Medusa
Status: active
Also known as: Medusa Ransomware, MedusaLocker
Medusa is a ransomware group that operates both through standalone attacks and through an affiliate RaaS model. The group is known for its aggressive negotiation tactics and runs a leak site called 'Medusa Blog'.
First Seen
2021-06
Last Activity
2025-01
Target Regions
3 regions
Industries
5 sectors
Healthcare, Education, Legal, Manufacturing, Technology
Attack Chain (MITRE ATT&CK)
Visual representation of the attack phases and techniques used by Medusa
Tactics & Techniques
MITRE ATT&CK mapped tactics and techniques used by this threat actor
Indicators of Compromise (IOCs)
Known IOCs associated with Medusa operations
| Type | Value | Description | Last Seen |
|---|---|---|---|
| hash | c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0 | Medusa ransomware binary | 2025-01-14 |
| filename | !!!READ_ME_MEDUSA!!!.txt | Ransom note | — |
Detection Guidance
SIEM and EDR detection recommendations for identifying Medusa activity
1. Monitor for RDP brute-force attempts
2. Detect bcdedit boot configuration changes
3. Alert on mass file encryption
4. Monitor for Medusa-specific ransom notes
Mitigation, Containment & Recovery
Step-by-step guidance for responding to and recovering from this ransomware attack
1. Disable RDP if not essential
2. Implement account lockout policies
3. Block IOCs at perimeter
