The Medusa ransomware gang has infected more than 300 organizations in critical infrastructure sectors such as the medical, manufacturing and technology industries.
That’s according to a joint cybersecurity advisory published Wednesday by CISA, the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The agencies noted that Medusa — which is not connected to MedusaLocker ransomware — has been active since 2021 and initially began as a closed ransomware operation.
“While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers,” the advisory said. “Both Medusa developers and affiliates — referred to as ‘Medusa actors’ in this advisory — employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid.”
According to the advisory, Medusa developers typically employ initial access brokers on cybercriminal forums to obtain entry into victims’ environments. During the attacks, Medusa actors use a wide range of legitimate software to move laterally, including remote access tools like AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp and Splashtop. Additionally, the threat actors frequently use Advanced IP Scanner and SoftPerfect Network Scanner to gather information on targeted users, systems and networks.
Medusa hides behind legit tools
The agencies said Medusa actors typically use living-off-the-land (LotL) techniques to evade detection, as well as several PowerShell techniques of “increasing complexity.” A key component of some attacks, according to the advisory, is loading vulnerable or signed drivers in what is known as a “bring your own vulnerable driver,” or BYOVD, attack. The advisory said Medusa actors use BYOVD to kill and even delete endpoint detection and response products.
In a blog post last week, Symantec’s Threat Hunter team noted that Medusa activity increased 42% year-over-year in 2024 and continued rising in January and February. The researchers also highlighted extensive use of both legitimate drivers and custom-developed malicious tools like AVKill and POORTRY to bypass or disable security software.
“BYOVD is a technique that has been increasingly used in ransomware attack chains over the last two years,” the blog post said. “In almost all Medusa attacks, KillAV and associated vulnerable drivers are used in this part of the attack chain to download drivers and disable security software.”
Symantec’s Threat Hunter team investigated an attack in January against a healthcare entity and found that the Medusa actors used AVKill, POORTRY and an unknown driver to disable the organization’s defenses. The attackers also used RClone, an open-source tool, for data exfiltration and PsExec to issue commands remotely. The researchers noted that the ransomware executable deleted itself after encrypting targeted systems and files.
CISA, the FBI and MS-ISAC recommended several steps to mitigate the threat of Medusa ransomware, including disabling command-line and scripting activities and permissions to limit LotL techniques. “Privilege escalation and lateral movement often depend on software utilities running from the command line,” the advisory said. “If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally.”
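The detection side of the BYOVD and living-off-the-land activity described above, and of the command-line restriction the advisory recommends, as an added example that is not from the advisory or from Symantec’s post: a Python script that walks Sysmon-style driver-load (Event ID 6) and process-creation (Event ID 1) records, flags driver loads that are blocklisted, unsigned, or signed by a publisher not expected on the fleet, flags execution of the remote-access and exfiltration tools the article names, and escalates any host that shows both signals. The event field names follow Sysmon’s schema; the blocklist hash, the expected-signer list, the executable stems and the log records themselves are constructed placeholders.

```python
"""
Added detection example, not from the CISA/FBI/MS-ISAC advisory or Symantec's post.
Flags two behaviours the article describes: driver loads with the BYOVD profile
and execution of the remote-access / exfiltration tools the advisory names.
All records, hashes and publisher names below are constructed for illustration.
"""
from collections import defaultdict

# Constructed SHA-256 blocklist (placeholder value, not a real driver hash).
# In production, populate from Microsoft's vulnerable driver blocklist or the
# organisation's own deny list.
VULNERABLE_DRIVER_SHA256 = {"0" * 64}

# Publishers whose kernel drivers are expected on this fleet (constructed list).
EXPECTED_SIGNERS = {"Microsoft Windows", "Example EDR Vendor Inc."}

# Executable stems for the tools the article names. Real binary names vary by
# vendor and version, so treat these stems as assumptions to be replaced with
# the organisation's own inventory.
WATCHED_TOOLS = {
    "anydesk", "atera", "connectwise", "ehorus", "n-able", "pdqdeploy",
    "pdqinventory", "simplehelp", "splashtop", "advanced_ip_scanner",
    "netscan", "rclone", "psexec",
}


def classify_driver_load(event):
    """Return (severity, kind, reason) for a Sysmon-style Event ID 6 record, or None."""
    sha256 = event.get("Hashes", {}).get("SHA256", "").lower()
    image = event.get("ImageLoaded", "")
    if sha256 in VULNERABLE_DRIVER_SHA256:
        return ("high", "driver", f"blocklisted driver loaded: {image}")
    if event.get("Signed") != "true" or event.get("SignatureStatus") != "Valid":
        return ("high", "driver", f"unsigned or invalid-signature driver: {image}")
    if event.get("Signature") not in EXPECTED_SIGNERS:
        # Validly signed but from an unexpected publisher: this is exactly the
        # BYOVD profile, so it deserves review even without a blocklist hit.
        return ("medium", "driver",
                f"validly signed driver from unexpected publisher "
                f"'{event.get('Signature')}': {image}")
    return None


def classify_process(event):
    """Return (severity, kind, reason) for a Sysmon-style Event ID 1 record, or None."""
    image = event.get("Image", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
    stem = image[:-4] if image.endswith(".exe") else image
    if stem in WATCHED_TOOLS:
        return ("medium", "tool", f"watched remote-access/exfil tool executed: {image}")
    return None


def analyse(events):
    """Group findings per host; escalate hosts that show both driver and tool signals."""
    findings = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 6:
            hit = classify_driver_load(ev)
        elif ev["EventID"] == 1:
            hit = classify_process(ev)
        else:
            hit = None
        if hit:
            findings[ev["Computer"]].append(hit)
    for hits in findings.values():
        kinds = {kind for _, kind, _ in hits}
        if kinds == {"driver", "tool"}:
            hits.append(("critical", "combined",
                         "driver tampering signal and remote tool on the same host"))
    return dict(findings)


# Constructed sample records modelled on Sysmon Event IDs 6 and 1.
SAMPLE_EVENTS = [
    {"EventID": 6, "Computer": "ws-01",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\legit.sys", "Signed": "true",
     "SignatureStatus": "Valid", "Signature": "Microsoft Windows",
     "Hashes": {"SHA256": "a" * 64}},
    {"EventID": 6, "Computer": "ws-02",
     "ImageLoaded": "C:\\Users\\Public\\olddrv.sys", "Signed": "true",
     "SignatureStatus": "Valid", "Signature": "Some Hardware Co",
     "Hashes": {"SHA256": "0" * 64}},
    {"EventID": 1, "Computer": "ws-02", "Image": "C:\\Users\\Public\\rclone.exe",
     "CommandLine": "rclone.exe copy C:\\share remote:bucket"},
    {"EventID": 1, "Computer": "ws-03",
     "Image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "CommandLine": "AnyDesk.exe"},
]

if __name__ == "__main__":
    for host, hits in analyse(SAMPLE_EVENTS).items():
        for severity, kind, reason in hits:
            print(f"{host}\t{severity}\t{kind}\t{reason}")
```

The hash check is deliberately first: BYOVD drivers carry a valid signature, so signature status alone clears them, and the unexpected-publisher branch exists only to surface drivers the blocklist has not caught yet for analyst review rather than automatic blocking.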