Medusa Ransomware Group

1. Overview

Medusa is a highly active ransomware group first observed in late 2022, operating under a double extortion model with increasing aggression. The group quickly rose to prominence in 2023 for its high-impact intrusions, its distinctive leak site branded as the “Medusa Blog,” and its use of public-facing shaming tactics to pressure victims into payment.

Unlike traditional Ransomware-as-a-Service (RaaS) operations, Medusa appears to maintain centralised control, overseeing both payload development and extortion negotiations. Its operations span government, education, healthcare, and financial services, with victims located across Europe, the Americas, and the Asia-Pacific region.


2. Origin and Evolution

Medusa first gained attention in late 2022 through attacks on educational institutions in the United States. Initially mistaken for a clone of the MedusaLocker ransomware family, forensic analysis quickly revealed that Medusa is a distinct threat group, with its own infrastructure, tooling, and strategic playbook.

Throughout 2023 and into 2024, Medusa dramatically expanded its operations, refining its encryption techniques, increasing the use of custom-built payloads, and adopting media-style leak announcements to raise pressure during ransom negotiations. The group has shown particular interest in public sector institutions and educational bodies, likely due to their often limited security budgets and high sensitivity to data leaks.


3. Tactics, Techniques, and Procedures (TTPs)

Medusa conducts multi-stage intrusions, employing tools and techniques consistent with other high-tier ransomware actors:

  • Initial Access:
    Exploitation of vulnerabilities in public-facing systems (T1190), brute-force attacks on exposed RDP services (T1110), and phishing campaigns targeting administrative personnel (T1566.001).
  • Lateral Movement:
    Use of Cobalt Strike, RDP, PsExec, and Mimikatz for internal traversal and privilege escalation (T1055, T1021).
  • Data Exfiltration:
    Tools like WinSCP, FileZilla, and Rclone are used to extract sensitive data before the encryption phase (T1041).
  • Encryption:
    Medusa employs multithreaded AES encryption, appends the .MEDUSA extension to encrypted files, and drops detailed ransom notes containing TOR links and victim-specific IDs.
  • Persistence & Evasion:
    The group uses scheduled tasks, registry edits (T1112), and anti-recovery techniques, such as shadow copy deletion (T1490), to inhibit system recovery and cover its tracks.

4. Targeting Profile

Medusa casts a wide net across both private and public sector targets, with a preference for:

  • Educational institutions and universities
  • Healthcare providers and hospitals
  • Government agencies and municipalities
  • Financial services, insurance firms, and data processors

Victims in the UK and EU have included academic institutions, regional government offices, and small-to-medium private sector enterprises holding regulated personal data.


5. Notable Campaigns and Victims

Medusa has made headlines with several high-profile attacks since 2023, including:

  • The Minneapolis Public Schools (US) in 2023, where over 100GB of sensitive data was leaked publicly.
  • A European insurance brokerage, where confidential client data and financial records were exfiltrated and leaked.
  • An Australian healthcare provider, resulting in operational downtime and patient data exposure.

The group’s leak site, known as the Medusa Blog, actively publishes victim profiles, ransom timers, and downloadable datasets, making it a reputational risk for any organisation that refuses to pay.


6. Ransomware and Leak Site Behaviour

Medusa’s extortion strategy is among the most aggressive in the ransomware landscape. The “Medusa Blog” functions as a central pressure point, with features including:

  1. Victim listings with countdown timers
  2. Sample data leaks to prove exfiltration
  3. Download options for full data sets if ransom demands are ignored
  4. Public visibility, with journalists and data brokers openly referencing the blog

The group’s ransom demands range from £100,000 to over £1 million, depending on victim profile. Negotiation is conducted via TOR, and communication is often transactional, with little tolerance for delays.


7. Technical Indicators

Common indicators of Medusa activity include:

  • File extensions: .MEDUSA
  • Use of winscp.exe, rclone.exe, and 7zip.exe in temporary directories
  • Ransom notes named !!!READ_ME_MEDUSA!!!.txt
  • Registry changes disabling recovery tools and event logs
  • IP addresses associated with bulletproof hosting providers in Russia and Southeast Asia

UK Cyber Defence Ltd provides Medusa-specific IOC packs and detection signatures to enterprise clients.


8. Defensive Measures and Recommendations

To reduce the risk posed by Medusa ransomware, UK organisations are strongly advised to:

  • Enforce multi-factor authentication (MFA) for remote and privileged access
  • Monitor for shadow copy deletion, PowerShell misuse, and scheduled task creation
  • Patch exposed infrastructure, particularly VPN appliances, email gateways, and ESXi hosts
  • Maintain offline, immutable backups tested regularly
  • Conduct phishing simulations and cyber awareness training
  • Prepare incident response plans that include data breach notification strategies
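As an added illustration of the monitoring points in sections 7 and 8 (example code written for this page, not UK Cyber Defence Ltd's IOC pack or detection signatures), the following Python triages constructed Sysmon-style events for the indicators the profile lists: shadow copy deletion, scheduled task creation, transfer tools staged in temporary directories, and the .MEDUSA extension or ransom note file. The event record shape, the sample paths and the 7z.exe alias for "7zip.exe" are assumptions.

```python
import re

# Constructed Sysmon-style process/file events (invented sample data, not real Medusa telemetry).
# Each record carries the process image path, its command line and, optionally, a file it wrote.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\vssadmin.exe", "cmdline": "vssadmin delete shadows /all /quiet"},
    {"image": r"C:\Users\jsmith\AppData\Local\Temp\rclone.exe", "cmdline": "rclone.exe copy D:\\Finance remote:share"},
    {"image": r"C:\Windows\System32\schtasks.exe", "cmdline": "schtasks /create /sc onlogon /tn Sync /tr C:\\Temp\\svc.exe"},
    {"image": r"C:\Program Files\7-Zip\7z.exe", "cmdline": "7z.exe a backup.7z D:\\Docs"},
    {"image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe", "file": r"C:\Users\jsmith\Documents\!!!READ_ME_MEDUSA!!!.txt"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt", "file": r"C:\Users\jsmith\notes.txt"},
]

TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# Tool names from the indicator list; 7z.exe is an assumed alias of "7zip.exe".
TRANSFER_TOOLS = {"winscp.exe", "rclone.exe", "7zip.exe", "7z.exe"}
RANSOM_NOTE = "!!!read_me_medusa!!!.txt"

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def shadow_copy_deletion(ev):
    return basename(ev["image"]) == "vssadmin.exe" and "delete shadows" in ev["cmdline"].lower()

def scheduled_task_creation(ev):
    return basename(ev["image"]) == "schtasks.exe" and "/create" in ev["cmdline"].lower()

def transfer_tool_in_temp(ev):
    # Copies of WinSCP/Rclone/7-Zip staged in temp directories, not their normal install paths
    return basename(ev["image"]) in TRANSFER_TOOLS and TEMP_DIR.search(ev["image"]) is not None

def medusa_artifact_written(ev):
    f = ev.get("file", "").lower()
    return basename(f) == RANSOM_NOTE or f.endswith(".medusa")

RULES = {r.__name__: r for r in (shadow_copy_deletion, scheduled_task_creation,
                                 transfer_tool_in_temp, medusa_artifact_written)}

def triage(events):
    """Return every (rule, image) hit across the event stream, in event order."""
    return [(name, ev["image"]) for ev in events for name, rule in RULES.items() if rule(ev)]

def severity(findings):
    """Anti-recovery activity or a Medusa artifact is high on its own; two distinct precursor
    rules together (staging plus persistence) escalate to medium; a single hit stays low."""
    hit = {name for name, _ in findings}
    if hit & {"shadow_copy_deletion", "medusa_artifact_written"}:
        return "high"
    return "medium" if len(hit) >= 2 else "low" if hit else "none"

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for name, image in found:
        print(f"{name:28} {image}")
    print("severity:", severity(found))
```

The 7z.exe event deliberately does not fire because it runs from its install directory, which is the distinction the indicator list draws.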

9. Attribution and Alliances

There is no formal attribution of Medusa to a known nation-state. However, the group exhibits operational discipline, custom tooling, and signs of collaboration with initial access brokers (IABs)—suggesting it is part of a wider criminal supply chain. Analysts speculate that former members of Egregor or REvil may be involved, based on code artefacts and negotiation styles.

Medusa does not currently run an affiliate programme, reinforcing the belief that it operates a closed and internally managed model.


10. Conclusion

Medusa represents a potent and fast-evolving ransomware threat, with its combination of public shaming, tailored payloads, and high-pressure extortion tactics posing a serious challenge to UK and international organisations alike. Its targeting of education, healthcare, and public services—sectors often underfunded in cybersecurity—makes it a particularly disruptive actor. A layered security posture, continuous monitoring, and effective crisis response remain the most effective countermeasures.


Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025
