Medusa ransomware has emerged as one of the most serious threats of 2025. In the first quarter of 2025 alone, there were more than 2,200 ransomware attacks, more than double last year’s figure for the same period. Medusa is growing rapidly and runs like a model of organized crime. Despite global initiatives intended to disrupt ransomware groups, Medusa keeps expanding by targeting the healthcare, education, manufacturing and technology sectors.
In this blog, we discuss what Medusa ransomware is and how it operates, who it targets, and how to prevent your organization from becoming the next victim.
What is Medusa Ransomware and How Does it Work?
Medusa ransomware is malware that encrypts your data and demands money in exchange for the decryption key. The attackers also steal the data before encrypting it and threaten to publish it unless the ransom is paid. This type of attack is called double extortion.
The Medusa group first appeared in 2021, and initially its operators conducted all attacks themselves. In 2022, the group moved to a ransomware-as-a-service (RaaS) model in which affiliate hackers carry out the intrusions while the core group handles ransom negotiation and collection. Where the core group once ran every attack itself, there is now a large network of affiliates working on behalf of Medusa; the core group simply handles the negotiations and pays the affiliates, so there is more separation between the actors.
Medusa should not be confused with other threats that carry a similar name. It is a separate ransomware strain, not part of a larger family, and it has built its own distinct malware infrastructure.
Medusa Ransomware Gang Phishing Campaigns and Entry Methods
Phishing is the typical method of gaining initial access to a victim’s systems in this type of ransomware attack. Employees receive emails that appear to come from trusted contacts or from internal departments of their own organization.
These emails usually carry a malicious link or attachment; when an employee clicks it, malware is installed on their machine. The group also purchases stolen login credentials from initial access brokers, which let the attackers log in directly to business systems and avoid detection.
Phishing and credential theft are cheap ways to gain entry into company networks, and they are effective.
Medusa Hacking: CVEs and Exploited Vulnerabilities
Medusa also takes advantage of software vulnerabilities that have not yet been patched. In recent campaigns, the group has targeted widely used tools and platforms by exploiting known security flaws in remote access software and network security devices.
By exploiting these vulnerabilities, the attackers traverse internal systems and elevate their access before deploying the ransomware.
Medusa Malware: Tools Used in an Attack
Medusa utilizes a combination of legitimate software and custom malware to stay under the radar. Some key strategies include:
- Living-off-the-land (LOTL): Using built-in system tools such as PowerShell to avoid raising red flags.
- Bring Your Own Vulnerable Driver (BYOVD): Loading known vulnerable drivers to disable antivirus and EDR software.
- AVKill and POORTRY: Custom malware tools built to disable security software.
When Medusa encrypts files, they typically receive a .MEDUSA file extension, and the malware drops ransom notes in files named !!!READ_ME_MEDUSA!!!.txt.
Inside a Medusa Ransomware Attack: How It Unfolds
A common Medusa attack can be delineated in the following steps:
- Initial Access: Credential theft or phishing
- Internal Recon: Mapping internal network and assets to find viable targets
- Lateral Movement: Using other malicious software (possibly even remote access/administration software) to move around the network
- Exfiltration: Copying sensitive files to servers controlled by the attackers
- Encryption: Locking files on networks that typically don’t have suitable backups
- Ransom Note: The Victim receives a demand for payment
- Public Pressure: If the ransom is not paid, the victim is publicly named on the group’s leak site
Medusa increases the pressure further by posting stolen data on its public leak blog and social media channels. Some victims have even reported being contacted directly by the extortionists by phone, SMS or email after they chose to ignore earlier ransom notices.
Medusa’s Ransomware-as-a-Service Operation
Medusa’s core group operates like a corporation. They onboard affiliate hackers that provide access and exploit vulnerabilities. The affiliate hackers will complete the attacks and be paid depending on the amount of ransom that is obtained.
Payments vary from $100 to $1 million, depending on the target. The core group handles ransom communications and negotiates with the victims directly.
In one incident, the victim paid the ransom and was later contacted by a different attacker who claimed that the initial attacker had stolen the payment. For the victim, this amounted to a triple extortion scenario.
How to Detect Medusa Ransomware: IOCs and MITRE Mapping
Indicators of Compromise (IOCs):
- Files renamed with the .MEDUSA extension.
- Ransom note files (!!!READ_ME_MEDUSA!!!.txt) appearing on hosts.
- Unexpected use of remote access tools or PowerShell scripts.
- Outbound connections to suspicious IPs and dark web domains.
Mapped Tactics (MITRE ATT&CK):
- Initial Access: Spear phishing, stolen credentials, CVE exploitation.
- Execution: PowerShell, remote software.
- Persistence: Registry modifications, persistence through scripts.
- Defense Evasion: BYOVD, disabled antivirus.
- Exfiltration: Encrypted transfer to attacker infrastructure.
Security teams should monitor for these behaviors so that an attack is caught as early as possible.
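The two file-based indicators above (the .MEDUSA extension and the !!!READ_ME_MEDUSA!!!.txt note) are simple enough to check with a script. The following added example, written for this article and not code from the Medusa operators or any vendor, walks a directory tree, collects both indicators, and assigns a triage level; the sample directory it builds is constructed for the demo and does not represent a real victim host.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article text.
MEDUSA_EXTENSION = ".MEDUSA"
MEDUSA_NOTE_NAME = "!!!READ_ME_MEDUSA!!!.txt"


def scan_for_medusa_iocs(root):
    """Walk `root` and collect file-based Medusa indicators.

    Returns the encrypted-file paths, ransom-note paths and the
    directories in which at least one of either was found.
    """
    encrypted, notes, hit_dirs = [], [], set()
    for dirpath, _dirnames, filenames in os.walk(Path(root)):
        for name in filenames:
            path = Path(dirpath) / name
            # Compare case-insensitively so a lowercase .medusa is not missed.
            if path.suffix.upper() == MEDUSA_EXTENSION:
                encrypted.append(path)
                hit_dirs.add(Path(dirpath))
            elif name == MEDUSA_NOTE_NAME:
                notes.append(path)
                hit_dirs.add(Path(dirpath))
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "hit_dirs": sorted(hit_dirs)}


def triage(findings):
    """Turn raw findings into a severity label an analyst can act on."""
    if findings["notes"]:
        return "CRITICAL"  # ransom note present: encryption phase has run
    if findings["encrypted"]:
        return "HIGH"      # renamed files but no note yet: encryption may be in progress
    return "CLEAN"


def build_sample_tree():
    """Constructed sample directory for the demo (not a real victim host)."""
    root = Path(tempfile.mkdtemp(prefix="medusa_demo_"))
    (root / "finance").mkdir()
    (root / "hr").mkdir()
    (root / "finance" / "q1_report.xlsx.MEDUSA").write_bytes(b"\x00encrypted")
    (root / "finance" / MEDUSA_NOTE_NAME).write_text("pay or we leak")
    (root / "hr" / "handbook.pdf").write_bytes(b"%PDF-1.4 untouched")
    return root


if __name__ == "__main__":
    result = scan_for_medusa_iocs(build_sample_tree())
    print(triage(result), result)
```

Run it as a scheduled job against file shares; a CRITICAL hit on a single share is an early signal that the encryption stage has started and that isolation and backup checks should begin.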
How to Defend Against Medusa in 2025
You can take several steps to reduce your risk and Medusa’s chances of success:
- Patch vulnerabilities quickly (known exploited CVEs even faster!)
- Use MFA for all user accounts
- Train employees to identify phishing attempts
- Implement EDR tools
- Back up important data frequently, off-site
- Limit admin access using a least privileged approach
- Segment networks to limit lateral movement
- Monitor PowerShell and remote access tools
- Block risky domains and suspicious outbound connections
- Have a ransomware response plan
Employees and security teams need to work together, because the majority of cyber attacks begin with a single mistake; in Medusa’s case, it only takes one click on a phishing email.
Compliance Risks and Legal Impact
A Medusa attack can lead to serious compliance violations. If personal or regulated data is exposed, organizations may face fines under:
- GDPR (EU data protection)
- HIPAA (healthcare records)
- SOX or NIS2 (finance and infrastructure regulations)
Laws require quick breach reporting. Failing to notify regulators or customers on time can add to the financial and legal damage.
Medusa Timeline: How the Threat Has Evolved
- 2021: Medusa appears as a closed operation
- 2022: Expands with affiliate partnerships
- 2023: Launches public leak blog and social channels
- 2024: Attack volume increases by 42%
- 2025: One of the world’s most active ransomware gangs
Conclusion
In 2025, Medusa ransomware emerged as one of the most impactful cybersecurity threats to date. It has cultivated a hybrid of phishing, stolen credentials, malware, and public leak tactics that is both highly effective and devastating.
One of the most harmful aspects of Medusa is its use of public pressure and continued extortion threats that jeopardize its victims’ data and reputations. There are two things to note here: first, this is a wake-up call for chief information security officers (CISOs) to step up their prevention activities; second, it is a strong reminder for employees to think twice before clicking, as a single bad click can lead to a large breach.
Preventing this threat comes down to preparation: patch your systems, educate your team, back up your data, and have a tested response plan in place. The cost of recovering after Medusa gets in will be far higher.
FAQs
This is a ransomware group that encrypts files and threatens to expose them to the public unless the ransom is paid.
No, they are unrelated ransomware strains with no known connection to each other.
They use phishing, compromised credentials, and exploits. Affiliates execute the attacks, while the core group conducts all the negotiations on the back end.
Generally, the healthcare, education, technology, manufacturing, legal, insurance, and government industries.
Patching systems, employee training, data backups, limiting access to data, and using endpoint detection tools.