Medusa ransomware has quickly become a prominent threat, targeting sectors where disruption can be devastating. Its operators remain elusive, using a Ransomware-as-a-Service model and aggressive extortion tactics to pressure victims.

Understanding how to prevent Medusa ransomware requires more than generic security advice—it demands a close look at how they operate. In this blog, we will break down who is behind Medusa ransomware, their tactics, the sectors they target, and actionable ways to defend against them.

» Protect your business from ransomware today: Try KELA for free

Who Is Behind Medusa Ransomware?

The identities of the Medusa ransomware group's operators remain unknown, but they are tracked by security firms as Spearwing and GOLD+BERG. A Ransomware-as-a-Service (RaaS) model has been operated since 2022, with financial motivations driving the group to employ double and triple extortion tactics—data encryption, threats of public leaks on the "Medusa Blog," and DDoS attacks.

Although not formally linked to nation-states, they differ from the older MedusaLocker malware and actively recruit affiliates on cybercriminal forums for attack execution.

» See our complete guide to combating ransomware

Which Organizations Does Medusa Target?

Healthcare and Public Sector

The healthcare and public sectors are targeted by Medusa due to their reliance on continuous operational uptime and the sensitive nature of their data. Service disruptions can lead to life-threatening outcomes, increasing the urgency to pay ransoms.

Attackers exploit limited security budgets and complex networks through phishing campaigns and by targeting vulnerable, internet-facing remote access tools like RDP for initial access.

Education

Educational institutions, including K-12 districts and universities, are often targeted by Medusa. Their appeal lies in large, decentralized networks used by non-technical users (students), widespread BYOD policies, and frequently under-resourced IT security teams.

This situation creates a broad attack surface with many potential entry points for phishing campaigns and exploitation of unpatched, public-facing applications.

Manufacturing

Manufacturing companies are targeted by Medusa due to the significant financial impact of operational downtime. The convergence of Information Technology (IT) and Operational Technology (OT) networks introduces unique risks. An attack that disrupts production lines can incur millions in losses per day, increasing the likelihood of ransom payments.

Vulnerabilities are commonly found in legacy industrial control systems and inadequately secured remote management software.

» Learn more about how hackers gain entry to your systems

Cyber Threat Intelligence

Detect and mitigate attacks on finance and healthcare systems with real-time insights and continuous monitoring.

Contact Us



Medusa Ransomware: Attack Tactics, Techniques, and Procedures (TTPs)

The Medusa ransomware group employs a structured, multi-stage attack chain that guides its operations from initial network entry to data theft and extortion.

• Initial access: Affiliates gain entry through phishing campaigns, credential theft, or by exploiting unpatched public-facing applications (e.g., ConnectWise CVE-2024-1709, ScreenConnect), often sourced via access brokers.
• Establishing foothold & defense evasion: Attackers use living-off-the-land tools like PowerShell and WMI, bypass UAC via COM objects, disable endpoint detection and response (EDR), and clean command histories to avoid detection.
• Discovery & lateral movement: Internal reconnaissance is performed using tools such as Advanced IP Scanner, CMD, and PowerShell. Credential dumping (e.g., via Mimikatz) is followed by lateral movement using RDP, PsExec, PDQ Deploy, and other remote services.
• Exfiltration & encryption: Data is exfiltrated via Rclone to cloud storage for leverage in extortion. The encryptor (gaze.exe) is then deployed across endpoints and servers using tools like BigFix. Backups are deleted, security services are halted, and files are encrypted with AES-256.
• Extortion & public pressure: Victims face double or triple extortion through threats of public leaks on Medusa’s .onion site or Telegram channels. Negotiations occur via email, Tor, or phone, often within tight 48-hour deadlines.

» Learn more about how ransomware operators gain access

Tailored Defenses Against Medusa's TTPs

Here are practical, tailored defenses against Medusa ransomware, aligned with its specific TTPs, and supported by official advisories.

1. Patch Critical Software Quickly

• Why: Medusa exploits public-facing vulnerabilities like ConnectWise ScreenConnect (CVE‑2024‑1709) to gain access
• Mitigation: Implement a risk-based patch cadence where critical systems are patched within 48–72 hours. Track vulnerable services and monitor patch feeds from vendors to stay ahead of known exploits like the one for ConnectWise ScreenConnect (CVE-2024-1709).

2. Restrict and Harden Remote Access

• How: Affiliates use legitimate remote access tools like AnyDesk, RDP, VPN, and ScreenConnect to move laterally within a network.
• Mitigation: Disable unused ports (e.g., RDP), enforce MFA, restrict remote administration tools via allow-lists and firewall rules, and monitor for unusual remote access sessions.

3. Enable Network Segmentation

• Why: Medusa spreads across flat networks to access backup and data stores.
• Mitigation: Segment internal networks by function or trust zone. Tightly control access between endpoints, servers, and backup zones, and apply zero-trust principles.

» Did you know? Ransomware groups are now selling network access directly

4. Deploy Behavior-based EDR/XDR

• Why: Medusa uses malicious signed drivers to disable security defenses.
• Mitigation: Use EDR/XDR with anti-ransomware modules to detect anomalous driver loads, attempts to delete shadow copies, and the execution of the gaze.exe ransomware payload.

5. Monitor for Data Exfiltration Tools

• Why: Medusa commonly uses rclone over HTTPS to move stolen data.
• Mitigation: Create SIEM/IDS alerts for rclone, certutil downloads, and large volumes of outbound encrypted data; block untrusted domains at proxy/firewall.

6. Implement Immutable & Offline Backups

• Why: Medusa deletes shadow copies and targets backups for destruction.
• Mitigation: Maintain immutable and offline backups across different zones. Test your recovery process quarterly to ensure reliability in the event of a ransomware attack.

7. Test with Breach Simulation & Threat Hunting

• Why: The FBI and CISA recommend testing defenses by mimicking Medusa's MITRE ATT&CK TTPs.
• Mitigation: Run red-team exercises or Breach and Attack Simulation (BAS) tools to simulate UAC bypass, lateral movement, and ransomware encryption paths. Tune alerts based on identified detection gaps.

» Learn more: The ransomware path from start to end

Proactive Patch and Vulnerability Management Against Medusa

To counter the Medusa ransomware group, organizations must structure a risk-based patch and vulnerability management program that prioritizes speed and real-world threat intelligence over simple compliance.

The Program Should Be Structured Around Three Key Steps:

• Continuous discovery: Automate the continuous scanning of the external, internet-facing attack surface to identify all exposed services like RDP, VPNs, and web applications.

• Threat-informed prioritization: Move beyond relying solely on CVSS scores. Prioritize patching based on the CISA Known Exploited Vulnerabilities (KEV) Catalog. Vulnerabilities listed in the KEV catalog are proven to be actively exploited by threat actors and should be treated as immediate, critical risks.

• Aggressive remediation: Enforce strict Service-Level Agreements (SLAs) for patching. For any vulnerability on an internet-facing system that appears in the KEV catalog, the remediation window should be no more than 72 hours.

» Make sure you know the difference between a vulnerability, a threat, and a risk

Real-World Victims of Medusa Ransomware

Based on claims from the group's public data leak site and reports from cybersecurity analysts, here is a list of prominent organizations that have fallen victim to the Medusa ransomware group.

Public Sector & Education

• Philippine Health Insurance Corporation (PhilHealth): A major attack in September 2023 compromised the personal data of millions of members.

• Minneapolis Public Schools (MPS): In March 2023, Medusa leaked a large volume of sensitive data, including student records and personnel files, after the district refused to pay a $1 million ransom.

Finance & Technology

• Toyota Financial Services: Medusa claimed responsibility for a November 2023 breach, threatening to leak sensitive corporate data from the automotive financial giant.

» Learn more: Key cyber threats facing the financial sector

Critical Infrastructure & Utilities

• Tonga Power Ltd: The public power utility for the island nation of Tonga was listed as a victim on Medusa's leak site.

» Worried you might be in danger? Here's how to know if you are an ideal ransomware victim

Defending Against AI-Enhanced Medusa Attacks

If Medusa operators begin using generative AI to automate their attacks, defense strategies must become more proactive and intelligent. Organizations should deploy AI-driven security tools that use machine learning for real-time threat detection. These advanced solutions can identify and block AI-generated phishing messages that easily bypass traditional filters.

KELA Cyber Can Help You Get Ahead

KELA provides crucial visibility into the cybercrime underground, giving you an early warning of new tactics. It tracks the spread of "dark AI tools" like WormGPT that Medusa affiliates might use and monitors discussions about new "jailbreaking techniques," offering intelligence on future attack methods before they are even deployed.

» Not convinced? Here are the reasons you need cyber threat intelligence

Outsmart AI-Driven Ransomware

Track emerging AI threats and act before they impact your network.

Start for FREE



Outsmarting Medusa with Proactive Intelligence

Medusa ransomware thrives on speed, stealth, and exploiting weak points in critical industries. Defending against them is not just about patching—it’s about proactive monitoring, restricting remote access, segmenting networks, and preparing for their evolving tactics. Threat intelligence plays a crucial role here. KELA Cyber provides early warnings by tracking dark web chatter, identifying emerging vulnerabilities, and uncovering Medusa’s latest tools before they strike. By combining this intelligence with robust internal defenses, organizations can stay ahead instead of reacting after the fact. The question is: are you prepared to outpace Medusa’s next move?

» Ready to begin? Set a FREE session with our experts