G1051: Medusa Group
Medusa Group has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates that certain attacks may still be conducted directly by the ransomware’s core developers. Public sources have also referred to the group as “Spearwing” or “Medusa Actors.” [1] [2] Medusa Group employs living-off-the-land techniques, frequently leveraging publicly available tools and common remote management software to conduct operations. The group engages in double extortion tactics, exfiltrating data prior to encryption and threatening to publish stolen information if ransom demands are not met. [3] For initial access, Medusa Group has exploited publicly known vulnerabilities, conducted phishing campaigns, and used credentials or access purchased from Initial Access Brokers (IABs). The group is opportunistic and has targeted a wide range of sectors globally. [4]
Analyst context for executives and security teams
Medusa Group matters because ATT&CK describes it as a ransomware group that evolved into a Ransomware-as-a-Service operation and uses double extortion: data theft before encryption. For leaders, the decision point is not only “can we stop ransomware,” but whether the organization can prove it can resist credential theft, remote access abuse, living-off-the-land activity, data exfiltration, and rapid lateral movement before encryption begins.
Executive priority
Prioritize this as an operational resilience and incident readiness issue. The ATT&CK relationships point to credential access against LSASS and NTDS, use of valid accounts, RDP, WMI, PsExec, PowerShell/cmd, software deployment tools, and Rclone-style cloud synchronization. Executives should ask whether privileged identity controls, remote administration governance, vulnerability exposure management, egress monitoring, backup recovery, and ransomware communications/legal workflows are tested together—not as separate control checklists.
Technical view
SOC, detection engineering, and IR teams should validate coverage around the behavior chain implied by the relationships: initial access may involve known vulnerabilities, phishing, or purchased credentials; follow-on activity may include discovery, credential dumping, lateral movement over RDP/WMI/PsExec, command execution via PowerShell or Windows command shell, use of legitimate admin/deployment tools, file deletion or command-history clearing, web-protocol C2, Rclone-like exfiltration, and eventual Medusa ransomware execution. Because MITRE provides no dedicated detection text for this group object, detection should be built from the related techniques and tools rather than group-name matching.
Likely telemetry
- Identity provider, VPN, RDP, and externally exposed service authentication logs, especially successful logins from unusual sources or with privileged accounts
- Windows endpoint telemetry including process creation, command line, PowerShell activity, WMI activity, service creation, LSASS access, and suspicious access to domain controller credential stores
- Domain controller and Active Directory audit logs for privileged group enumeration, NTDS-related access, and abnormal administrative authentication paths
- Remote administration and software deployment tool logs, including PsExec-like execution and centralized deployment activity
- Network telemetry for internal discovery, service scanning, lateral movement, and unusual web-protocol command-and-control patterns
Detection direction
- Do not rely on ransomware binary signatures alone; tune for precursor behaviors such as credential dumping, domain discovery, remote execution, and unusual use of legitimate administration tools.
- Baseline legitimate use of RDP, WMI, PsExec, PowerShell, cmd, certutil, software deployment platforms, and Rclone-like utilities so alerts can focus on abnormal account, host, time, destination, and volume patterns.
- Correlate valid-account activity with discovery and lateral movement. A single successful login may look benign, but a login followed by domain group enumeration, remote system discovery, service discovery, and remote execution is higher risk.
- Treat Rclone/cloud-sync style egress as a data-loss and ransomware precursor signal, especially when observed from servers, domain-joined systems, or accounts that do not normally perform bulk transfers.
- Account for blind spots: unmanaged endpoints, incomplete command-line logging, limited PowerShell visibility, missing domain controller auditing, unmonitored remote management tools, and weak outbound traffic inspection can hide much of the described activity.
Mitigation priorities
- First reduce initial access exposure: patch publicly known vulnerabilities, harden phishing-resistant access paths where feasible, and review externally exposed remote access services.
- Strengthen identity controls: enforce MFA for remote access and privileged accounts, limit standing administrative privileges, monitor valid-account abuse, and protect domain controllers and credential stores.
- Constrain lateral movement: restrict RDP/WMI/PsExec use, segment critical systems, and govern centralized software deployment tools with strong approval, logging, and least privilege.
- Improve ransomware resilience: maintain protected, tested backups; define recovery priorities; and rehearse incident response decisions for data theft plus encryption scenarios.
- Limit exfiltration paths: monitor and control unsanctioned cloud storage synchronization tools and unusual outbound transfer volumes while preserving business-approved use cases.
Analyst notes and limits
This take is based on ATT&CK group G1051 and its supplied relationships. The strongest defensible interpretation is that Medusa Group represents a ransomware and double-extortion risk pattern involving credential theft, living-off-the-land administration, lateral movement, discovery, exfiltration tooling, and ransomware execution. Local control validation should be mapped to the related techniques and tools, not to the group name alone.
The ATT&CK object lists no platforms or tactics directly for the group and provides no official detection text. Platform references in this take come from the supplied related techniques and software. The object also describes opportunistic targeting across sectors globally, so organization-specific exposure, likelihood, and control effectiveness require local telemetry and asset context.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1490 | Inhibit System Recovery | Medusa Group has deleted recovery files such as shadow copies using `vssadmin.exe`. [Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024; CISA Medusa Group Medusa Ransomware March 2025; Broadcom Medusa Ransomware Medusa Group March 2025; Security Scorecard Medusa Ransomware January 2024] |
| Enterprise | T1047 | Windows Management Instrumentation | Medusa Group has utilized Windows Management Instrumentation to query system information. [Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024; CISA Medusa Group Medusa Ransomware March 2025; Intel471 Medusa Ransomware May 2025] |
| Enterprise | T1570 | Lateral Tool Transfer | Medusa Group has utilized legitimate software services such as PDQ Deploy to transfer malicious binaries and tools to other victimized hosts within the target environment. [Broadcom Medusa Ransomware Medusa Group March 2025] |
| Enterprise | T1543.003 | Windows Service Sub-technique | Medusa Group has used vulnerable or signed drivers to modify security solutions on victim devices. [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1489 | Service Stop | Medusa Group has terminated services related to backups, security, databases, communication, file sharing, and websites. [CISA Medusa Group Medusa Ransomware March 2025; Broadcom Medusa Ransomware Medusa Group March 2025; Security Scorecard Medusa Ransomware January 2024] |
| Enterprise | T1106 | Native API | Medusa Group has leveraged Windows Native API functions to execute payloads. [Security Scorecard Medusa Ransomware January 2024] |
| Enterprise | T1583.006 | Web Services Sub-technique | Medusa Group has utilized a file hosting service named filemail[.]com to host a zip file that contained malicious payloads that facilitated follow-on actions. [Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024] |
| Enterprise | T1608.002 | Upload Tool Sub-technique | Medusa Group has utilized a file hosting service called filemail[.]com to host a zip file that contained an RMM service such as ConnectWise. [Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024] |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | Medusa Group has obfuscated PowerShell scripts with Base64 encoding. [CISA Medusa Group Medusa Ransomware March 2025] Medusa Group has also obfuscated the code of dropped kernel drivers using software known as Safengine Shielden, which randomized the code through code mutations and then leveraged an embedded virtual machine interpreter to execute it. [Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024] |
| Enterprise | T1083 | File and Directory Discovery | Medusa Group has searched for files within the victim environment for encryption and exfiltration. [Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024; CISA Medusa Group Medusa Ransomware March 2025; Security Scorecard Medusa Ransomware January 2024] Medusa Group has also identified files associated with remote management services. [Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024; CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1112 | Modify Registry | Medusa Group has modified Registry keys to elevate privileges, maintain persistence, and allow remote access. [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1588.002 | Tool Sub-technique | Medusa Group has obtained and leveraged numerous RMM services, along with publicly available tools used for scanning. [Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024; CISA Medusa Group Medusa Ransomware March 2025; Broadcom Medusa Ransomware Medusa Group March 2025] Medusa Group has utilized tools such as Advanced IP Scanner and SoftPerfect Network Scanner for user, system, and network discovery. [CISA Medusa Group Medusa Ransomware March 2025] Medusa Group has also acquired tools for command and control and defense evasion, including the tunneling tools Ligolo and Cloudflared. [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1087.001 | Local Account Sub-technique | Medusa Group has leveraged `net user` for account discovery. [Broadcom Medusa Ransomware Medusa Group March 2025] |
| Enterprise | T1585.001 | Social Media Accounts Sub-technique | Medusa Group has created social media accounts, including on Telegram and X, to publicize their activities. [Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024; Check Point Medusa Ransomware April 2025] |
| Enterprise | T1567.002 | Exfiltration to Cloud Storage Sub-technique | Medusa Group has utilized Rclone to exfiltrate data from victim environments to cloud storage. [CISA Medusa Group Medusa Ransomware March 2025; Broadcom Medusa Ransomware Medusa Group March 2025] |
| Enterprise | T1070.003 | Clear Command History Sub-technique | Medusa Group has cleared command history by running the PowerShell command `Remove-Item (Get-PSReadlineOption).HistorySavePath`. [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1650 | Acquire Access | Medusa Group has purchased user credentials and other sensitive data from Initial Access Brokers (IABs). [Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024; Check Point Medusa Ransomware April 2025; CISA Medusa Group Medusa Ransomware March 2025; Intel471 Medusa Ransomware May 2025] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Medusa Group has communicated through reverse or bind shells over port 443 (HTTPS). [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1686 | Disable or Modify System Firewall | Medusa Group has utilized PsExec to execute batch scripts that modify firewall settings. [CISA Medusa Group Medusa Ransomware March 2025] Medusa Group has also enabled and modified firewall rules to allow RDP connections for lateral movement and device interactions. [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1564.003 | Hidden Window Sub-technique | Medusa Group has utilized the `ShowWindow` API function to hide the current window. [Security Scorecard Medusa Ransomware January 2024] |
| Enterprise | T1135 | Network Share Discovery | Medusa Group has identified network shares using `cmd.exe /c net share`. [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1090.003 | Multi-hop Proxy Sub-technique | Medusa Group has used Tor nodes for communications. [Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024; Check Point Medusa Ransomware April 2025; Broadcom Medusa Ransomware Medusa Group March 2025] |
| Enterprise | T1190 | Exploit Public-Facing Application | Medusa Group has leveraged public-facing vulnerabilities in their campaigns against victim organizations to gain initial access. [Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024; Broadcom Medusa Ransomware Medusa Group March 2025] Medusa Group has also utilized CVE-2024-1709 in ScreenConnect and CVE-2023-48788 in Fortinet EMS for initial access to victim environments. [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1218.014 | MMC Sub-technique | Medusa Group has leveraged Microsoft Management Console (MMC) to facilitate lateral movement and to interact locally or remotely with victim devices using the command `mmc.exe compmgmt.msc /computer:{hostname/ip}`. [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1585.002 | Email Accounts Sub-technique | Medusa Group has created email accounts used in ransomware negotiations. [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1078 | Valid Accounts | Medusa Group has utilized compromised legitimate local and domain accounts within the victim environment to facilitate remote access and lateral movement, sometimes in combination with PsExec. [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1105 | Ingress Tool Transfer | Medusa Group has leveraged certutil, PowerShell, and the Windows command shell to download additional tools, including RMM services. [CISA Medusa Group Medusa Ransomware March 2025] Medusa Group has also engaged in “Bring Your Own Vulnerable Driver” (BYOVD) and downloaded vulnerable or signed drivers to the victim environment to disable security tools. [CISA Medusa Group Medusa Ransomware March 2025; Broadcom Medusa Ransomware Medusa Group March 2025] |
| Enterprise | T1057 | Process Discovery | Medusa Group has utilized a hard-coded list of security tool processes, which it identifies and terminates using an undocumented IOCTL code 0x222094. [Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024] |
| Enterprise | T1559.001 | Component Object Model Sub-technique | Medusa Group has leveraged Component Object Model (COM) to bypass UAC. [Intel471 Medusa Ransomware May 2025] |
| Enterprise | T1219 | Remote Access Tools | Medusa Group has leveraged Remote Access Software for lateral movement and data exfiltration. [Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024; CISA Medusa Group Medusa Ransomware March 2025; Broadcom Medusa Ransomware Medusa Group March 2025; Security Scorecard Medusa Ransomware January 2024] Medusa Group has also been known to utilize Remote Access Software such as AnyDesk, Atera, ConnectWise, eHorus, N-Able, PDQ Deploy, PDQ Inventory, SimpleHelp, and Splashtop. [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1003.003 | NTDS Sub-technique | Medusa Group has accessed the ntds.dit file to engage in credential dumping. [Broadcom Medusa Ransomware Medusa Group March 2025] |
| Enterprise | T1018 | Remote System Discovery | Medusa Group has used PDQ Inventory to get an inventory of the endpoints on the network. [Broadcom Medusa Ransomware Medusa Group March 2025] |
| Enterprise | T1569.002 | Service Execution Sub-technique | Medusa Group has utilized PsExec to execute scripts and commands within victim environments. [Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024; CISA Medusa Group Medusa Ransomware March 2025; Broadcom Medusa Ransomware Medusa Group March 2025] Medusa Group has also used the Windows service RoboCopy to search for and copy data for exfiltration. [Broadcom Medusa Ransomware Medusa Group March 2025] |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | Medusa Group has leveraged Mimikatz to dump LSASS to harvest credentials. [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | Medusa Group has used HTTPS for command and control. [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1486 | Data Encrypted for Impact | Medusa Group has encrypted files using AES-256, appended the file extension “.medusa” to encrypted files, and left a ransom note named “!READ_ME_MEDUSA!!!.txt”. [Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024; CISA Medusa Group Medusa Ransomware March 2025; Broadcom Medusa Ransomware Medusa Group March 2025; Security Scorecard Medusa Ransomware January 2024] |
| Enterprise | T1059.001 | PowerShell Sub-technique | Medusa Group has leveraged PowerShell for execution and defense evasion. [Check Point Medusa Ransomware April 2025; CISA Medusa Group Medusa Ransomware March 2025; Intel471 Medusa Ransomware May 2025] Medusa Group has also utilized PowerShell to execute a bitsadmin transfer from a file hosting site. [Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024] |
| Enterprise | T1136.002 | Domain Account Sub-technique | Medusa Group has created a domain account within the victim environment. [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1657 | Financial Theft | Medusa Group has stolen and encrypted victims' data in order to extort victims into paying a ransom. [Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024; Check Point Medusa Ransomware April 2025; CISA Medusa Group Medusa Ransomware March 2025; Intel471 Medusa Ransomware May 2025; Broadcom Medusa Ransomware Medusa Group March 2025; Security Scorecard Medusa Ransomware January 2024] |
| Enterprise | T1652 | Device Driver Discovery | Medusa Group has queried drivers on the victim device through the command `driverquery`. [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1690 | Prevent Command History Logging | Medusa Group has removed PowerShell command history through the use of the PSReadLine module by running the PowerShell command `Remove-Item (Get-PSReadlineOption).HistorySavePath`. [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1027.002 | Software Packing Sub-technique | Medusa Group has packed the code of dropped kernel drivers using the packer ASM Guard. [Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024] |
| Enterprise | T1070.004 | File Deletion Sub-technique | Medusa Group has deleted previously installed tools. [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Medusa Group has used Windows Command Prompt to control and execute commands on the system, including ingress, network, and filesystem enumeration activities. [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1069.002 | Domain Groups Sub-technique | Medusa Group has utilized the `net group` command to query domain groups within the victim environment. [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1553.002 | Code Signing Sub-technique | Medusa Group has utilized vulnerable or signed drivers to kill or delete services associated with endpoint detection and response (EDR) tools. [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1505.003 | Web Shell Sub-technique | Medusa Group has utilized web shells on an exploited Microsoft Exchange Server. [Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024] |
| Enterprise | T1529 | System Shutdown/Reboot | Medusa Group has manually turned off and encrypted virtual machines. [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | Medusa Group has detected security solutions for termination or deletion within the victim device using hard-coded lists of strings containing security product executables. [Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024] |
| Enterprise | T1016 | System Network Configuration Discovery | Medusa Group has obtained host network details utilizing the command `cmd.exe /c ipconfig /all`. [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1685 | Disable or Modify Tools | Medusa Group has terminated antivirus services using the `gaze.exe` executable and `psexec.exe`. [Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024; CISA Medusa Group Medusa Ransomware March 2025; Broadcom Medusa Ransomware Medusa Group March 2025] Medusa Group has also leveraged I/O control codes (IOCTLs) for terminating and deleting processes of identified security tools. [Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024] |
| Enterprise | T1046 | Network Service Discovery | Medusa Group has the capability to use living off the land (LOTL) binaries to perform network enumeration. [CISA Medusa Group Medusa Ransomware March 2025] Medusa Group has also utilized the publicly available scanning tool SoftPerfect Network Scanner (`netscan.exe`) to discover device hostnames and network services. [Broadcom Medusa Ransomware Medusa Group March 2025] |
| Enterprise | T1033 | System Owner/User Discovery | Medusa Group has utilized PsExec to execute `quser` to discover user session information. [Broadcom Medusa Ransomware Medusa Group March 2025] |
| Enterprise | T1082 | System Information Discovery | Medusa Group has leveraged `cmd.exe` to identify system information via `cmd.exe /c systeminfo`. [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | Medusa Group has used RDP to conduct lateral movement and exfiltrate data. [CISA Medusa Group Medusa Ransomware March 2025] Medusa Group has also utilized the Windows executable `mstsc.exe` for RDP activities through the command `mstsc.exe /v:{hostname/ip}`. [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1072 | Software Deployment Tools | Medusa Group has utilized software deployment and management solutions, including BigFix and PDQ Deploy, to deploy their encryption payload. [CISA Medusa Group Medusa Ransomware March 2025] |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | Medusa Group has attempted to bypass UAC using a Component Object Model (COM) interface. [Intel471 Medusa Ransomware May 2025] |
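The detection direction above asks for correlation rather than single-event alerting: a valid-account logon followed by domain group enumeration, remote execution and Rclone-style egress is the chain that matters, and sanctioned administrative use has to be baselined out first. The Python below is an added example for this page, not Glexia or MITRE code. It takes the command lines the technique table attributes to Medusa Group (net group/share/user, systeminfo, ipconfig /all, driverquery, quser, mmc compmgmt.msc /computer:, mstsc /v:, PsExec, vssadmin shadow deletion, the PSReadLine history removal, Rclone), maps each to its technique ID, and grades every logon by which stages of the chain the same account reached within a time window. The event field names (ts, host, user, kind, cmdline), the regexes, the stage grouping and the sample events are all constructed for the example.

```python
"""Correlate a logon with the follow-on behaviours in the technique table.

Added example for this page, not Glexia or MITRE code. Technique IDs and command
strings come from the table; regexes, event fields and sample data are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (technique id, stage, regex). Stages group the table rows into the chain the
# detection direction describes: discovery -> lateral/remote execution ->
# egress or impact, with history clearing kept as an evasion marker.
PATTERNS = [
    ("T1069.002", "discovery", r"\bnet(\.exe)?\s+group\b"),
    ("T1135",     "discovery", r"\bnet(\.exe)?\s+share\b"),
    ("T1087.001", "discovery", r"\bnet(\.exe)?\s+user\b"),
    ("T1082",     "discovery", r"\bsysteminfo\b"),
    ("T1016",     "discovery", r"\bipconfig\s+/all\b"),
    ("T1652",     "discovery", r"\bdriverquery\b"),
    ("T1033",     "discovery", r"\bquser\b"),
    ("T1218.014", "lateral",   r"\bmmc(\.exe)?\s+compmgmt\.msc\s+/computer:"),
    ("T1021.001", "lateral",   r"\bmstsc(\.exe)?\s+/v:"),
    ("T1569.002", "lateral",   r"\bpsexec(64)?(\.exe)?\b"),
    ("T1490",     "impact",    r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"),
    ("T1070.003", "evasion",   r"Remove-Item\s+\(Get-PSReadlineOption\)\.HistorySavePath"),
    ("T1567.002", "egress",    r"\brclone(\.exe)?\b"),
]
COMPILED = [(tid, stage, re.compile(rx, re.I)) for tid, stage, rx in PATTERNS]


def classify(cmdline):
    """Technique IDs from the table whose pattern matches this command line."""
    return [tid for tid, _, rx in COMPILED if rx.search(cmdline)]


def grade(stages):
    """Egress or impact on top of discovery/lateral movement is the full chain;
    discovery plus remote execution is the precursor chain; a lone logon is noise."""
    if stages & {"egress", "impact"}:
        return "critical" if stages & {"discovery", "lateral"} else "high"
    if {"discovery", "lateral"} <= stages:
        return "high"
    return "medium" if stages else "info"


def correlate(events, window=timedelta(minutes=60), baseline=frozenset()):
    """For each logon, collect techniques run by the same account within `window`,
    drop (user, technique) pairs baselined as sanctioned admin use, grade the rest."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(dict(ev, t=datetime.fromisoformat(ev["ts"])))
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["t"])
        for i, logon in enumerate(evs):
            if logon["kind"] != "logon":
                continue
            hits, stages = set(), set()
            for ev in evs[i + 1:]:
                if ev["t"] - logon["t"] > window:
                    break  # past the window: activity must be tied to a later logon
                if ev["kind"] != "process":
                    continue
                for tid, stage, rx in COMPILED:
                    if rx.search(ev["cmdline"]) and (user, tid) not in baseline:
                        hits.add(tid)
                        stages.add(stage)
            findings.append({"user": user, "host": logon["host"], "logon_ts": logon["ts"],
                             "techniques": sorted(hits), "stages": sorted(stages),
                             "severity": grade(stages)})
    return findings


# Constructed sample telemetry (not from any real incident).
SAMPLE_EVENTS = [
    {"ts": "2025-03-12T02:10:00", "host": "SRV-FILE01", "user": "svc_backup", "kind": "logon"},
    {"ts": "2025-03-12T02:12:00", "host": "SRV-FILE01", "user": "svc_backup", "kind": "process",
     "cmdline": 'cmd.exe /c net group "Domain Admins" /domain'},
    {"ts": "2025-03-12T02:13:00", "host": "SRV-FILE01", "user": "svc_backup", "kind": "process",
     "cmdline": "cmd.exe /c net share"},
    {"ts": "2025-03-12T02:20:00", "host": "SRV-FILE01", "user": "svc_backup", "kind": "process",
     "cmdline": r"psexec.exe \\SRV-APP02 quser"},
    {"ts": "2025-03-12T02:40:00", "host": "SRV-FILE01", "user": "svc_backup", "kind": "process",
     "cmdline": r"rclone.exe copy D:\Finance cloud:share"},
    {"ts": "2025-03-12T02:41:00", "host": "SRV-FILE01", "user": "svc_backup", "kind": "process",
     "cmdline": 'powershell.exe -c "Remove-Item (Get-PSReadlineOption).HistorySavePath"'},
    {"ts": "2025-03-12T09:00:00", "host": "WS-1042", "user": "jdoe", "kind": "logon"},
    {"ts": "2025-03-12T09:05:00", "host": "WS-1042", "user": "jdoe", "kind": "process",
     "cmdline": "cmd.exe /c ipconfig /all"},
    {"ts": "2025-03-12T10:00:00", "host": "JUMP01", "user": "it-admin", "kind": "logon"},
    {"ts": "2025-03-12T10:05:00", "host": "JUMP01", "user": "it-admin", "kind": "process",
     "cmdline": r"psexec.exe \\SRV-APP02 ipconfig /all"},
]
# Sanctioned use recorded during baselining (assumption): the jump-host admin
# runs PsExec and ipconfig as routine work, so those pairs are not scored.
BASELINE = frozenset({("it-admin", "T1569.002"), ("it-admin", "T1016")})

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS, baseline=BASELINE):
        print(f["severity"], f["user"], f["host"], f["techniques"])
```

Run stand-alone, the service account on the file server grades critical (discovery, PsExec, Rclone and history clearing inside one hour), the workstation user grades medium on a single ipconfig, and the jump-host admin grades info only because both of its techniques are in the baseline; without the baseline the same admin would grade high, which is the trade-off the "baseline legitimate use" bullet is about. The window cut-off is also the blind spot noted above: activity with no logon event in view (unmanaged endpoint, missing authentication logs) never enters a chain, so the per-technique patterns still need standalone rules for the impact and egress stages.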
Groups, software, and campaigns
S0160: certutil
S1040: Rclone
S1244: Medusa Ransomware
Medusa Ransomware has been utilized in attacks since at least 2021. Medusa Ransomware has been known to be utilized in conjunction with living off the land techniques and remote management software. Medusa Ransomware has been used in campaigns associated with “double extortion” ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Medusa Ransomware software was initially a closed ransomware variant which later evolved to a Ransomware as a Service (RaaS). Medusa Ransomware has impacted victims from a diverse range of sectors within a multitude of countries, and it is assessed Medusa Ransomware is used in an opportunistic manner.[1][2][3][4]
S0002: Mimikatz
S0029: PsExec
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2a3cd4c70af9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] CISA Medusa Group Medusa Ransomware March 2025
Cybersecurity and Infrastructure Security Agency. (2025, March 12). AA25-071A #StopRansomware: Medusa Ransomware. Retrieved October 15, 2025.
[2] Broadcom Medusa Ransomware Medusa Group March 2025
Threat Hunter Team Symantec and Carbon Black. (2025, March 6). Medusa Ransomware Activity Continues to Increase. Retrieved October 15, 2025.
[3] Security Scorecard Medusa Ransomware January 2024
Vlad Pasca. (2024, January 1). A Deep Dive into Medusa Ransomware. Retrieved October 15, 2025.
[4] Intel471 Medusa Ransomware May 2025
Intel471. (2025, May 14). Threat hunting case study: Medusa ransomware. Retrieved October 15, 2025.
[5] mitre-attack G1051
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.