
Joint Advisory: Medusa Ransomware Impacted 300 Critical Infrastructure Victims

March 13, 2025

Today, a joint advisory was released regarding the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Medusa ransomware. The advisory was issued by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). As of February 2025, Medusa developers and their affiliates have impacted over 300 victims across diverse critical infrastructure sectors, including medical, education, legal, insurance, technology, and manufacturing. Notably, the electric, water, and oil and gas sectors are not mentioned as affected.

The top three recommended actions for mitigation include:

  1. Mitigate Known Vulnerabilities: Ensure that operating systems, software, and firmware are patched and up to date within a risk-informed timeframe.
  2. Network Segmentation: Restrict lateral movement by segmenting networks. This prevents the spread from initially infected devices to other devices within the same organization.
  3. Filter Network Traffic: Block access to remote services on internal systems from unknown or untrusted origins.

More mitigation strategies can be found at the end of this post.

What is Medusa Ransomware?

Medusa is a ransomware-as-a-service (RaaS) operation that has been active since 2021. It initially operated under the central control of its developers but has since adopted an affiliate model, though key operations such as ransom negotiations are still centrally managed. Medusa actors use a double extortion tactic, encrypting victim data and threatening to release it publicly if a ransom is not paid.

How Do Medusa Actors Operate and Infiltrate Critical Infrastructure?

Medusa ransomware actors, including developers and affiliates, employ a combination of initial access brokers and sophisticated techniques to penetrate critical infrastructure. They primarily gain initial access through phishing campaigns and by exploiting unpatched software vulnerabilities. After access is secured, Medusa actors employ living off the land (LOTL) techniques using legitimate tools like Advanced IP Scanner, SoftPerfect Network Scanner, PowerShell, and Windows Command Prompt for network and system enumeration. They also use remote access software to blend into the existing environment and evade detection.

For lateral movement and further infiltration, Medusa actors utilize tools like Remote Desktop Protocol (RDP), PsExec, and other command and control (C2) methods. They install Rclone for data exfiltration and use encryptors like gaze.exe to lock files with AES-256 encryption, changing their extensions to .medusa. They disable security measures, delete backup data, and then demand ransoms via secure channels, threatening to release stolen data if not paid.

Medusa employs a double, and potentially triple, extortion model. Victims are pressured to pay to decrypt files and stop the release of their data. Failure to comply leads to direct outreach from Medusa actors and further threats, including additional ransom demands for the decryptor.

For more detailed information and mitigation strategies, refer to the full advisory.

How Can You Improve Cybersecurity Posture Against Medusa Threat Actors?

To combat the sophisticated tactics of Medusa ransomware actors, the FBI, CISA, and MS-ISAC have issued recommendations aligned with the Cross-Sector Cybersecurity Performance Goals (CPGs). Here are the key strategies organizations should implement to enhance their cybersecurity defenses:

  1. Data Recovery and Backup
    • "Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud)" [CPG 2.F, 2.R, 2.S].
  2. Password and Authentication Management
    • "Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards. In particular, require employees to use long passwords and consider not requiring frequently recurring password changes, as these can weaken security" [CPG 2.C].
    • "Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems" [CPG 2.H].
  3. System and Software Updates
    • "Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems" [CPG 1.E].
  4. Network Segmentation and Monitoring
    • "Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement" [CPG 2.F].
    • "Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections as they have insight into common and uncommon network connections for each host" [CPG 3.A].
  5. Remote Access and Traffic Filtering
    • "Require VPNs or Jump Hosts for remote access."
    • "Monitor for unauthorized scanning and access attempts."
    • "Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence."
  6. Privilege and Access Management
    • "Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege" [CPG 2.E].
    • "Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts" [CPG 1.A, 2.O].
    • "Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally" [CPG 2.E, 2.N].
  7. Backup Security
    • "Maintain offline backups of data, and regularly maintain backup and restoration" [CPG 2.R].
    • "Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure" [CPG 2.K, 2.L, 2.R].
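The TTPs summarized above (network scanner tooling, Rclone for exfiltration, the gaze.exe encryptor and the .medusa extension, PsExec for lateral movement) and the recommendations to monitor for lateral movement and to review systems for unrecognized accounts can be turned into simple host-centric detection logic. The following is an added example, not code from the advisory or from Industrial Defender; the log format and event lines are constructed, and the binary names other than gaze.exe and rclone are assumptions about how those tools usually appear on disk.

```python
import re

# Constructed sample telemetry (not real logs); one event per line:
# <timestamp>|<host>|<event_type>|<details>
SAMPLE_EVENTS = """\
2025-03-01T08:02:11|WS-014|process_create|image=C:\\Windows\\System32\\notepad.exe user=jdoe
2025-03-01T08:05:43|WS-014|process_create|image=C:\\Tools\\Advanced_IP_Scanner.exe user=jdoe
2025-03-01T08:09:10|SRV-DC1|account_create|account=svc_backup2 created_by=jdoe
2025-03-01T08:20:05|SRV-FS1|process_create|image=C:\\Users\\jdoe\\rclone.exe user=jdoe
2025-03-01T08:41:57|SRV-FS1|process_create|image=C:\\Temp\\gaze.exe user=svc_backup2
2025-03-01T08:42:30|SRV-FS1|file_rename|path=D:\\share\\ledger.xlsx.medusa
2025-03-01T08:43:01|SRV-FS1|process_create|image=C:\\Windows\\PSEXESVC.exe user=svc_backup2
"""

# Each rule: (name, event type it applies to, case-insensitive regex over details).
# Scanner and PsExec file names are assumed; gaze.exe, rclone and .medusa come from the advisory.
RULES = [
    ("network_scanner", "process_create", r"advanced_ip_scanner|netscan"),
    ("rclone_exfil_tool", "process_create", r"[\\/]rclone(\.exe)?\b"),
    ("medusa_encryptor", "process_create", r"[\\/]gaze\.exe\b"),
    ("psexec_lateral", "process_create", r"psexec|psexesvc"),
    ("medusa_extension", "file_rename", r"\.medusa\b"),
    ("new_account", "account_create", r"."),  # every new account is reviewed
]

def detect(event_text):
    """Return one finding dict per (event, rule) match, in event order."""
    findings = []
    for line in event_text.splitlines():
        ts, host, etype, details = line.split("|", 3)
        for name, rule_type, pattern in RULES:
            if etype == rule_type and re.search(pattern, details, re.IGNORECASE):
                findings.append({"time": ts, "host": host, "rule": name, "details": details})
    return findings

def hosts_by_risk(findings):
    """Hosts ordered by the number of distinct rules that fired: several TTPs on one
    host (exfil tool, encryptor, lateral movement) is a stronger signal than one hit."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(((h, sorted(r)) for h, r in per_host.items()),
                  key=lambda hr: (-len(hr[1]), hr[0]))

if __name__ == "__main__":
    for host, rules in hosts_by_risk(detect(SAMPLE_EVENTS)):
        print(f"{host:8} {len(rules)} distinct TTPs: {', '.join(rules)}")
```

In a real deployment the `process_create`, `file_rename` and `account_create` events would come from EDR or Windows event forwarding rather than a string, and the rule list would be tuned to the tooling legitimately used in the environment.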

A platform like the Industrial Defender Platform can be instrumental in bolstering cybersecurity defenses, particularly through its OT asset management capabilities that enhance the understanding of system states. This allows for effective assessment and implementation of necessary controls. It is equipped to monitor for unusual changes that could indicate a breach or malicious activity within the network. This includes the detection of new user accounts, changes in user permissions, anomalous traffic patterns, suspicious login behaviors and more.

This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Learn more here: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a.