Today, a joint advisory was released regarding the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Medusa ransomware. This advisory was issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). As of February 2025, Medusa developers and their affiliates have impacted over 300 victims across diverse critical infrastructure sectors, including medical, education, legal, insurance, technology, and manufacturing. Notably, the electric, water, and oil and gas sectors have not been mentioned as affected.
The top three recommended actions for mitigation include:
More mitigation strategies can be found at the end of this post.
What is Medusa Ransomware?
Medusa Ransomware is a type of ransomware-as-a-service (RaaS) that has been active since 2021. It initially operated under central control by its developers but has since adopted an affiliate model, though key operations like ransom negotiations are still centrally managed. Medusa actors use a double extortion tactic, encrypting victim data and threatening to release it publicly if a ransom is not paid.
How Do Medusa Actors Operate and Infiltrate Critical Infrastructure?
Medusa ransomware actors, including developers and affiliates, employ a combination of initial access brokers and sophisticated techniques to penetrate critical infrastructure. They primarily gain initial access through phishing campaigns and by exploiting unpatched software vulnerabilities. After access is secured, Medusa actors employ living off the land (LOTL) techniques using legitimate tools like Advanced IP Scanner, SoftPerfect Network Scanner, PowerShell, and Windows Command Prompt for network and system enumeration. They also use remote access software to blend into the existing environment and evade detection.
For lateral movement and further infiltration, Medusa actors utilize tools like Remote Desktop Protocol (RDP), PsExec, and other command and control (C2) methods. They install Rclone for data exfiltration and use encryptors like gaze.exe to lock files with AES-256 encryption, changing their extensions to .medusa. They disable security measures, delete backup data, and then demand ransoms via secure channels, threatening to release stolen data if not paid.
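As an added illustration (not part of the advisory or this post), the following Python script runs a simple detection pass over constructed endpoint telemetry for the behaviours described above: execution of Rclone, PsExec or gaze.exe, and a burst of files renamed to the .medusa extension on one host. The pipe-delimited log format, the binary names and the rename threshold are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Binary names assumed for the tools named in the post (hypothetical mapping).
SUSPECT_PROCESSES = {
    "rclone.exe": "Rclone (data exfiltration)",
    "psexec.exe": "PsExec (lateral movement)",
    "gaze.exe": "gaze.exe (Medusa encryptor)",
}
RENAME_THRESHOLD = 3                   # .medusa renames per host within the window
RENAME_WINDOW = timedelta(seconds=60)

# Constructed sample telemetry, not real logs: "<ISO time>|<host>|<event>|<detail>".
SAMPLE_LOG = """\
2025-02-10T09:00:01|srv-01|process|C:\\Windows\\System32\\svchost.exe
2025-02-10T09:02:10|srv-01|process|C:\\Users\\Public\\rclone.exe
2025-02-10T09:02:30|srv-01|rename|D:\\share\\old.bak -> D:\\share\\old.bak.medusa
2025-02-10T09:05:00|ws-07|process|C:\\Temp\\gaze.exe
2025-02-10T09:05:01|ws-07|rename|D:\\docs\\q1.xlsx -> D:\\docs\\q1.xlsx.medusa
2025-02-10T09:05:02|ws-07|rename|D:\\docs\\q2.xlsx -> D:\\docs\\q2.xlsx.medusa
2025-02-10T09:05:03|ws-07|rename|D:\\docs\\plan.docx -> D:\\docs\\plan.docx.medusa
"""

def parse_event(line):
    """Split one pipe-delimited line into fields; return None for malformed lines."""
    parts = line.strip().split("|", 3)
    if len(parts) != 4:
        return None
    ts, host, kind, detail = parts
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, "detail": detail}

def detect(log_text):
    """Return (host, reason) alerts for suspect tool execution and .medusa rename bursts."""
    alerts = []
    renames = defaultdict(list)        # host -> timestamps of renames to .medusa
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["kind"] == "process":
            exe = ev["detail"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if exe in SUSPECT_PROCESSES:
                alerts.append((ev["host"], SUSPECT_PROCESSES[exe]))
        elif ev["kind"] == "rename" and ev["detail"].lower().endswith(".medusa"):
            renames[ev["host"]].append(ev["ts"])
    # One rename is noise; RENAME_THRESHOLD renames inside a sliding window is an encryptor.
    for host, stamps in renames.items():
        stamps.sort()
        for i in range(RENAME_THRESHOLD - 1, len(stamps)):
            if stamps[i] - stamps[i - RENAME_THRESHOLD + 1] <= RENAME_WINDOW:
                secs = int(RENAME_WINDOW.total_seconds())
                alerts.append((host, f"bulk rename to .medusa ({RENAME_THRESHOLD} files within {secs}s)"))
                break
    return alerts
```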
Medusa employs a double, and potentially triple, extortion model. Victims are pressured to pay to decrypt files and stop the release of their data. Failure to comply leads to direct outreach from Medusa actors and further threats, including additional ransom demands for the decryptor.
For more detailed information and mitigation strategies, refer to the full advisory.
How Can You Improve Cybersecurity Posture Against Medusa Threat Actors?
To combat the sophisticated tactics of Medusa ransomware actors, the FBI, CISA, and MS-ISAC have issued recommendations aligned with the Cross-Sector Cybersecurity Performance Goals (CPGs). Here are the key strategies organizations should implement to enhance their cybersecurity defenses:
A platform like the Industrial Defender Platform can be instrumental in bolstering cybersecurity defenses, particularly through its OT asset management capabilities that enhance the understanding of system states. This allows for effective assessment and implementation of necessary controls. It is equipped to monitor for unusual changes that could indicate a breach or malicious activity within the network. This includes the detection of new user accounts, changes in user permissions, anomalous traffic patterns, suspicious login behaviors and more.
This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Learn more here: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a.