
The Growing Threat of Medusa Ransomware Attacks

IMAGE CREDITS: TRIPWIRE

The Medusa ransomware gang has compromised more than 300 organizations across critical infrastructure sectors, including healthcare, manufacturing, and technology.

A joint cybersecurity advisory from CISA, the FBI, and MS-ISAC revealed that Medusa—distinct from MedusaLocker—has been active since 2021. Initially operating as a closed ransomware group, it later adopted an affiliate model while keeping ransom negotiations under the developers’ control.

Medusa actors leverage a double extortion strategy—encrypting data while threatening to leak stolen files if victims refuse to pay. According to the advisory, attackers gain access through initial access brokers on cybercriminal forums. Once inside, they employ various legitimate tools for lateral movement, including:

  • Remote access software: AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, and Splashtop
  • Network scanners: Advanced IP Scanner, SoftPerfect Network Scanner

Using Legitimate Tools to Evade Detection

To avoid detection, Medusa relies on Living-off-the-Land (LotL) techniques and sophisticated PowerShell-based attacks. A key method involves “bring your own vulnerable driver” (BYOVD) attacks, where hackers exploit signed or vulnerable drivers to disable endpoint detection and response (EDR) tools.

Recent research by Symantec’s Threat Hunter team showed a 42% rise in Medusa attacks in 2024, with activity continuing to surge in early 2025. Investigators found that Medusa actors frequently deploy:

  • AVKill and POORTRY to disable security software
  • RClone for data exfiltration
  • PsExec for remote command execution

In a January 2025 attack on a healthcare organization, Medusa used AVKill, POORTRY, and an unidentified driver to bypass defenses. After encrypting files, the ransomware executable self-deleted to cover its tracks.
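As an added illustration that is not part of the advisory or this article, the following script correlates process-creation events against the tool categories listed above (remote access software, network scanners, PsExec, RClone) and flags a host only when several categories appear within a short window, since a single remote-access tool is often legitimate. The executable-name substrings, the two-hour window and the sample events are assumptions constructed for the example.

```python
"""Correlate process-creation events with the tooling named in the Medusa advisory.

Constructed example: each event is (ISO timestamp, host, image path), as an EDR or
Sysmon Event ID 1 export might provide. Executable-name substrings below are
assumptions for illustration, not indicators published in the advisory.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage -> lowercase substrings expected somewhere in the image path (assumed names).
STAGES = {
    "remote_access": ("anydesk", "atera", "screenconnect", "ehorus", "n-able",
                      "pdqdeploy", "pdqinventory", "simplehelp", "splashtop"),
    "network_scan": ("advanced_ip_scanner", "netscan"),
    "remote_exec": ("psexec", "psexesvc"),
    "exfiltration": ("rclone",),
}
WINDOW = timedelta(hours=2)  # assumed correlation window


def classify(image: str):
    """Return the stage an image path maps to, or None if it is not on the list."""
    path = image.lower()
    for stage, needles in STAGES.items():
        if any(n in path for n in needles):
            return stage
    return None


def correlate(events, min_stages: int = 2):
    """Return {host: sorted stages} for hosts where at least min_stages distinct
    stages occur within WINDOW of each other; single-stage hosts are not reported."""
    per_host = defaultdict(list)
    for ts, host, image in events:
        stage = classify(image)
        if stage:
            per_host[host].append((datetime.fromisoformat(ts), stage))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - t0 <= WINDOW}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts


# Constructed sample events: WS01 shows the chain, WS02 and SRV02 show single tools.
SAMPLE_EVENTS = [
    ("2025-01-14T09:02:11", "WS01", r"C:\Users\j.doe\AppData\Local\AnyDesk\AnyDesk.exe"),
    ("2025-01-14T09:15:40", "WS01", r"C:\Tools\netscan.exe"),
    ("2025-01-14T09:48:03", "WS01", r"C:\Windows\Temp\rclone.exe"),
    ("2025-01-14T10:01:55", "SRV02", r"C:\Windows\PSEXESVC.exe"),
    ("2025-01-14T11:30:00", "WS02", r"C:\Program Files\Splashtop\SRServer.exe"),
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```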

Mitigation Strategies Against Medusa Ransomware

CISA, the FBI, and MS-ISAC recommend several security measures to counter Medusa ransomware, including:

  • Disabling command-line and scripting activities to limit LotL techniques
  • Restricting privilege escalation and lateral movement by blocking unauthorized command-line tools
  • Enhancing endpoint protection to detect and prevent BYOVD exploitation

As ransomware threats evolve, organizations must harden defenses against increasingly sophisticated cyberattacks.
