{
	"id": "e386ff17-891c-40e8-b9ea-dec53059a8d6",
	"created_at": "2026-04-06T00:12:16.098347Z",
	"updated_at": "2026-04-10T13:12:47.207725Z",
	"deleted_at": null,
	"sha1_hash": "3a0f3f73911642c942c2c2037a9bcbed34f46b29",
	"title": "Threat hunting case study: Medusa ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 853044,
	"plain_text": "Threat hunting case study: Medusa ransomware\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 13:03:21 UTC\r\nThe Medusa ransomware-as-a-service (RaaS) group appeared in 2021 and is one of the most active RaaS\r\nprograms. The group and its affiliates use the Medusa ransomware strain during attacks, encrypting infected files\r\nwith the .medusa extension and deploying a ransom note on the victim’s hosts. The group mostly targets small and\r\nmedium-sized entities with revenues ranging from US $5 million to US $50 million. The group practices double\r\nextortion, where sensitive data is first discreetly extracted from systems that have been compromised. If an\r\norganization doesn’t pay a ransom for the decryption key, Medusa threatens to release data on its data leak blog,\r\nwhich it launched in 2023.\r\nThe group has appeared to benefit from law enforcement actions against other top ransomware operations. Its\r\nattacks rose significantly in March 2024 at about the same time the ALPHV aka BlackCat RaaS terminated its\r\noperations following law enforcement disruption and the disruption of the LockBit RaaS. The increased law\r\nenforcement scrutiny likely forced many affiliates to shift to other RaaS programs, and Medusa’s lucrative offers\r\npossibly attracted them. Just prior to the rise in the number of new victims, Medusa announced an intake of new\r\naffiliates and offered higher shares of ransoms ranging from 70% to 90%, 24/7 support and the availability of\r\nseveral support “teams” within the group to aid in facilitating attacks. \r\nThe RaaS has attracted multiple experienced actors in the past and still cooperates with reputable, capable threat\r\nactors, making it a significant threat. According to an advisory from the U.S. Cybersecurity and Infrastructure\r\nSecurity Agency (CISA), Medusa has likely impacted more than 300 organizations as of February 2025. 
Since the\r\nbeginning of this year through May 11, 2025, Intel 471 has recorded 90 entities that have purportedly been\r\ninfected by Medusa or its affiliates, putting the group in the top 10 most active for 2025.\r\nThe program is led by a threat actor going by the monikers MDS and boss who assigns strict roles to each\r\nmember of the group. The group partners with initial access broker (IAB) affiliates who provide access to pools of\r\npotential victims. CISA says IAB affiliates can receive payments of US $100 to US $1 million to work exclusively\r\nfor Medusa. These IABs gain access to organizations by executing phishing campaigns aimed at collecting login\r\ncredentials and exploiting unpatched software vulnerabilities. The group mainly focuses on compromising\r\nWindows-based hosts but also uses strains to target VMware ESXi hypervisors and Linux-based hosts. Once\r\ninside a network, its tactics, techniques and procedures (TTPs) often rely on using living-off-the-land (LOTL)\r\ntechniques and native Windows tools including PowerShell and Windows Management Instrumentation (WMI).\r\nOne of Medusa’s documented TTPs involves bypassing user account control (UAC), which is a security feature\r\nthat’s aimed at preventing malware from running with administrator privileges on Windows machines. Windows\r\nusers typically sign in with a standard user account. If an action requires administrative or elevated privileges,\r\nUAC will prompt the user for consent. These privileges are also called integrity levels. For example, an\r\napplication with a high integrity level might be able to modify system data, while lower integrity ones would be\r\nforbidden. If a UAC prompt is approved, the action will run with the highest available privilege. 
https://www.intel471.com/blog/threat-hunting-case-study-medusa-ransomware\r\nPage 1 of 5\n\nDespite addressing a security concern, Microsoft doesn’t consider UAC a security boundary, and attackers have refined\r\nvarious ways of skirting it.\r\nOne of the methods Medusa uses to bypass UAC is via the Component Object Model (COM), an interoperability\r\nstandard created in the 1990s. COM objects are reusable mini-programs that other applications can call on to\r\nperform functions such as opening a file, communicating with the registry or managing settings. COM objects\r\nhave been targeted by malicious actors for a number of years, and research published by Mandiant in June 2019\r\ndescribes how COM objects can be used by attackers. MITRE’s ATT\u0026CK knowledge base covers abuse of COM\r\ninterfaces as a sub-technique under UAC bypass methods.\r\nIntel 471’s HUNTER platform contains a threat hunting package called “UAC Bypass Attempt Via Elevated COM\r\nAbuse” to hunt for potential COM object abuse. This content is designed to detect UAC bypass attempts abusing\r\ncommon COM interfaces within the registry key HKLM\\Software\\Microsoft\\Windows\r\nNT\\CurrentVersion\\UAC\\COMAutoApprovalList. These COM objects are designed to start at a higher integrity\r\nlevel and can be manipulated to open another process at the same higher level. This specific style of COM\r\nmanipulation is used not only by Medusa, but also by other ransomware groups including BlackMatter, LockBit\r\n3.0, SubZero and Trigona. This threat hunt content is available for free upon registration of an account in\r\nHUNTER’s Community Portal here.\r\nLet’s walk through a hunt using this query. 
This query content is compatible with the following endpoint\r\ndetection and response (EDR) and log aggregation platforms: CarbonBlack Cloud - Investigate, CarbonBlack\r\nResponse, CrowdStrike, CrowdStrike LogScale, Elastic, Google SecOps, Microsoft Defender, Microsoft Sentinel,\r\nPalo Alto Cortex XDR, QRadar Query, SentinelOne, Splunk, Tanium, Tanium Signal and Trend Micro Vision\r\nOne.\r\nWe’re looking for COM objects that have a higher integrity level and could be manipulated to open another\r\nprocess at the same higher level. The query focuses on looking for values assigned to those COM objects in the\r\ncommand-line arguments. What follows is a screenshot of the query logic:\r\nThe query logic looks for process paths containing *dllhost.exe and process IDs that are attached to globally\r\nunique identifiers (GUIDs). GUIDs are 128-bit identifiers used to identify a COM interface or software\r\ncomponents.\r\nFor this demonstration, we will use the query for CrowdStrike’s EDR using CrowdStrike’s query language. The\r\nfollowing screenshot shows part of the query. Visible is the event type that is being searched for, which is a\r\nProcessRollup or a SyntheticProcessRollup. Below that is the ImageFileName, which is dllhost.exe, followed by\r\nthe various ProcessIDs, which contain the GUIDs we are looking for in the command-line argument field.\r\nThe query generates one result.\r\nThe result shows the affected machine, the username and how many times it has happened. 
As seen in the\r\nscreenshot below, it also shows the ParentProcessID and the ImageFileName or child process that was targeted.\r\nThis activity is not necessarily malicious, but it is suspicious, especially if it cannot be traced to svchost.exe.\r\nPerhaps it is business as usual, but at this point, there is some suspicious behavior possibly related to using COM\r\nobjects to bypass UAC. From here, threat hunters could investigate other activities that occurred around this event,\r\nsuch as whether the intruders achieved privilege escalation or whether other processes were spawned.\r\nWe hope this tutorial on this UAC bypass technique has been helpful. A video version is available here. Be sure to\r\nregister for a HUNTER Community Edition account, which contains free sample hunt packages, including the one\r\ndescribed in this blog post. Intel 471’s HUNTER contains a package of threat hunts that addresses the Medusa\r\nransomware, including queries for behaviors such as:\r\nInstallation (and usage) of malicious tooling\r\nPrivilege escalation via user addition(s) to security groupings\r\nManipulation of remote desktop protocol (RDP)-related settings to force a system to be more susceptible\r\nA Community Edition account also will allow for insight into HUNTER’s comprehensive library of advanced\r\nthreat-hunting packages, detailed analyst notes and proactive recommendations. These resources are designed to\r\nstrengthen your threat-hunting capabilities and keep your organization secure. Happy hunting!\r\nSource: https://www.intel471.com/blog/threat-hunting-case-study-medusa-ransomware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.intel471.com/blog/threat-hunting-case-study-medusa-ransomware"
	],
	"report_names": [
		"threat-hunting-case-study-medusa-ransomware"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434336,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a0f3f73911642c942c2c2037a9bcbed34f46b29.pdf",
		"text": "https://archive.orkl.eu/3a0f3f73911642c942c2c2037a9bcbed34f46b29.txt",
		"img": "https://archive.orkl.eu/3a0f3f73911642c942c2c2037a9bcbed34f46b29.jpg"
	}
}