{
	"id": "75001891-e983-4ecd-8492-90c29180776c",
	"created_at": "2026-04-06T00:20:17.733874Z",
	"updated_at": "2026-04-10T03:20:49.810792Z",
	"deleted_at": null,
	"sha1_hash": "ef57a25cd6e71916ad1e659778510ef807bd34de",
	"title": "Medusa Ransomware: Evolving Tactics in Modern Cyber Extortion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 465909,
	"plain_text": "Medusa Ransomware: Evolving Tactics in Modern Cyber Extortion\r\nBy Loginsoft\r\nPublished: 2026-01-28 · Archived: 2026-04-05 21:49:54 UTC\r\nIntroduction\r\nMedusa, a prominent ransomware-as-a-service (RaaS) platform, emerged in June 2021 and has rapidly gained popularity among cybercriminals. In contrast to many ransomware groups that operate exclusively on the dark web, Medusa has taken an unconventional approach by establishing a visible presence on the surface web. This dual-platform strategy allows the group to reach a wider audience and potentially attract more affiliates.\r\nSince 2023, the Medusa ransomware group has steadily increased its number of victims. Bitdefender projects that in 2024, Medusa could target over 200 organizations, a significant jump from the 145 victims reported in 2023.\r\nMedusa should not be confused with MedusaLocker, a similar ransomware-as-a-service (RaaS) that has been active since 2019.\r\nThis ransomware has demonstrated a global reach, targeting a broad spectrum of industries such as healthcare, education, manufacturing, and retail, with a particular focus on organizations in the United States, Europe, and Africa.\r\nRecent investigations have uncovered that Medusa has been leveraging CVE-2023-48788, a critical SQL injection vulnerability in Fortinet's FortiClient EMS software, to gain initial access to targeted systems.\r\nKey Takeaways\r\nMedusa ransomware uses modern extortion tactics beyond basic file encryption.\r\nAttackers prioritize data theft and leverage pressure tactics to force payment.\r\nTargeted attacks increase operational and financial impact on victims.
\r\nEvolving ransomware behavior demands proactive detection before encryption stages.\r\nhttps://www.loginsoft.com/post/medusa-ransomware-evolving-tactics-in-modern-cyber-extortion\r\nPage 1 of 7\n\nMedusa Ransomware\r\nTechnical Analysis\r\nInitial access\r\nMedusa ransomware primarily gains access to networks through unsecured Remote Desktop Protocol (RDP) and phishing, while also exploiting vulnerable services and public-facing assets with known unpatched vulnerabilities.\r\nMedusa leverages the CVE-2023-48788 vulnerability in Fortinet's FortiClient EMS to gain initial access to target systems. By exploiting an SQL injection flaw, attackers can manipulate the FCTUID parameter in web requests, executing arbitrary commands on the affected server via xp_cmdshell. This allows Medusa to establish a webshell, facilitating further data exfiltration and ransomware deployment.\r\nExecution\r\nMedusa utilizes PowerShell scripts to execute commands on host systems, facilitating data exfiltration and referencing the executable and binary components required to deploy the ransomware and perform encryption. During the execution phase, the gaze.exe component is run to terminate various services using the net command and to load files that include TOR links for data exfiltration.\r\nPersistence\r\nTo maintain persistence, Medusa employs several strategies. The group uses compromised Remote Monitoring and Management (RMM) tools such as ConnectWise, PDQDeploy, and AnyDesk, which are often whitelisted and less likely to raise suspicion. They conduct discovery processes to identify applications within the victim's environment, allowing them to replace legitimate programs with their own compromised versions.
\r\nAdditionally, Medusa establishes persistence by executing PowerShell commands that modify registry key values, such as the Run keys under HKLM and HKCU, to ensure that their payloads execute on system startup.\r\nPrivilege Escalation\r\nOnce inside a network, Medusa leverages tools like PsExec to escalate privileges and secure a deeper foothold within the compromised system.\r\nDefense Evasion\r\nMedusa employs a sophisticated anti-malware evasion technique involving the installation of a malicious RMM agent and the loading of vulnerable drivers. These drivers actively identify and terminate processes associated with anti-malware solutions. By cross-referencing active processes with a predefined list, Medusa can disable over two hundred security-related processes. The group disables security tools using PowerShell scripts and adjusts registry settings to evade detection. They also employ string encryption techniques to obfuscate their malicious code.\r\nDiscovery\r\nMedusa conducts thorough network reconnaissance with tools such as Netscan to identify valuable targets and map out the network topology.\r\nLateral Movement\r\nMedusa often acquires credentials by exploiting the compromised server and extracting them from the LSASS process. To achieve lateral movement, the ransomware group utilizes tools like bitsadmin to transfer malicious files from their webshell to target hosts. It also uses protocols such as RDP and SMB to move laterally within the network.\r\nEncryption\r\nMedusa ransomware employs asymmetric RSA encryption to encode targeted files and directories, which also contain a copy of Medusa’s ransom note. 
Encrypted files typically have extensions such as .medusa or .mylock. Extensions associated with executable programs, dependencies, or shortcuts, such as .exe, .dll, or .lnk, are generally excluded from encryption to ensure that essential utilities remain operational.\r\nData Exfiltration\r\nData is exfiltrated to remote servers controlled by the attackers and used to pressure victims into paying the ransom.\r\nImage representing the Medusa ransom note\r\nImpact\r\nIn the final phase of the attack, Medusa leaves a ransom note on the desktop, typically named \"!!read_me_medusa!!.txt\". To prevent system recovery, the ransomware also deletes shadow copies and other backups, making it difficult for victims to restore their data. The group employs a combination of RSA and AES encryption to secure the ransom transactions.\r\nSignificant attacks carried out by Medusa ransomware\r\n1. Exploitation of Fortinet vulnerability\r\nRecent investigations revealed that Medusa ransomware has been actively exploiting CVE-2023-48788, a critical SQL injection vulnerability in Fortinet’s FortiClient EMS software, as a primary attack vector. This vulnerability allows attackers to gain unauthorized access to vulnerable systems, serving as an entry point for launching complex ransomware attacks. Medusa leverages this flaw to infiltrate networks, execute malicious payloads, and encrypt critical data, significantly escalating the threat posed to organizations relying on unpatched versions of FortiClient EMS.\r\nApart from this, Medusa ransomware was observed exploiting:\r\nCVE-2022-2294: Heap Buffer Overflow vulnerability in WebRTC\r\nCVE-2022-2295: Type Confusion vulnerability in Google Chrome V8\r\nCVE-2022-21999: Elevation of Privilege vulnerability in Windows\r\nCVE-2018-13379: Path Traversal vulnerability in Fortinet FortiOS\r\n2. 
Toyota Financial Services breach\r\nIn November 2023, TFS, a subsidiary of Toyota Motor Corporation, confirmed unauthorized access to its systems in Europe and Africa, following a ransomware claim by Medusa. Security analysts pointed to a potential vulnerability in TFS's German office, linked to an unpatched Citrix Gateway endpoint, suggesting a possible exploitation. Medusa demanded an $8 million ransom, threatening to leak allegedly stolen data. The ransom note provided Toyota with a 10-day deadline, with an option to extend it for $10,000 per day. To validate their breach, the attackers released sample data, including financial documents, spreadsheets, hashed account passwords, and internal organization charts.\r\n3. Minneapolis Public School (MPS) District Attack\r\nIn February 2023, Medusa ransomware not only encrypted data but also exfiltrated approximately 100 GB of sensitive information from the Minneapolis Public School (MPS) District. This included highly confidential details about students and staff, which the group later leaked online. Despite a $1 million ransom demand, MPS refused to pay, claiming they had successfully restored their systems using backups. Instead of using a traditional dark web leak site, Medusa published the stolen data on a public website, and social media further amplified the exposure of this information.\r\n4. Philippine Health Insurance Corporation (PhilHealth)\r\nIn September 2023, Medusa exfiltrated nearly 750 GB of sensitive data from PhilHealth, a Philippine government health insurance agency. The stolen data included information on millions of members. The ransomware group demanded a $300,000 ransom and made the stolen data available on the dark web. PhilHealth revealed that it was unprotected by antivirus software at the time of the attack due to an expired license. 
The renewal process had been delayed due to government procurement procedures. Despite the breach, PhilHealth was able to recover its systems and restore public-facing applications within a month.\r\nMITRE ATT\u0026CK TACTICS AND TECHNIQUES\r\nTable of the tactics and techniques employed by Medusa ransomware:\r\nID | Technique | Comments\r\nT1078 | Valid Accounts | Medusa ransomware utilizes stolen credentials, typically acquired through vulnerabilities or credential dumping, to gain unauthorized access.\r\nT1190 | Exploit Public-Facing Application | Medusa ransomware targets vulnerabilities in unpatched servers or gateways to gain initial access.\r\nT1566 | Phishing | Medusa ransomware often uses phishing to deliver malicious payloads to its victims.\r\nT1047 | Windows Management Instrumentation | Medusa ransomware uses Windows Management Instrumentation (WMI) to execute malicious commands and payloads.\r\nT1059.001 | PowerShell | Medusa ransomware often uses PowerShell to execute malicious commands on compromised systems.\r\nT1059.003 | Windows Command Shell | Medusa ransomware also uses the Windows Command Shell (cmd.exe) to run malicious scripts and commands on compromised systems.\r\nT1036.007 | Double File Extension | Medusa ransomware disguises malicious files with deceptive file extensions.\r\nT1070.004 | File Deletion | Medusa ransomware deletes or modifies those files that could leave evidence of its presence on a compromised system.\r\nT1083 | File and Directory Discovery | Medusa ransomware scans the victim's system for valuable files and directories, identifying key data to encrypt or exfiltrate.\r\nT1210 | Exploitation of Remote Services | Medusa ransomware spreads laterally within a network by exploiting vulnerabilities in remote services like RDP or web applications.\r\nT1489 | Service Stop | Medusa ransomware terminates critical services, such as security tools and backup processes, to disable defenses and hinder recovery efforts.\r\nT1486 | Data Encrypted for Impact | Medusa ransomware encrypts data on target systems to disrupt access to system and network resources.\r\nT1485 | Data Destruction | Medusa ransomware deletes or corrupts files to prevent victims from restoring their data without paying the ransom.\r\nT1490 | Inhibit System Recovery | Medusa ransomware removes volume shadow copies from Windows systems.\r\nDefense mechanisms\r\n1. Implementing Multi-Factor Authentication\r\nUsing strong passwords and enabling multi-factor authentication (MFA) protects against Medusa ransomware by minimizing the risk of unauthorized access via compromised or weak credentials. Strong passwords reduce the likelihood of successful brute-force attacks, while MFA adds an extra layer of security, ensuring that even if credentials are stolen, attackers cannot easily access the system without the additional authentication factor.\r\n2. Audit User Accounts\r\nEliminating inactive and unused user accounts, combined with auditing administrative privileges, mitigates Medusa ransomware risks by reducing the attack surface and potential entry points. This approach minimizes credential theft risks and ensures that only necessary access is granted, limiting opportunities for privilege escalation.\r\n3. Use of updated software\r\nKeeping software updated is crucial to avoid vulnerabilities that ransomware like Medusa can exploit. Regular updates apply the latest security patches, protecting against evolving threats and reducing the risk of exploitation.\r\n4. 
Scheduling regular backups\r\nScheduling regular backups helps to mitigate the risk of Medusa ransomware by ensuring that critical data is consistently saved and can be restored in case of an attack. Frequent backups minimize the impact of data encryption, allowing recovery without paying a ransom.\r\n5. Anti-Ransomware Solutions\r\nThe data encryption and exfiltration activities associated with ransomware attacks are distinctive and serve as clear indicators of such threats. Anti-ransomware solutions can leverage these behavioral patterns, among other factors, to detect, block, and remediate infections caused by Medusa ransomware.\r\nConclusion\r\nThe blog highlights that Medusa ransomware exemplifies the shift toward more aggressive and calculated cyber extortion techniques. By evolving its tactics to include data exfiltration and targeted pressure, Medusa increases the likelihood of successful ransom demands. Defending against such threats requires early detection of attacker activity, strong monitoring, and an understanding of how ransomware operations continue to evolve beyond traditional models.\r\nFAQs\r\nQ1. What is Medusa ransomware?\r\nMedusa ransomware is a modern ransomware threat that employs advanced extortion techniques to pressure victims into paying ransoms.\r\nQ2. How is Medusa different from traditional ransomware?\r\nIt goes beyond encryption by incorporating data theft and multi-stage extortion strategies.\r\nQ3. Why are evolving ransomware tactics dangerous?\r\nThey increase attack impact, reduce recovery options, and make detection more challenging.\r\nQ4. How can organizations detect Medusa ransomware early?\r\nBy monitoring suspicious behaviors and attacker activity before encryption or data exfiltration occurs.\r\nQ5. 
What is the main defensive takeaway from this blog?\r\nUnderstanding ransomware evolution and detecting threats early are critical to minimizing damage from modern cyber extortion campaigns.\r\nSource: https://www.loginsoft.com/post/medusa-ransomware-evolving-tactics-in-modern-cyber-extortion",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.loginsoft.com/post/medusa-ransomware-evolving-tactics-in-modern-cyber-extortion"
	],
	"report_names": [
		"medusa-ransomware-evolving-tactics-in-modern-cyber-extortion"
	],
	"threat_actors": [],
	"ts_created_at": 1775434817,
	"ts_updated_at": 1775791249,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ef57a25cd6e71916ad1e659778510ef807bd34de.pdf",
		"text": "https://archive.orkl.eu/ef57a25cd6e71916ad1e659778510ef807bd34de.txt",
		"img": "https://archive.orkl.eu/ef57a25cd6e71916ad1e659778510ef807bd34de.jpg"
	}
}