Introduction
Medusa is a long-running ransomware operation that sharply escalated its activity in late 2024, exceeding the pace it had sustained in earlier years.
Activities and Tactics
Targeted Sectors: Healthcare, Education, Government, Technology
Country of Origin: Unknown
Risk Level: High
First Seen: 2021
Last Activity: 2025
Notable Campaigns
Information pending cataloguing.
Tactics, Techniques, and Procedures (TTPs)
Ransomware Vulnerability Matrix observations
| Category | Vendor | Product | CVEs |
|---|---|---|---|
| Virtualization | Citrix | NetScaler ADC & Gateway | CVE-2023-4966 |
| Applications | ConnectWise | ScreenConnect | CVE-2024-1708, CVE-2024-1709 |
| Network Edge | Fortinet | FortiClientEMS | CVE-2023-48788 |
| Applications | SimpleHelp | SimpleHelp RMM | CVE-2024-57727 |
Notable Indicators of Compromise (IOCs)
No curated IOCs are currently published for this actor. This section will be updated when stable, attributable indicators are available.
Malware and Tools
- CORESHELL
- CyberGate
- Cyber Eye RAT
- Xpert
- Xploit
Ransomware Tool Matrix observations
| Category | Observed tools |
|---|---|
| Credential Theft | Invoke-TheHash, Mimikatz |
| Defense Evasion | EDRSandBlast, HRSword, KillAV, PCHunter, ProcessHacker, ThrottleStop driver |
| Discovery | Advanced IP Scanner, Advanced Port Scanner, Navicat, PDQ Inventory, RoboCopy, SoftPerfect NetScan |
| Exfiltration | RClone |
| LOLBAS | BITSAdmin, Process Explorer, PsExec |
| Networking | Cloudflared, FRP, Ligolo, PuTTY, RevSocks |
| OffSec | Impacket |
| RMM Tools | AnyDesk, Atera, HCL BigFix, N-Able, PDQ Deploy, Remote Desktop Plus (RDP+), ScreenConnect, SimpleHelp, Splashtop, eHorus |
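The tool matrix above is most useful to a defender when it is turned into a per-host correlation rule rather than a flat blocklist: a single RMM or RoboCopy execution is routine, while credential theft, exfiltration and discovery tooling appearing together on one host is not. The script below is an added example written for this page, not part of the original profile or of the Ransomware Tool Matrix project. It maps process-image basenames to the categories listed in the table and escalates a host only when two or more categories are seen and at least one of them is not dual-use. The log line format (`host=… user=… image=…`) and all sample lines are constructed for the example; real telemetry (Sysmon event 1, EDR process-creation events) would need its own parser.

```python
import re
from collections import defaultdict

# Observed-tool categories exactly as listed in the Ransomware Tool Matrix table above.
TOOL_MATRIX = {
    "Credential Theft": ["Invoke-TheHash", "Mimikatz"],
    "Defense Evasion": ["EDRSandBlast", "HRSword", "KillAV", "PCHunter", "ProcessHacker", "ThrottleStop"],
    "Discovery": ["Advanced IP Scanner", "Advanced Port Scanner", "Navicat", "PDQ Inventory",
                  "RoboCopy", "SoftPerfect NetScan"],
    "Exfiltration": ["RClone"],
    "LOLBAS": ["BITSAdmin", "Process Explorer", "PsExec"],
    "Networking": ["Cloudflared", "FRP", "Ligolo", "PuTTY", "RevSocks"],
    "OffSec": ["Impacket"],
    "RMM Tools": ["AnyDesk", "Atera", "HCL BigFix", "N-Able", "PDQ Deploy", "Remote Desktop Plus",
                  "ScreenConnect", "SimpleHelp", "Splashtop", "eHorus"],
}

# Categories whose tools administrators also run legitimately. A hit here never escalates
# on its own; it only adds weight once a non-dual-use category is seen on the same host.
DUAL_USE = {"LOLBAS", "RMM Tools", "Discovery"}


def _norm(s: str) -> str:
    """Lower-case and strip everything but letters and digits, so 'Advanced_IP_Scanner_2.5'
    and 'Advanced IP Scanner' compare equal after normalisation."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


# Normalised tool name -> (category, display name), precomputed once.
_LOOKUP = [(_norm(name), cat, name) for cat, names in TOOL_MATRIX.items() for name in names]


def classify_image(image_path: str):
    """Return (category, tool) if the image basename starts with a tool name from the
    matrix, else None. Prefix matching (not substring) is deliberate: short names such as
    'FRP' or 'N-Able' would otherwise match unrelated binaries like 'enable.exe'."""
    base = image_path.replace("\\", "/").rsplit("/", 1)[-1]
    base = re.sub(r"\.(exe|ps1|py|dll|bat)$", "", base, flags=re.IGNORECASE)
    key = _norm(base)
    for needle, cat, name in _LOOKUP:
        if key.startswith(needle):
            return cat, name
    return None


# Constructed log format for this example; a real deployment would parse its own source.
LOG_LINE = re.compile(r"host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+image=(?P<image>.+)$")


def scan_process_log(lines):
    """Group matrix hits per host and decide whether the host warrants escalation:
    two or more categories observed, of which at least one is not dual-use."""
    per_host = defaultdict(lambda: {"hits": [], "categories": set(), "escalate": False})
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        found = classify_image(m["image"])
        if not found:
            continue
        cat, tool = found
        rec = per_host[m["host"]]
        rec["hits"].append((tool, cat, m["image"].strip()))
        rec["categories"].add(cat)
    for rec in per_host.values():
        cats = rec["categories"]
        rec["escalate"] = len(cats) >= 2 and bool(cats - DUAL_USE)
    return dict(per_host)


# Constructed sample process-creation lines (not real telemetry).
SAMPLE_LOG = [
    r"2025-03-01T09:12:03Z host=WS-042 user=jdoe image=C:\Users\jdoe\Downloads\Advanced_IP_Scanner_2.5.exe",
    r"2025-03-01T09:14:51Z host=WS-042 user=jdoe image=C:\ProgramData\mimikatz.exe",
    r"2025-03-01T09:20:10Z host=WS-042 user=jdoe image=C:\Windows\Temp\rclone.exe",
    r"2025-03-01T09:21:00Z host=FS-01 user=svc_backup image=C:\Windows\System32\Robocopy.exe",
    r"2025-03-01T09:30:00Z host=ADM-07 user=helpdesk image=C:\Program Files\AnyDesk\AnyDesk.exe",
    r"2025-03-01T09:31:00Z host=ADM-07 user=helpdesk image=C:\Windows\System32\svchost.exe",
]

if __name__ == "__main__":
    for host, rec in scan_process_log(SAMPLE_LOG).items():
        flag = "ESCALATE" if rec["escalate"] else "info"
        print(f"{host}: {flag} categories={sorted(rec['categories'])}")
        for tool, cat, image in rec["hits"]:
            print(f"    {cat:16} {tool:22} {image}")
```

Run as a script it reports WS-042 as the only host to escalate (Discovery plus Credential Theft plus Exfiltration), while the lone RoboCopy run on FS-01 and the AnyDesk session on ADM-07 are recorded but not escalated. The threshold is intentionally simple; in production the dual-use set and the minimum category count should be tuned to what is normal for the environment's administrators.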
Attribution and Evidence
Country of Origin: Unknown
Additional attribution information pending cataloguing.
References
References pending cataloguing.