Prevent Medusa Ransomware: Essential Security Steps

Upcoming Webinar / Breached By Association - Outsmarting Cyber Risk In Your Supply Chain

Read more

In this article

Preventing Medusa Ransomware: A Step-by-Step Security Checklist

Medusa ransomware uses aggressive extortion and rapid attack methods to hit critical industries. This blog explains their tactics and shows how KELA Cyber can help you stay one step ahead.

a black and red logo with the word kela on it
By KELA Cyber Team
Danell BIO
Edited by Danéll Theron

Updated September 5, 2025

Preventing Medusa Ransomware: A Step-by-Step Security Checklist

Medusa ransomware has quickly become a prominent threat, targeting sectors where disruption can be devastating. Its operators remain elusive, using a Ransomware-as-a-Service model and aggressive extortion tactics to pressure victims.

Understanding how to prevent Medusa ransomware requires more than generic security advice—it demands a close look at how they operate. In this blog, we will break down who is behind Medusa ransomware, their tactics, the sectors they target, and actionable ways to defend against them.

» Protect your business from ransomware today: Try KELA for free



Who Is Behind Medusa Ransomware?

The identities of the Medusa ransomware group's operators remain unknown, but they are tracked by security firms as Spearwing and GOLD+BERG. A Ransomware-as-a-Service (RaaS) model has been operated since 2022, with financial motivations driving the group to employ double and triple extortion tactics—data encryption, threats of public leaks on the "Medusa Blog," and DDoS attacks.

Although not formally linked to nation-states, they differ from the older MedusaLocker malware and actively recruit affiliates on cybercriminal forums for attack execution.

» See our complete guide to combating ransomware



Which Organizations Does Medusa Target?

Healthcare and Public Sector

The healthcare and public sectors are targeted by Medusa due to their reliance on continuous operational uptime and the sensitive nature of their data. Service disruptions can lead to life-threatening outcomes, increasing the urgency to pay ransoms.

Attackers exploit limited security budgets and complex networks through phishing campaigns and by targeting vulnerable, internet-facing remote access tools like RDP for initial access.

Education

Educational institutions, including K-12 districts and universities, are often targeted by Medusa. Their appeal lies in large, decentralized networks used by non-technical users (students), widespread BYOD policies, and frequently under-resourced IT security teams.

This situation creates a broad attack surface with many potential entry points for phishing campaigns and exploitation of unpatched, public-facing applications.

Manufacturing

Manufacturing companies are targeted by Medusa due to the significant financial impact of operational downtime. The convergence of Information Technology (IT) and Operational Technology (OT) networks introduces unique risks. An attack that disrupts production lines can incur millions in losses per day, increasing the likelihood of ransom payments.

Vulnerabilities are commonly found in legacy industrial control systems and inadequately secured remote management software.

» Learn more about how hackers gain entry to your systems

Cyber Threat Intelligence

Detect and mitigate attacks on finance and healthcare systems with real-time insights and continuous monitoring.




Medusa Ransomware: Attack Tactics, Techniques, and Procedures (TTPs)

The Medusa ransomware group employs a structured, multi-stage attack chain that guides its operations from initial network entry to data theft and extortion.

This structured attack lifecycle showcases a high degree of operational maturity and automation designed to maximize impact and pressure victims to pay.

» Learn more about how ransomware operators gain access



Tailored Defenses Against Medusa's TTPs

Here are practical, tailored defenses against Medusa ransomware, aligned with its specific TTPs, and supported by official advisories.

1. Patch Critical Software Quickly

  • Why: Medusa exploits public-facing vulnerabilities like ConnectWise ScreenConnect (CVE‑2024‑1709) to gain access
  • Mitigation: Implement a risk-based patch cadence where critical systems are patched within 48–72 hours. Track vulnerable services and monitor patch feeds from vendors to stay ahead of known exploits like the one for ConnectWise ScreenConnect (CVE-2024-1709).

2. Restrict and Harden Remote Access

  • How: Affiliates use legitimate remote access tools like AnyDesk, RDP, VPN, and ScreenConnect to move laterally within a network.
  • Mitigation: Disable unused ports (e.g., RDP), enforce MFA, restrict remote administration tools via allow-lists and firewall rules, and monitor for unusual remote access sessions.

3. Enable Network Segmentation

» Did you know? Ransomware groups are now selling network access directly

4. Deploy Behavior-based EDR/XDR

  • Why: Medusa uses malicious signed drivers to disable security defenses.
  • Mitigation: Use EDR/XDR with anti-ransomware modules to detect anomalous driver loads, attempts to delete shadow copies, and the execution of the gaze.exe ransomware payload.

5. Monitor for Data Exfiltration Tools

  • Why: Medusa commonly uses rclone over HTTPS to move stolen data.
  • Mitigation: Create SIEM/IDS alerts for rclone, certutil downloads, and large volumes of outbound encrypted data; block untrusted domains at proxy/firewall.

6. Implement Immutable & Offline Backups

  • Why: Medusa deletes shadow copies and targets backups for destruction.
  • Mitigation: Maintain immutable and offline backups across different zones. Test your recovery process quarterly to ensure reliability in the event of a ransomware attack.

7. Test with Breach Simulation & Threat Hunting

  • Why: The FBI and CISA recommend testing defenses by mimicking Medusa's MITRE ATT&CK TTPs.
  • Mitigation: Run red-team exercises or Breach and Attack Simulation (BAS) tools to simulate UAC bypass, lateral movement, and ransomware encryption paths. Tune alerts based on identified detection gaps.

By combining these targeted controls—including swift patching, restricted admin tools, advanced behavioral detection, and immutable backups—you can create a robust defense that actively disrupts Medusa's attack chain instead of just relying on generic prevention methods.

» Learn more: The ransomware path from start to end

Ransomware Protection

Detect, assess, and mitigate ransomware threats in real time. KELA gives your organization the visibility and intelligence to act before damage occurs.




Proactive Patch and Vulnerability Management Against Medusa

To counter the Medusa ransomware group, organizations must structure a risk-based patch and vulnerability management program that prioritizes speed and real-world threat intelligence over simple compliance.

The Program Should Be Structured Around Three Key Steps:

  • Continuous discovery: Automate the continuous scanning of the external, internet-facing attack surface to identify all exposed services like RDP, VPNs, and web applications.

  • Threat-informed prioritization: Move beyond relying solely on CVSS scores. Prioritize patching based on the CISA Known Exploited Vulnerabilities (KEV) Catalog. Vulnerabilities listed in the KEV catalog are proven to be actively exploited by threat actors and should be treated as immediate, critical risks.

  • Aggressive remediation: Enforce strict Service-Level Agreements (SLAs) for patching. For any vulnerability on an internet-facing system that appears in the KEV catalog, the remediation window should be no more than 72 hours.

» Make sure you know the difference between a vulnerability, a threat, and a risk



Real-World Victims of Medusa Ransomware

Based on claims from the group's public data leak site and reports from cybersecurity analysts, here is a list of prominent organizations that have fallen victim to the Medusa ransomware group.

Take note: This is not a complete list, as many attacks go unreported, and new victims are frequently added to the group's leak site.

Public Sector & Education

Finance & Technology

  • Toyota Financial Services: Medusa claimed responsibility for a November 2023 breach, threatening to leak sensitive corporate data from the automotive financial giant.

» Learn more: Key cyber threats facing the financial sector

Critical Infrastructure & Utilities

  • Tonga Power Ltd: The public power utility for the island nation of Tonga was listed as a victim on Medusa's leak site.

» Worried you might be in danger? Here's how to know if you are an ideal ransomware victim



Defending Against AI-Enhanced Medusa Attacks

If Medusa operators begin using generative AI to automate their attacks, defense strategies must become more proactive and intelligent. Organizations should deploy AI-driven security tools that use machine learning for real-time threat detection. These advanced solutions can identify and block AI-generated phishing messages that easily bypass traditional filters.

Did you know? In 2024, there was a 200% increase in mentions of malicious AI tools on cybercrime forums, highlighting a growing underground market for AI-assisted cybercrime

KELA Cyber Can Help You Get Ahead

KELA provides crucial visibility into the cybercrime underground, giving you an early warning of new tactics. It tracks the spread of "dark AI tools" like WormGPT that Medusa affiliates might use and monitors discussions about new "jailbreaking techniques," offering intelligence on future attack methods before they are even deployed.

» Not convinced? Here are the reasons you need cyber threat intelligence

Outsmart AI-Driven Ransomware

Track emerging AI threats and act before they impact your network.




Outsmarting Medusa with Proactive Intelligence

Medusa ransomware thrives on speed, stealth, and exploiting weak points in critical industries. Defending against them is not just about patching—it’s about proactive monitoring, restricting remote access, segmenting networks, and preparing for their evolving tactics. Threat intelligence plays a crucial role here. KELA Cyber provides early warnings by tracking dark web chatter, identifying emerging vulnerabilities, and uncovering Medusa’s latest tools before they strike. By combining this intelligence with robust internal defenses, organizations can stay ahead instead of reacting after the fact. The question is: are you prepared to outpace Medusa’s next move?

» Ready to begin? Set a FREE session with our experts

FAQs

What is Medusa ransomware and who operates it?

Medusa ransomware is a Ransomware-as-a-Service (RaaS) group active since 2022. Its operators remain unidentified but are tracked under names like Spearwing and GOLD+BERG. They use double and triple extortion tactics, including data encryption, public leaks, and DDoS attacks.

Which sectors are most targeted by Medusa?

Medusa primarily targets healthcare, public sector, education, and manufacturing. These sectors are attractive due to high operational reliance, sensitive data, large networks, and potential financial losses from downtime.

How does Medusa gain access to networks?

Initial access is often achieved through phishing campaigns, credential theft, and exploiting unpatched, internet-facing applications such as RDP or ConnectWise vulnerabilities. Affiliates then use living-off-the-land tools, lateral movement, and credential dumping to spread within networks.