On March 12, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), issued a joint cybersecurity advisory on the growing threat of Medusa ransomware. First detected in June 2021, Medusa operates under a ransomware-as-a-service (RaaS) model, allowing affiliates to deploy the ransomware while developers maintain control over critical operations such as ransom negotiations. As of February 2025, Medusa has impacted over 300 victims, including industries such as medical, education, legal, insurance, technology, and manufacturing.
How Medusa Ransomware Operates
- Initial Access: Medusa actors typically gain initial access by recruiting initial access brokers (IABs) through cybercriminal forums and marketplaces. These affiliates utilize common techniques such as phishing campaigns to steal victim credentials and exploiting unpatched software vulnerabilities, including CVE-2024-1709 (ScreenConnect vulnerability) and CVE-2023-48788 (Fortinet EMS SQL injection vulnerability).
- Discovery: Upon establishing a foothold, Medusa actors employ living off the land (LOTL) techniques and legitimate tools like Advanced IP Scanner and SoftPerfect Network Scanner for initial user, system, and network enumeration. They commonly scan ports and use PowerShell and the Windows Command Prompt for network and filesystem enumeration, and Windows Management Instrumentation (WMI) for querying system information.
- Defense Evasion: To avoid detection, Medusa actors utilize LOTL techniques. They use tools like certutil.exe for file ingress and employ various PowerShell detection evasion techniques. They also attempt to cover their tracks by deleting PowerShell command line history. In some instances, they have used vulnerable or signed drivers to disable or delete endpoint detection and response (EDR) tools.
- Command and Control: Medusa actors use tools such as Ligolo, a reverse tunneling tool, and Cloudflared (formerly known as ArgoTunnel) to create secure connections between compromised hosts and actor-controlled machines, facilitating command and control while evading detection.
Mitigation Strategies
To mitigate risks and prevent Medusa ransomware infections, organizations may consider employing the following recommendations:
- Apply Security Patches & Update Systems
- Regularly update operating systems, software, and firmware to address known vulnerabilities.
- Prioritize patching for critical vulnerabilities, such as those exploited by Medusa actors.
- Implement Robust Access Controls
- Enforce Multi-Factor Authentication (MFA) on all accounts, especially those with administrative privileges.
- Adopt the principle of least privilege, ensuring users have only the access necessary for their roles.
- Segment Network Traffic
- Divide networks into segments to limit lateral movement opportunities for attackers.
- Implement strict access controls between network segments containing sensitive data.
- Strengthen Endpoint Security
- Deploy Endpoint Detection and Response (EDR) solutions to monitor and respond to suspicious activities.
- Utilize application allowlisting to prevent unauthorized applications from executing.
- Enhance Email & Phishing Protections
- Implement email filtering solutions to detect and block phishing attempts.
- Conduct regular training sessions to educate employees on recognizing phishing and social engineering attacks.
- Develop a Comprehensive Backup Strategy
- Maintain regular, offline backups of critical data to ensure recovery in the event of an attack.
- Regularly test backup restoration processes to verify data integrity and minimize downtime during recovery.
Conclusion
Medusa ransomware represents a significant threat to organizations across various sectors. By understanding its tactics and implementing the recommended mitigation strategies, organizations can enhance their cybersecurity posture and reduce the risk of falling victim to such ransomware attacks. The CISA advisory provides a list of IOCs Medusa actors have used for their operations and a list of threat actor tactics and techniques.