Providers (MSPs) and their associated Remote Management and Monitoring (RMM) solutions, exploiting vulnerabilities within these systems to gain initial access. The group leverages phishing tactics such as T1566 Phishing to deliver malware like Advanced IP Scanner and AnyDesk, which are commonly used for remote administration. Once inside the network, MEDUSA employs a range of sophisticated techniques including lateral movement with Windows Management Instrumentation (WMI) and credential harvesting via Valid Accounts (T1078). They typically engage in double extortion by exfiltrating data before encrypting it to maximize their leverage over victims.
From a technical standpoint, MEDUSA exploits critical vulnerabilities such as CVE-2024-57727 within RMM solutions like SimpleHelp, indicating a preference for targeting software with high privilege access. The group's use of tools like Cloudflared and Ligolo suggests an advanced understanding of network infrastructure and evasion techniques. Defenders should prioritize patching critical vulnerabilities in RMM products and enhancing phishing detection mechanisms to mitigate the risk posed by MEDUSA’s sophisticated attack vectors.
CISA Intelligence #StopRansomware
#StopRansomware: Medusa Ransomware · 2025-03-12
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Medusa ransomware TTPs and IOCs, identified through FBI investigations as recently as February 2025.
Medusa is a ransomware-as-a-service (RaaS) variant first identified in June 2021. As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing. The Medusa ransomware variant is unrelated to the MedusaLocker variant and the Medusa mobile malware variant per the FBI’s investigation.
FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents.
Download the PDF version of this report:
The RaaS Medusa variant has been used to conduct ransomware attacks from 2021 to present. Medusa originally operated as a closed ransomware variant, meaning all development and associated operations were controlled by the same group of cyber threat actors. While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers. Both Medusa developers and affiliates—referred to as “Medusa actors” in this advisory—employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid.
#StopRansomware: MedusaLocker · 2022-08-11
Staying Secure at Eventsno-cost Cyber ServicesSecure by design Secure Your BusinessReport A Cyber Issue
Close Topics Topics Cybersecurity Best Practices Cyber Threats and Response Critical Infrastructure Security and Resilience Election Security Emergency Communications Industrial Control Systems Information and Communications Technology Supply Chain Security Partnerships and Collaboration Physical Security Risk Management How can we help? GovernmentEducational InstitutionsIndustryState, Local, Tribal, and TerritorialIndividuals and FamiliesSmall and Medium BusinessesFind Help LocallyFaith-Based CommunityExecutivesHigh-Risk Communities Spotlight Resources & Tools Resources & Tools All Resources & Tools Services Programs Resources Training Groups News & Events News & Events Directives News Events Cybersecurity Alerts & Advisories Request a CISA Speaker Congressional Testimony CISA Conferences CISA Live! Careers Careers Benefits & Perks Hiring and Recruitment New Employee Orientation & Onboarding Students & Recent Graduates Veteran and Military Spouses About About Divisions & Offices Regions Leadership Doing Business with CISA Site Links CISA GitHub CISA Central Contact Us Subscribe Transparency and Accountability Policies & Plans Staying Secure at Eventsno-cost Cyber ServicesSecure by design Secure Your BusinessReport A Cyber Issue
Actions to take today to mitigate cyber threats from ransomware:• Prioritize remediating known exploited vulnerabilities.• Train users to recognize and report phishing attempts.• Enable and enforce multifactor authentication.
Confirmed CVEs (1)
Exploited by this group as confirmed by threat intelligence sources.
Predicted CVEs (8) CORRELATION
How does prediction work?
Predicted CVEs are identified through automated correlation using multiple sources: vendor/product profiles historically targeted by the group (MITRE ATT&CK), attack chain patterns (KEV + TTPs), threat intelligence (MISP, STIX), and AI analysis. These CVEs have not been confirmed as exploited by this specific group, but have a high probability of being targets based on the actor's operational profile.