{
	"id": "9a882918-f705-484e-b63c-1958456d5b58",
	"created_at": "2026-04-06T00:11:24.222077Z",
	"updated_at": "2026-04-10T03:20:22.383155Z",
	"deleted_at": null,
	"sha1_hash": "3748206711f44ce299129a6350830d52494afc67",
	"title": "Medusa Ransomware Turning Your Files into Stone",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5298628,
	"plain_text": "Medusa Ransomware Turning Your Files into Stone\r\nBy Anthony Galiette, Doel Santos\r\nPublished: 2024-01-11 · Archived: 2026-04-05 20:17:23 UTC\r\nExecutive Summary\r\nUnit 42 Threat Intelligence analysts have noticed an escalation in Medusa ransomware activities and a shift in\r\ntactics toward extortion, characterized by the introduction in early 2023 of their dedicated leak site called the\r\nMedusa Blog. Medusa threat actors use this site to disclose sensitive data from victims unwilling to comply with\r\ntheir ransom demands.\r\nAs part of their multi-extortion strategy, this group will provide victims with multiple options when their data is\r\nposted on their leak site, such as time extension, data deletion or download of all the data. All of these options\r\nhave a price tag depending on the organization impacted by this group.\r\nBesides their strategy of using an onion site for extortion, Medusa threat actors also leverage a public Telegram\r\nchannel named “information support,” where files of compromised organizations have been shared publicly and\r\nare more accessible than traditional onion sites.\r\nThe Unit 42 Incident Response team has also responded to a Medusa ransomware incident, which has allowed us\r\nto uncover interesting tactics, tools and procedures used by Medusa threat actors.\r\nPalo Alto Networks customers are better protected against ransomware used by the Medusa ransomware group\r\nthrough Cortex XDR, as well as from the WildFire Cloud-Delivered Security Services for the Next-Generation\r\nFirewall. In particular, the Cortex XDR agent included out-of-the-box protections that prevented adverse behavior\r\nfrom Medusa ransomware samples we tested without the need for specific detection logic or signatures. Prisma\r\nCloud Defender Agents can monitor Windows virtual machine instances for known Medusa malware. 
Cortex\r\nXpanse can be used to detect vulnerable services exposed directly to the internet that may be exploitable and\r\ninfected with Medusa or other ransomware.\r\nThe Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive\r\nassessment to lower your risk.\r\nMedusa Ransomware as a Service Overview\r\nMedusa surfaced as a ransomware-as-a-service (RaaS) platform in late 2022 and gained notoriety in early 2023,\r\nprimarily targeting Windows environments. Medusa should not be confused with a similarly named RaaS,\r\nMedusaLocker, which has been available since 2019. Our analysis focuses solely on the Medusa ransomware,\r\npublicly known since 2023, which is impacting organizations' Windows environments.\r\nThe Medusa ransomware group predominantly propagates its ransomware through the exploitation of vulnerable\r\nservices (e.g., public-facing assets or applications with known unpatched vulnerabilities) and hijacking of\r\nhttps://unit42.paloaltonetworks.com/medusa-ransomware-escalation-new-leak-site/\r\nPage 1 of 27\n\nlegitimate accounts, often utilizing initial access brokers for infiltration. We will delve into the initial access\r\nstrategies and more complex techniques they employ later in this article. We also observed that Medusa\r\nransomware implements living-off-the-land techniques by using legitimate software for malicious purposes, which\r\ncan often blend in with regular traffic and behavior, making it harder to flag such activities.\r\nWe have noticed a marked escalation in its activities, characterized by the introduction of the new Medusa Blog\r\naccessible through TOR on an .onion site released in early 2023. A screenshot of the Medusa Blog is shown below\r\nin Figure 1. This platform is used by the perpetrators to disclose sensitive data of victims unwilling to accede to\r\ntheir ransom demands.\r\nFigure 1. 
Medusa Blog dedicated leak site.\r\nAs a multi-extortion operation, the Medusa ransomware operator’s announcements include the following points of\r\ninformation to pressure victims into paying the ransom:\r\nPrice tag: The amount displayed is what the affected organizations need to pay the group for them to delete\r\nthe data from the site. (Unit 42 has observed Medusa being willing to negotiate with victims, like many\r\nransomware groups. Any payments actually made may not directly match the pricing shown on the site.)\r\nCountdown: The amount of time the impacted organizations have before the stolen data is released publicly\r\nand available to download.\r\nNumber of visitors: The number of post visitors, used in the negotiation strategy to pressure victims into\r\npaying.\r\nVictim name and description: Identifiable information for the compromised organization.\r\nThe group's posts also typically revealed evidence of compromise. They also offered various “choices” – arbitrary\r\nand at the whim of Medusa – to the affected organization aside from paying the primary ransom, as shown in\r\nFigure 2. These choices include the following:\r\nA standard fee of $10,000 for a time extension to prevent data from being published on the site\r\nA request for data deletion\r\nA download option\r\nThe price for the latter two services can differ from one organization to another.\r\nFigure 2. Post on the Medusa Blog to a victim.\r\nA recent post on the Medusa Blog shared a video that showed files of a compromised organization. This video\r\nfeatures a title caption of “Medusa Media Team,” which we suspect is the branch of this group that handles their\r\npublic brand (shown in Figure 3). We haven’t seen videos of victims’ files with each post on their site, so we are\r\nstill unclear if this is going to be a trend. 
However, ransomware groups like Medusa aim to build a brand and\r\nreputation, and creating such videos helps to reinforce their image as a formidable threat and enhance their\r\ncredibility.\r\nFigure 3. Screenshot of Medusa Media Team video.\r\nThis group does not just host a specialized leak site and videos for extortion purposes. They have also integrated\r\nlinks to Telegram and X (previously known as Twitter) on the Medusa Blog site. The Telegram channel used by\r\nMedusa is titled \"information support,\" and it is used to publicize and release data exfiltrated by the group. On the\r\nother hand, the link to X simply leads to a search result page for \"Medusa ransomware.\"\r\nThe Telegram channel was created in July 2021, and it contains some content from before the emergence of this\r\ngroup that relies on known public breaches. Unexpectedly, the channel is not Medusa ransomware-branded. Still,\r\nwe observed posts in this channel leaking content related to Medusa's compromises and even claims of meeting\r\nwith representatives of this threat group. An example of this communication is shown below in Figure 4.\r\nFigure 4. Information support admin message.\r\nOn Feb. 20, 2023, the Telegram channel announced the release of the official Medusa leak site (or as the admin\r\nsays, “a new blog of a hacker jellyfish group”). This announcement came with an image featuring the same\r\nbranding as the official Medusa leak site, shown in Figure 5.\r\nFigure 5. Information support admin message announcing Medusa Blog site.\r\nIt’s unclear at the time of writing this article if the owner of this channel is part of the ransomware operation per\r\nse. 
We do know that the platform is being leveraged to announce compromises and release exfiltrated information.\r\nMedusa's Prey: Understanding Victimology\r\nFor our analysis, we have been focusing on Medusa ransomware samples observed in 2023.\r\nBased on their leak site, Medusa ransomware possibly impacted 74 organizations worldwide in 2023. The sectors\r\nmost affected include high technology, education and manufacturing. However, the diverse range of impacted\r\nsectors highlights this group’s opportunistic nature, which is characteristic of many ransomware operations.\r\nMedusa ransomware does not restrict itself to a single industry. Figure 6 highlights the far-ranging impact of their\r\nattacks.\r\nFigure 6. Industries impacted by Medusa ransomware, based on the leak site.\r\nMedusa ransomware attacks exhibit a substantial international footprint. However, the group’s effects are most\r\npronounced in the United States, where 24 incidents occurred as of the time of writing. A substantial number of\r\ntargeted organizations were based in Europe. The presence of isolated incidents across Africa, South America and\r\nAsia underscores the indiscriminate approach of this ransomware group. Attacks span a global scale even in\r\nregions with fewer reported cases. Figure 7 underlines this point.\r\nFigure 7. Countries where impacted organizations were located, based on the leak site.\r\nMedusa's Toolkit: Unraveling the Mythical Trade\r\nThis section uncovers some of the tools and techniques used by Medusa ransomware actors that we discovered\r\nduring an incident response event. 
The pre-ransomware techniques provide interesting clues to common themes\r\nacross ransomware groups as well as more unique developments in tradecraft by the Medusa ransomware\r\noperators.\r\nInitial Access\r\nUnit 42 researchers observed Medusa ransomware operators uploading a webshell to an exploited Microsoft\r\nExchange Server. This webshell functionality overlaps with the ASPX files previously reported for login.aspx and\r\ncmd.aspx. An example of cmd.aspx is shown below in Figure 8.\r\nFigure 8. Example of the Cmd.aspx webshell.\r\nFollowing the webshell activity, threat actors used PowerShell to execute a bitsadmin transfer from a file hosting\r\nsite called filemail[.]com. The file downloaded from this site was ZIP compressed and titled baby.zip. Upon\r\ndecompressing and executing, it installed remote monitoring and management (RMM) software ConnectWise.\r\nDefense Evasion\r\nUnit 42 researchers observed Medusa ransomware operators dropping two kernel drivers for targeting different\r\nsets of security products. Each kernel driver was guarded using a software protector called Safengine Shielden.\r\nThe Safengine Shielden protector used on the drivers obfuscates the code flow by randomizing the code through\r\nvarious code mutations and then leverages an embedded virtual machine interpreter to execute the code.\r\nUnit 42 observed each driver paired with its own loader. Each loader was packed using a packer called ASM\r\nGuard.\r\nThe packed loaders use a fake UPX header and subsequent address next to the fake UPX bytes, as shown in\r\nFigure 9. In the resource section, there are numerous references to ASM Guard as well as fake WINAPI imports\r\namong other various junk paddings, as shown in Figure 10.\r\nFigure 9. 
Header of the driver loader is packed with ASM Guard.\r\nFigure 10. The resource section of the driver loader is packed with ASM Guard.\r\nFigure 11 shows what the driver entry point looks like after it has been protected with Safengine Shielden.\r\nFigure 11. Static view of driver protected with Safengine Shielden.\r\nThe primary objective of both drivers is to contain a list of security endpoint products to target for termination or\r\ndeletion. The hard-coded list of security product string names shown in Figure 12 is used in a comparison\r\noperation against actively running processes on a system.\r\nFigure 12. First driver targeting list of security processes for termination.\r\nIf the system has a process name that matches the hard-coded security tool process name, then an undocumented\r\nIOCTL code is used (0x222094) for termination of the process as shown in Figure 13. The primary difference\r\nbetween the two drivers is the use of file paths and the IOCTL (0x222184), which will delete the file based on the\r\nfile path provided.\r\nFigure 13. Second driver targeting file paths and list of processes.\r\nDiscovery and Reconnaissance\r\nUnit 42 researchers observed Medusa ransomware actors using the portable version of Netscan – with a novel\r\ntwist. An associated netscan.xml file was paired with software that bolstered the overall functionality out of the\r\nbox. 
This included various types of remote service discovery and preconfigured mappings for actions such as\r\nPsExec as well as the deployment of the ransomware binary.\r\nMany options are available from the custom configuration related to the following:\r\nWMI\r\nRegistry\r\nServices\r\nFiles\r\nSNMP\r\nAccount groups\r\nXML\r\nSSH\r\nPowerShell\r\nThe remote scripting features extend the tool’s capabilities with VBScript and JScript.\r\nThe remote scripts that are included use Cyrillic script (shown in Figure 14). They are translated into English\r\n(shown in Figure 15). This provides a clue to the preferred language of the creator and users of the configuration,\r\nand possibly of the background of the Medusa ransomware group using these features.\r\nFigure 14. Remote scripting feature in original Cyrillic.\r\nFigure 15. Remote scripting feature translated to English.\r\nFigure 16 shows an example of the codebase for the list of files script and the contents related to what the files\r\nenumerated under the Windows directory return.\r\nFigure 16. Example for list of script files.\r\nFigure 17 shows the codebase for the login time script related to specific login types found and the fields it\r\nreturns.\r\nFigure 17. Example for login time script.\r\nUpon finishing a network scan, the operator of the tool can then right-click on a device listed in the results and\r\nwill have many custom point-and-click options available on a remote system as shown below in Figure 18. 
The\r\noptions in the menu shown in Figure 18 that end with Gaze show a naming convention used by Medusa\r\nransomware related to the ransomware binary, and give insight into a technique for deploying Medusa\r\nransomware.\r\nCopy_Gaze (Ctrl+G)\r\nDeploy Gaze (Ctrl+T)\r\nCopy_Run_Gaze (Ctrl+W)\r\nFigure 18. Medusa ransomware configuration.\r\nIn-Depth Look Into Medusa's Gaze\r\nUnit 42 observed a common theme in Medusa’s ransomware binary that aligns with the mythology of Medusa\r\nherself: the use and inclusion of the term gaze in the debug path in PEStudio, as shown in Figure 19. This theme\r\ncontinued with the name of the binary and the naming scheme used in the netscan.xml configuration file\r\n(mentioned previously). We will refer to the ransomware binary as Gaze in the next section.\r\nFigure 19. PDB string in Gaze binary.\r\nThe Windows variant of Medusa ransomware can be run with 11 possible arguments, as shown below in Table 1.\r\nArgument Purpose\r\nV Check the version of the ransomware binary\r\nn Use network drive (uses a byte flag)\r\ns Exclude system drive (uses a byte flag)\r\nd Do not delete itself\r\nf Exclude system folder\r\np Do not use preprocess (uses a byte flag)\r\nk Load RSA public key from file\r\nt Load ransom note from file\r\nw PowerShell -execution policy bypass -File %s\r\nv Show console window\r\ni Encrypt a specific folder\r\nTable 1. Medusa ransomware parameters.\r\nWhen running a Windows executable sample from November 2023 with the -V argument, the sample identifies as\r\nversion 1.20 as shown below in Figure 20. 
This versioning system shows that the ransomware has some sort of\r\ndevelopment cycle, as one of the earliest public sightings of the ransomware binary was uploaded in February\r\n2023 and is version 1.10. It is observed within SHA-256\r\n736de79e0a2d08156bae608b2a3e63336829d59d38d61907642149a566ebd270.\r\nFigure 20. Ransomware sample version.\r\nThe Medusa ransomware binary employs string encryption for the following functions:\r\nTargeted services\r\nTargeted processes\r\nFile extension allowlist\r\nFolder path allowlist\r\nFigure 21 shows one code block example of the many string decryption code blocks within the binary, all of which\r\nhave a similar control flow. Each string decryption code block has two functions. The first function moves the\r\nencrypted string into memory shown as u42_push_string_medusa in Figure 21. The second function is named\r\nu42_string_decrypt_7characters and uses an XOR encryption method with the key of 0x2E (also Figure 21).\r\nFigure 21. String decryption function in the Gaze.exe ransomware sample.\r\nIn Figure 22, the hex representation for the string is moved and allocated on the function's stack frame, and then\r\nthe hex string is moved into a section of memory and retrieved with a dereferenced pointer.\r\nFigure 22. Decompiled view of moving encrypted hex string 0x2E6F7D7B6A6B6300.\r\nWhen the function u42_push_string_medusa is done and returns a pointer to the string, it will initially be located\r\nin EAX as shown in Figure 21. EAX will be moved into ESI and then the contents of ESI will be moved into\r\nECX. 
The register ECX is the parameter passed to the function u42_string_decrypt_7characters, which contains the\r\nencrypted string pointer.\r\nThe pointer to the string contents is used as an array to access each character in the string. XOR decrypts it with\r\nthe key of 0x2E as shown in Figure 23.\r\nFigure 23. Decompiled view of string decryption function used on 0x2E6F7D7B6A6B6300.\r\nValidation of the string decryption method can be seen as shown in Figure 24 with a CyberChef recipe.\r\nFigure 24. Verification of string decryption using CyberChef.\r\nMedusa ransomware uses RSA asymmetric encryption for protecting the AES256 key used for encrypting a\r\nvictim’s files. The AES256 key is set up using a 32-byte key and a 16-byte initialization vector. The encrypted\r\nfiles are renamed with the extension .medusa.\r\nDuring file enumeration and encryption, the sample avoids files with the following extensions:\r\n.dll\r\n.exe\r\n.lnk\r\n.medusa\r\nThe list of folder paths to skip is as follows:\r\n\\Windows\\\r\n\\Windows.old\\\r\n\\PerfLogs\\\r\n\\MSOCache\\\r\nG_skp_dir\r\nProgram Files\r\nProgram Files (x86)\r\nProgramData\r\nThe ransom note is dropped as !!read_me_medusa!!.txt and its contents are shown in Figure 25.\r\nFigure 25. 
Medusa ransomware ransom note.\r\nThe ransomware will perform various vssadmin-related operations, and it deletes itself with the following\r\ncommands to impact recovery and forensic efforts:\r\nvssadmin Delete Shadows /all /quiet\r\nvssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB\r\nvssadmin resize shadowstorage /for=C: /on=C: /maxsize=unbounded\r\ncmd /c ping localhost -n 3 \u003e nul \u0026 del\r\nConclusion\r\nThe emergence of the Medusa ransomware in late 2022 and its notoriety in 2023 marks a significant development\r\nin the ransomware landscape. This operation showcases complex propagation methods, leveraging both system\r\nvulnerabilities and initial access brokers, while adeptly avoiding detection through living-off-the-land techniques.\r\nThe Medusa Blog signifies a tactical evolution toward multi-extortion, with the group employing transparent\r\npressure tactics on victims through ransom demands publicized online. With 74 organizations across a spectrum of\r\nindustries affected to date, Medusa's indiscriminate targeting emphasizes the universal threat posed by such\r\nransomware actors.\r\nTechnical analysis by Unit 42 researchers reveals the nuanced exploitation strategies employed by the Medusa\r\nransomware group, from webshell placement on compromised servers to the deployment of encrypted kernel\r\ndrivers. This culminates in a novel application of netscan tools and Medusa’s gaze leading to file encryption using\r\nthe ominous .medusa file extension. 
As such, Medusa ransomware stands as a significant threat to organizations,\r\ndemanding a more proactive and strong defensive strategy.\r\nProtections and Mitigations\r\nPalo Alto Networks customers are better protected from the threats discussed above through the following\r\nproducts:\r\nAdvanced WildFire: The Advanced WildFire machine-learning models and analysis techniques have been\r\nreviewed and updated in light of the IoCs shared in this research.\r\nCortex XDR: All known Medusa ransomware samples are prevented by the XDR agent out of the box\r\nusing the following modules:\r\nAnti-ransomware module to prevent Medusa encryption behaviors on Windows\r\nLocal Analysis prevention for Medusa binaries on Windows\r\nBehavioral Threat Protection (BTP) rule helps prevent ransomware activity on Windows as well as\r\nLinux\r\nAdditional protection can be added using indicators for Medusa\r\nNext-Generation Firewalls (NGFW):\r\nDNS signatures detect the known command and control (C2) domains, which are also categorized\r\nas malware in URL Filtering.\r\nNext-Generation Firewall with the Advanced Threat Prevention security subscription can help block\r\nthe Webshell file traffic with best practices via the following Threat Prevention signatures: 80744,\r\n86828.\r\nPrisma Cloud:\r\nWhile there is currently no known cloud infrastructure being affected by Medusa ransomware, any\r\ncloud infrastructure running Windows virtual machines should monitor their Windows-based VMs\r\nusing Cortex XDR Cloud Agents or Prisma Cloud Defender Agents. 
Both agents will monitor the\r\nWindows VM instances for known Medusa malware, using signatures pulled from Palo Alto\r\nNetworks WildFire.\r\nCortex Xpanse:\r\nCortex Xpanse can be used to detect vulnerable services exposed directly to the internet that may be\r\nexploitable and infected with Medusa ransomware.\r\nIf you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nHashes\r\n4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6 Medusa Ransomware\r\n657c0cce98d6e73e53b4001eeea51ed91fdcf3d47a18712b6ba9c66d59677980 Medusa Ransomware\r\n7d68da8aa78929bb467682ddb080e750ed07cd21b1ee7a9f38cf2810eeb9cb95 Medusa Ransomware\r\n9144a60ac86d4c91f7553768d9bef848acd3bd9fe3e599b7ea2024a8a3115669 Medusa Ransomware\r\n736de79e0a2d08156bae608b2a3e63336829d59d38d61907642149a566ebd270 Medusa Ransomware\r\nInfrastructure\r\nMedusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd[.]onion\r\nmedusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd[.]onion\r\nAppendix\r\nServices stopped by Medusa ransomware\r\nnet stop \"Acronis VSS Provider\"\r\nnet stop \"Sophos Agent\"\r\nnet stop \"Sophos Clean Service\"\r\nnet stop \"Sophos Health Service\"\r\nnet stop \"Sophos MCS Agent\"\r\nnet stop \"Sophos MCS Client\"\r\nnet stop \"Sophos Message Router\"\r\nnet stop \"AcronisAgent\"\r\nnet stop \"AcrSch2Svc\"\r\nnet stop \"Antivirus\"\r\nnet stop 
\"ARSM\"\r\nnet stop \"BackupExecJobEngine\"\r\nnet stop \"BackupExecRPCService\"\r\nnet stop \"BackupExecVSSProvider\"\r\nnet stop \"bedbg\"\r\nnet stop \"DCAgent\"\r\nnet stop \"EPSecurityService\"\r\nnet stop \"EPUpdateService\"\r\nnet stop \"EraserSvc11710\"\r\nnet stop \"EsgShKernel\"\r\nnet stop \"FA_Scheduler\"\r\nnet stop \"IISAdmin\"\r\nnet stop \"IMAP4Svc\"\r\nnet stop \"macmnsvc\"\r\nnet stop \"masvc\"\r\nnet stop \"MBAMService\"\r\nnet stop \"MBEndpointAgent\"\r\nnet stop \"McAfeeEngineService\"\r\nnet stop \"McAfeeFramework\"\r\nnet stop \"McShield\"\r\nnet stop \"McTaskManager\"\r\nnet stop \"mfemms\"\r\nnet stop \"mfevtp\"\r\nnet stop \"MMS\"\r\nnet stop \"mozyprobackup\"\r\nnet stop \"MsDtsServer\"\r\nnet stop \"MsDtsServer100\"\r\nnet stop \"MsDtsServer110\"\r\nnet stop \"MSExchangeES\"\r\nnet stop \"MSExchangeIS\"\r\nnet stop \"MSExchangeMGMT\"\r\nnet stop \"MSExchangeMTA\"\r\nnet stop \"MSExchangeSA\"\r\nnet stop \"MSExchangeSRS\"\r\nnet stop \"MSOLAP$SQL_2008\"\r\nnet stop \"MSOLAP$SYSTEM_BGC\"\r\nnet stop \"MSOLAP$TPS\"\r\nnet stop \"MSOLAP$TPSAMA\"\r\nnet stop \"MSSQL$BKUPEXEC\"\r\nnet stop \"MSSQL$ECWDB2\"\r\nnet stop \"MSSQL$PRACTICEMGT\"\r\nnet stop \"MSSQL$PRACTTICEBGC\"\r\nnet stop \"MSSQL$PROFXENGAGEMENT\"\r\nnet stop \"MSSQL$SBSMONITORING\"\r\nnet stop \"MSSQL$SHAREPOINT\"\r\nnet stop \"MSSQL$SQL_2008\"\r\nnet stop \"MSSQL$SYSTEM_BGC\"\r\nnet stop \"MSSQL$TPS\"\r\nnet stop \"MSSQL$TPSAMA\"\r\nnet stop \"MSSQL$VEEAMSQL2008R2\"\r\nnet stop \"MSSQL$VEEAMSQL2012\"\r\nnet stop \"MSSQLFDLauncher\"\r\nnet stop \"MSSQLFDLauncher$TPS\"\r\nnet stop \"MSSQLSERVER\"\r\nnet stop \"MySQL80\"\r\nnet stop \"MySQL57\"\r\nnet stop \"ntrtscan\"\r\nnet stop \"OracleClientCache80\"\r\nnet stop \"PDVFSService\"\r\nnet stop \"POP3Svc\"\r\nnet stop 
\"ReportServer\"\r\nnet stop \"ReportServer$SQL_2008\"\r\nnet stop \"ReportServer$TPS\"\r\nnet stop \"ReportServer$TPSAMA\"\r\nnet stop \"RESvc\"\r\nnet stop \"sacsvr\"\r\nnet stop \"SamSs\"\r\nnet stop \"SAVAdminService\"\r\nnet stop \"SAVService\"\r\nnet stop \"SDRSVC\"\r\nnet stop \"SepMasterService\"\r\nnet stop \"ShMonitor\"\r\nnet stop \"Smcinst\"\r\nnet stop \"SmcService\"\r\nnet stop \"SMTPSvc\"\r\nnet stop \"SNAC\"\r\nnet stop \"SntpService\"\r\nnet stop \"sophossps\"\r\nnet stop \"SQLAgent$BKUPEXEC\"\r\nnet stop \"SQLAgent$ECWDB2\"\r\nnet stop \"SQLAgent$PRACTTICEBGC\"\r\nnet stop \"SQLAgent$PRACTTICEMGT\"\r\nnet stop \"SQLAgent$SHAREPOINT\"\r\nnet stop \"SQLAgent$SQL_2008\"\r\nnet stop \"SQLAgent$SYSTEM_BGC\"\r\nnet stop \"SQLAgent$TPS\"\r\nnet stop \"SQLAgent$TPSAMA\"\r\nnet stop \"SQLAgent$VEEAMSQL2012\"\r\nnet stop \"SQLBrowser\"\r\nnet stop \"SQLSafeOLRService\"\r\nnet stop \"SQLSERVERAGENT\"\r\nnet stop \"SQLTELEMETRY\"\r\nnet stop \"SQLTELEMETRY$ECWDB2\"\r\nnet stop \"SQLWriter\"\r\nnet stop \"SstpSvc\"\r\nnet stop \"svcGenericHost\"\r\nnet stop \"swi_filter\"\r\nnet stop \"swi_service\"\r\nnet stop \"swi_update_64\"\r\nnet stop \"TmCCSF\"\r\nnet stop \"tmlisten\"\r\nnet stop \"TrueKey\"\r\nnet stop \"TrueKeyScheduler\"\r\nnet stop \"TrueKeyServiceHelper\"\r\nnet stop \"UI0Detect\"\r\nnet stop \"VeeamBackupSvc\"\r\nnet stop \"VeeamBrokerSvc\"\r\nnet stop \"VeeamCatalogSvc\"\r\nnet stop \"VeeamCloudSvc\"\r\nnet stop \"VeeamDeploySvc\"\r\nnet stop \"VeeamMountSvc\"\r\nnet stop \"VeeamNFSSvc\"\r\nnet stop \"VeeamRESTSvc\"\r\nnet stop \"VeeamTransportSvc\"\r\nnet stop \"W3Svc\"\r\nnet stop \"wbengine\"\r\nnet stop \"WRSVC\"\r\nnet stop \"VeeamHvIntegrationSvc\"\r\nnet stop \"swi_update\"\r\nnet stop \"SQLAgent$CXDB\"\r\nnet stop \"SQL Backups\"\r\nnet stop \"MSSQL$PROD\"\r\nnet stop \"Zoolz 2 Service\"\r\nnet stop \"MSSQLServerADHelper\"\r\nnet stop 
\"SQLAgent$PROD\"\r\nnet stop \"msftesql$PROD\"\r\nnet stop \"NetMsmqActivator\"\r\nnet stop \"EhttpSrv\"\r\nnet stop \"ekrn\"\r\nnet stop \"ESHASRV\"\r\nnet stop \"MSSQL$SOPHOS\"\r\nnet stop \"SQLAgent$SOPHOS\"\r\nnet stop \"AVP\"\r\nnet stop \"klnagent\"\r\nnet stop \"MSSQL$SQLEXPRESS\"\r\nnet stop \"SQLAgent$SQLEXPRESS\"\r\nnet stop \"kavfsslp\"\r\nnet stop \"KAVFSGT\"\r\nnet stop \"KAVFS\"\r\nnet stop \"mfefire\"\r\nProcesses:\r\ntaskkill /F /IM zoolz.exe /T\r\ntaskkill /F /IM agntsvc.exe /T\r\ntaskkill /F /IM dbeng50.exe /T\r\ntaskkill /F /IM dbsnmp.exe /T\r\ntaskkill /F /IM encsvc.exe /T\r\ntaskkill /F /IM excel.exe /T\r\ntaskkill /F /IM firefoxconfig.exe /T\r\ntaskkill /F /IM infopath.exe /T\r\ntaskkill /F /IM isqlplussvc.exe /T\r\ntaskkill /F /IM msaccess.exe /T\r\ntaskkill /F /IM msftesql.exe /T\r\ntaskkill /F /IM mspub.exe /T\r\ntaskkill /F /IM mydesktopqos.exe /T\r\ntaskkill /F /IM mydesktopservice.exe /T\r\ntaskkill /F /IM mysqld.exe /T\r\ntaskkill /F /IM mysqld-nt.exe /T\r\ntaskkill /F /IM mysqld-opt.exe /T\r\ntaskkill /F /IM ocautoupds.exe /T\r\ntaskkill /F /IM ocomm.exe /T\r\ntaskkill /F /IM ocssd.exe /T\r\ntaskkill /F /IM onenote.exe /T\r\ntaskkill /F /IM oracle.exe /T\r\ntaskkill /F /IM outlook.exe /T\r\ntaskkill /F /IM powerpnt.exe /T\r\ntaskkill /F /IM sqbcoreservice.exe /T\r\ntaskkill /F /IM sqlagent.exe /T\r\ntaskkill /F /IM sqlbrowser.exe /T\r\ntaskkill /F /IM sqlservr.exe /T\r\ntaskkill /F /IM sqlwriter.exe /T\r\ntaskkill /F /IM steam.exe /T\r\ntaskkill /F /IM synctime.exe /T\r\ntaskkill /F /IM tbirdconfig.exe /T\r\ntaskkill /F /IM thebat.exe /T\r\ntaskkill /F /IM thebat64.exe /T\r\ntaskkill /F /IM thunderbird.exe /T\r\ntaskkill /F /IM visio.exe /T\r\ntaskkill /F /IM winword.exe /T\r\ntaskkill /F /IM wordpad.exe /T\r\ntaskkill /F /IM 
xfssvccon.exe /T\r\ntaskkill /F /IM tmlisten.exe /T\r\ntaskkill /F /IM PccNTMon.exe /T\r\ntaskkill /F /IM CNTAoSMgr.exe /T\r\ntaskkill /F /IM Ntrtscan.exe /T\r\ntaskkill /F /IM mbamtray.exe /T\r\nAdditional Resources\r\nMedusa ransomware gang picks up steam as it targets companies worldwide – Bleeping Computer\r\nToyota confirms breach after Medusa ransomware threatens to leak data – Bleeping Computer\r\nA Deep Dive Into Medusa Ransomware – Whitepaper, SecurityScorecard\r\nSource: https://unit42.paloaltonetworks.com/medusa-ransomware-escalation-new-leak-site/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/medusa-ransomware-escalation-new-leak-site/"
	],
	"report_names": [
		"medusa-ransomware-escalation-new-leak-site"
	],
	"threat_actors": [],
	"ts_created_at": 1775434284,
	"ts_updated_at": 1775791222,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3748206711f44ce299129a6350830d52494afc67.pdf",
		"text": "https://archive.orkl.eu/3748206711f44ce299129a6350830d52494afc67.txt",
		"img": "https://archive.orkl.eu/3748206711f44ce299129a6350830d52494afc67.jpg"
	}
}