{
	"id": "a89d8484-70cf-4392-a439-7e9116d86138",
	"created_at": "2026-04-06T00:15:31.284287Z",
	"updated_at": "2026-04-10T03:29:39.808033Z",
	"deleted_at": null,
	"sha1_hash": "fb0b4a047a282ce73fc7b08a184e509280ea220b",
	"title": "Medusa Ransomware Group: A Rising Threat in 2025",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 58031,
	"plain_text": "Medusa Ransomware Group: A Rising Threat in 2025\r\nBy Check Point Software\r\nPublished: 2025-06-08 · Archived: 2026-04-05 22:36:09 UTC\r\nThe 2025 Ransomware Surge: Context for Medusa’s Rise\r\nThe rise of the Medusa group is set against a historic ransomware surge in Q1 of 2025.\r\nData shows 2,289 reported incidents in the first three months of the year,\r\nmore than double the number from the same period last year (1,011),\r\nrepresenting a 126% year-over-year increase.\r\nThis surge comes despite high-profile law enforcement operations in 2024 disrupting major ransomware players\r\nLockBit and ALPHV. This fragmentation has allowed other ransomware variants and newly formed groups to fill\r\nthe void left in the RaaS marketplace.\r\nWhen it comes to Medusa ransomware vs. Cl0p, the latter remains the most active group in the RaaS marketplace.\r\nWhile it may not be the biggest player in the industry, Medusa’s activities have caught the attention of US law\r\nenforcement.\r\nIn March 2024, the FBI and US Cybersecurity and Infrastructure Security Agency (CISA) posted an\r\nadvisory warning organizations about the threats posed by the Medusa ransomware group.\r\nThe advisory includes a description of the group’s:\r\nTactics\r\nTechniques\r\nProcedures\r\nRecommendations to minimize the risk\r\nWho Is the Medusa Ransomware Group?\r\nMedusa is a RaaS variant that has grown significantly, claiming hundreds of victims and becoming a top ten\r\nransomware actor since 2023. Originally a closed ransomware variant (all operations handled by the Medusa\r\nransomware group alone), it has since developed an affiliate model that allows others to launch attacks.\r\nBut the central Medusa ransomware group still handles ransom negotiations.\r\nThe specific location of the Medusa ransomware group is unknown, but evidence suggests it operates out of\r\nRussia or one of its allied states. 
This is due to the group avoiding targeting organizations within Russia and the\r\nCommonwealth of Independent States and activity on Russian-language dark web forums like RAMP.\r\nMedusa is not connected to MedusaLocker or the Medusa mobile malware variant.\r\nhttps://www.checkpoint.com/cyber-hub/threat-prevention/ransomware/medusa-ransomware-group/\r\nPage 1 of 4\n\nEvidence shows the group operates independently and is not an offshoot of another cybercriminal group.\r\nThe software Medusa uses is unique, with no reports of code similarities to other RaaS variants.\r\nHowever, there is intelligence linking Medusa to “Frozen Spider,” an eCrime group active in broader cybercrime-as-a-service networks. Although details are unclear, Frozen Spider uses Medusa ransomware for big game\r\nhunting, targeting larger-scale organizations for higher ransoms.\r\nMedusa Targets\r\nThe Medusa ransomware group hits a variety of industries, often targeting critical infrastructure used in\r\nhealthcare, education, technology, manufacturing, legal, and government organizations.\r\nPrevious high-profile targets include the Minneapolis Public School District and Toyota Financial Services.\r\nThey often go after profitable small and medium-sized enterprises (SMEs) in industries that:\r\nUtilize sensitive data\r\nRequire significant digital infrastructure\r\nRely heavily on business continuity\r\nThis increases their chances of getting paid, as victims scramble to resume normal operations and protect their\r\ndata. 
Medusa victims have been reported in over 45 countries, including the United States, Canada, Australia,\r\nGermany, Italy, and the UK.\r\nMedusa ransomware UK statistics show the group has an outsized presence in the country.\r\nRansomware trends from 2025 Q1 found that Medusa accounts for 9% of all reported victims in the UK,\r\ncompared to just 2% of victims worldwide.\r\nMedusa’s Use of Public Channels and Data Leak Sites\r\nUnlike many other ransomware groups, Medusa is known for using public channels with a:\r\nPublic Telegram channel\r\nFacebook profile\r\nTwitter/X account\r\nOSINT (Open Source Intelligence) Without Borders Website\r\nThese properties are allegedly run by users under the pseudonyms “Robert Vroofdown” and “Robert Enaber.”\r\nUtilizing these public channels, the Medusa ransomware group aims to publicly pressure its victims into paying\r\nransoms while also building its reputation and presence in the RaaS marketplace by demonstrating its capabilities\r\nand accomplishments.\r\nThe Medusa ransomware group also launched its own data leak site in 2023 known as the Medusa Blog.\r\nThe group publishes sensitive information on the site when victims refuse to pay ransoms. This data leak site is on\r\nthe dark web alongside Medusa’s TOR links and forums.\r\nMedusa’s Tactics, Techniques, and Procedures (TTPs)\r\nThe Medusa ransomware group’s primary goal appears to be financial returns.\r\nThey utilize a double extortion model where data is encrypted and exfiltrated to achieve this. This enables the\r\ngroup to start ransom negotiations with large demands as they not only disrupt operations but also threaten to\r\npublicly release the victim’s sensitive data.\r\nTo infiltrate corporate systems, Medusa typically pays Initial Access Brokers (IABs) to provide user credentials\r\nand other sensitive data that enables access. 
These brokers utilize credential stuffing, phishing, and other\r\ntechniques to gather their datasets before advertising them on cybercrime marketplaces.\r\nIABs accelerate Medusa’s ransomware attacks, allowing the group to focus on encrypting and exfiltrating datasets\r\nand negotiating ransoms rather than gaining initial access to networks. But the Medusa ransomware group also\r\nconducts phishing campaigns and exploits public-facing vulnerabilities to gain access to networks themselves.\r\nCommon Medusa ransomware tactics during an attack include:\r\nUtilizing PowerShell and other tools to evade ransomware detection techniques and increase access.\r\nData transfer is also handled using PowerShell scripts.\r\nTor provides a secure channel to copy data.\r\nEncryption processes add a .MEDUSA extension to each of the victim’s files.\r\nRansom notes are delivered via a !!!READ_ME_MEDUSA!!!.txt that provides instructions, a unique\r\nidentifier, and warnings of future actions if payment is not made.\r\nThe attack is then announced on the Medusa Blog.\r\nHow to Defend Against Medusa Ransomware: 8 Effective Tips\r\nProtecting your business network against Medusa ransomware threats requires a range of security controls and\r\nbest practices.\r\nMethods promoted in the recent Medusa advisory include:\r\n1. Developing extensive recovery plans that include backups of sensitive business data stored in physically\r\nseparated locations.\r\n2. Utilizing strong authentication processes that comply with NIST standards. This includes strong\r\npassword management processes and multifactor authentication, particularly for your most sensitive\r\nsystems.\r\n3. Tracking all of your software (including operating systems and firmware) and ensuring they remain up to\r\ndate with patches for the latest vulnerabilities.\r\n4. Segmenting your network to prevent the Medusa ransomware tactics of scanning networks for lateral\r\nmovement and greater access after the initial breach.\r\n5. 
Monitoring network activity and developing methods of identifying abnormal or suspicious behavior.\r\nThis includes tools for endpoint detection and response.\r\n6. Ensuring employees remotely accessing your network utilize VPNs for secure connectivity.\r\n7. Auditing accounts for access and applying the principle of least privilege, where users only have access to\r\nthe data and resources they need based on their role.\r\n8. Filtering network traffic and blocking packets from unknown or untrustworthy sources.\r\nEnhance Ransomware Protection with Check Point Solutions\r\nYou need a dedicated solution to implement these methods and protect your business against Medusa ransomware\r\nin 2025 and beyond. Check Point Endpoint Security from Check Point offers comprehensive anti-ransomware\r\nprotection against the most sophisticated attacks. The solution provides:\r\nComplete endpoint protection\r\nAutomated ransomware attack detection and remediation\r\nFast recovery to ensure business continuity\r\nAll this comes in a single, cost-effective product that can be tailored to meet your security and compliance needs.\r\nFind out how Check Point Endpoint Security mitigates the risk posed by the top ransomware groups and most\r\nadvanced threats by booking a demo today.\r\nSource: https://www.checkpoint.com/cyber-hub/threat-prevention/ransomware/medusa-ransomware-group/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.checkpoint.com/cyber-hub/threat-prevention/ransomware/medusa-ransomware-group/"
	],
	"report_names": [
		"medusa-ransomware-group"
	],
	"threat_actors": [
		{
			"id": "c9da8a50-6b5b-4101-bd95-a49c66197004",
			"created_at": "2025-10-29T02:00:51.81803Z",
			"updated_at": "2026-04-10T02:00:05.243328Z",
			"deleted_at": null,
			"main_name": "Medusa Group",
			"aliases": [
				"Medusa Group"
			],
			"source_name": "MITRE:Medusa Group",
			"tools": [
				"certutil",
				"Rclone",
				"Medusa Ransomware",
				"Mimikatz",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434531,
	"ts_updated_at": 1775791779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb0b4a047a282ce73fc7b08a184e509280ea220b.pdf",
		"text": "https://archive.orkl.eu/fb0b4a047a282ce73fc7b08a184e509280ea220b.txt",
		"img": "https://archive.orkl.eu/fb0b4a047a282ce73fc7b08a184e509280ea220b.jpg"
	}
}