
S1244: Medusa Ransomware

Medusa Ransomware has been utilized in attacks since at least 2021. Medusa Ransomware has been known to be utilized in conjunction with living off the land techniques and remote management software. Medusa Ransomware has been used in campaigns associated with “double extortion” ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Medusa Ransomware software was initially a closed ransomware variant which later evolved to a Ransomware as a Service (RaaS). Medusa Ransomware has impacted victims from a diverse range of sectors within a multitude of countries, and it is assessed Medusa Ransomware is used in an opportunistic manner.[1][2][3][4]

Domain: Enterprise | ID: S1244 | Type: Malware | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Medusa Ransomware matters because the ATT&CK entry ties it to opportunistic, double-extortion ransomware activity: data may be taken before encryption, increasing both outage and disclosure risk. For leaders, this is not only a malware question; it tests whether the organization can detect suspicious administration-like activity, protect recovery paths, preserve evidence, and make fast incident decisions under pressure.

Executive priority

Prioritize this as a resilience and readiness scenario. The official description notes use with living-off-the-land techniques and remote management software, which means normal administrative tooling may be part of the event narrative. Executives should ask whether critical services, backups, network shares, identity-admin activity, and security tools are monitored well enough to support containment, recovery, legal/compliance decisions, and extortion response. Because ATT&CK lists no object-level platforms or detection text, local exposure and control coverage must be validated against the organization’s actual estate.

Technical view

SOC, detection, and IR teams should validate coverage across the related behaviors: command execution through PowerShell and Windows Command Shell; discovery of processes, services, system information, time, files, directories, network shares, security software, and local storage; service creation or modification; service stopping; file deletion; obfuscation/deobfuscation; hidden windows; inter-process communication; selective exclusion; defense impairment; recovery inhibition; and data encryption for impact. Treat the relationship to Medusa Group as context only, not attribution for a local incident. The strongest defensive value is correlating administrative-looking discovery and service activity with backup/recovery tampering, security-tool degradation, abnormal file activity, and encryption impact indicators.

Likely telemetry

  • Endpoint process creation and command-line logging for PowerShell, cmd, service utilities, discovery commands, and scripting activity
  • Windows service creation/modification and service stop events where applicable
  • File-system telemetry for high-volume file modification, deletion, encryption-like activity, and selective exclusion patterns
  • Network share enumeration and access logs, especially around shared drives and sensitive repositories
  • Security tool health, tamper, update, process, and service status telemetry

Detection direction

  • Do not rely on a single malware signature; ATT&CK provides no official detection text for this object and notes living-off-the-land behavior.
  • Build correlations around sequences: discovery activity followed by service stopping, security software discovery or impairment, recovery inhibition, file deletion, and broad file modification/encryption behavior.
  • Tune carefully for administrator false positives, especially service management, PowerShell, command shell, network share enumeration, and remote management activity.
  • Validate that logging survives defense impairment attempts; alerts should include missing, stopped, or degraded security sensors and logging agents.
  • Use the related techniques to structure detection engineering tests, but confirm applicability locally because the malware object itself does not specify platforms.
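Because ATT&CK supplies no detection text for S1244, the sequence correlation suggested above is sketched here as an added example (not code from Glexia, MITRE or any cited vendor). The command patterns come from this page's relationship table (`vssadmin.exe` shadow-copy deletion, `net stop`, `taskkill /F /IM`, the `ping localhost -n 3 > nul & del` self-deletion, the ".medusa" extension and the `!READ_ME_MEDUSA!!!.txt` note); the Sysmon-style field names, host names, thresholds and the ten-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Behaviour stages keyed to the Medusa procedures in the ATT&CK relationship table.
# File events are matched on the ".medusa" extension and the ransom-note file name.
STAGES = [
    ("recovery_inhibition", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("service_stop", re.compile(r"\b(net\s+stop|taskkill\s+/F\s+/IM)\b", re.I)),
    ("self_delete", re.compile(r"ping\s+localhost\s+-n\s+\d+\s*>\s*nul\s*&\s*del\b", re.I)),
]
ENCRYPTED_EXT, RANSOM_NOTE = ".medusa", "!READ_ME_MEDUSA!!!.txt"
WINDOW, MIN_STAGES, MIN_ENCRYPTED_FILES = timedelta(minutes=10), 3, 20  # assumed tuning

def classify(ev):
    """Return the stage an event belongs to, or None for ordinary noise."""
    if ev["type"] == "process":
        return next((name for name, rx in STAGES if rx.search(ev["cmdline"])), None)
    if ev["path"].endswith((ENCRYPTED_EXT, RANSOM_NOTE)):
        return "encryption_impact"
    return None

def correlate(events):
    """Map host -> ordered stage chain for hosts reaching MIN_STAGES within WINDOW."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((ev["ts"], stage))
    alerts = {}
    for host, hits in by_host.items():
        start, chain, encrypted = hits[0][0], [], 0
        for ts, stage in hits:
            if ts - start > WINDOW:
                break
            # file activity only counts as a stage once it looks like a burst, not one rename
            if stage == "encryption_impact" and (encrypted := encrypted + 1) < MIN_ENCRYPTED_FILES:
                continue
            if stage not in chain:
                chain.append(stage)
        if len(chain) >= MIN_STAGES:  # a lone net stop or vssadmin call stays below threshold
            alerts[host] = chain
    return alerts

def sample_events():
    """Constructed Sysmon-style events (not real telemetry): FS01 shows the chain, ADMIN02 is routine."""
    t0 = datetime(2025, 3, 12, 2, 0, 0)
    def proc(host, sec, cmd): return {"type": "process", "host": host, "ts": t0 + timedelta(seconds=sec), "cmdline": cmd}
    def file(host, sec, path): return {"type": "file", "host": host, "ts": t0 + timedelta(seconds=sec), "path": path}
    evs = [proc("FS01", 0, "vssadmin.exe delete shadows /all /quiet"),
           proc("FS01", 5, "net stop MSSQLSERVER"), proc("FS01", 7, "taskkill /F /IM sqlservr.exe /T"),
           proc("FS01", 400, r"cmd /c ping localhost -n 3 > nul & del C:\Users\Public\payload.exe"),
           proc("ADMIN02", 30, "net stop Spooler")]  # single admin action on another host, must not alert
    evs += [file("FS01", 60 + i, rf"D:\share\doc{i}.xlsx{ENCRYPTED_EXT}") for i in range(25)]
    evs.append(file("FS01", 90, "D:\\share\\" + RANSOM_NOTE))
    return evs
```

Running `correlate(sample_events())` returns only the FS01 chain; ADMIN02's single service stop never reaches the stage threshold, which is the false-positive behaviour the tuning bullet above asks for.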

Mitigation priorities

  • Start with recovery resilience: maintain protected, tested backups and validate that recovery mechanisms cannot be easily disabled or deleted by compromised administrative contexts.
  • Harden and monitor administrative execution paths, including command shells, PowerShell, service control, and remote management software.
  • Restrict and review access to network shares, sensitive file stores, and administrative credentials that can amplify ransomware impact.
  • Protect security tooling from tampering and monitor tool health as a first-class detection signal.
  • Segment critical services and prioritize controls around systems whose encryption or service disruption would affect business continuity or cyber-physical operations.

Analyst notes and limits

The relationship set provides useful defensive themes: discovery, execution, stealth, persistence/privilege escalation, defense impairment, recovery inhibition, and encryption impact. The group relationship to Medusa Group should inform threat intelligence enrichment, but incident attribution requires local evidence. The official sources include CISA and multiple vendor reports, but this take uses only the supplied ATT&CK fields and relationship context.

ATT&CK does not provide object-level platforms, tactics, aliases, labels, or official detection guidance for S1244 in the supplied fields. Some related techniques list platforms, but those should not be treated as confirmed Medusa Ransomware platform coverage without local evidence. This summary does not establish current activity, victim exposure, exploit path, or guaranteed detection coverage.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Columns: Domain, ID, Name; the relationship / procedure text follows each row, with citations mapped to the reference list below.

Enterprise T1135 Network Share Discovery

Medusa Ransomware has identified networked drives.[3][4][2]

Enterprise T1518.001 Security Software Discovery (sub-technique)

Medusa Ransomware has the capability to detect security solutions for termination or deletion within the victim device using hard-coded lists of strings containing security product executables.[3]

Enterprise T1027.013 Encrypted/Encoded File (sub-technique)

Medusa Ransomware has utilized XOR encrypted strings.[3][2]

Enterprise T1679 Selective Exclusion

Medusa Ransomware has avoided specified files, file extensions and folders to ensure successful execution of the payload and continued operation of the impacted device.[3][4][2]

Enterprise T1007 System Service Discovery

Medusa Ransomware has leveraged an encoded list of services that it designates for termination.[3][4][2]

Enterprise T1490 Inhibit System Recovery

Medusa Ransomware has deleted recovery files such as shadow copies using `vssadmin.exe`.[3][1][4][2]

Enterprise T1543.003 Windows Service (sub-technique)

Medusa Ransomware has created a new PowerShell process using the `CreateProcessA` API.[2]

Enterprise T1057 Process Discovery

Medusa Ransomware has utilized an encoded list of the processes that it detects and terminates.[3][4][2]

Enterprise T1070.004 File Deletion (sub-technique)

Medusa Ransomware has the ability to delete itself after execution.[4] Medusa Ransomware also has the ability to delete itself after execution through the command `cmd /c ping localhost -n 3 > nul & del`.[3][2]

Enterprise T1680 Local Storage Discovery

Medusa Ransomware has enumerated logical drives on infected hosts.[2]

Enterprise T1489 Service Stop

Medusa Ransomware has the capability to terminate services related to backups, security, databases, communication, file sharing and websites.[1][4][2] Medusa Ransomware has also utilized the `taskkill /F /IM /T` command to stop targeted processes and the `net stop` command to stop designated services.[4][2]

Enterprise T1106 Native API

Medusa Ransomware has leveraged Windows Native API functions to execute payloads.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Medusa Ransomware has decoded XOR encrypted strings prior to execution in memory.[3][2]

Enterprise T1564.003 Hidden Window (sub-technique)

Medusa Ransomware has utilized the `ShowWindow` function to hide the current window.[2]

Enterprise T1559 Inter-Process Communication

Medusa Ransomware has leveraged the `CreatePipe` API to enable inter-process communication.[2]

Enterprise T1083 File and Directory Discovery

Medusa Ransomware has searched for files within the victim environment for encryption and exfiltration.[3][1][2] Medusa Ransomware has also identified files associated with remote management services.[3][1]

Enterprise T1059.003 Windows Command Shell (sub-technique)

Medusa Ransomware has used `cmd.exe` to execute commands on an infected host.[3][2]

Enterprise T1082 System Information Discovery

Medusa Ransomware has collected data from the SMBIOS firmware table using `GetSystemFirmwareTable`.[2]

Enterprise T1059.001 PowerShell (sub-technique)

Medusa Ransomware has launched PowerShell scripts for execution and defense evasion.[3][2]

Enterprise T1124 System Time Discovery

Medusa Ransomware has discovered device uptime through `GetTickCount()`.[2]

Enterprise T1685 Disable or Modify Tools

Medusa Ransomware has terminated antivirus services utilizing the gaze.exe executable.[3] Medusa Ransomware has also terminated antivirus services utilizing PowerShell scripts.[3][2]

Enterprise T1486 Data Encrypted for Impact

Medusa Ransomware has encrypted files using AES-256, appended the file extension “.medusa” to encrypted files, and left a ransom note named “!READ_ME_MEDUSA!!!.txt”.[3][1][4][2]

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G1051: Medusa Group

Medusa Group has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates that certain attacks may still be conducted directly by the ransomware’s core developers. Public sources have also referred to the group as “Spearwing” or “Medusa Actors.” [1] [2] Medusa Group employs living-off-the-land techniques, frequently leveraging publicly available tools and common remote management software to conduct operations. The group engages in double extortion tactics, exfiltrating data prior to encryption and threatening to publish stolen information if ransom demands are not met. [3] For initial access, Medusa Group has exploited publicly known vulnerabilities, conducted phishing campaigns, and used credentials or access purchased from Initial Access Brokers (IABs). The group is opportunistic and has targeted a wide range of sectors globally. [4]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: f7d8568f558e821c...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | f7d8568f558e…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. CISA Medusa Group Medusa Ransomware March 2025: Cybersecurity and Infrastructure Security Agency. (2025, March 12). AA25-071A #StopRansomware: Medusa Ransomware. Retrieved October 15, 2025.
  2. Security Scorecard Medusa Ransomware January 2024: Vlad Pasca. (2024, January 1). A Deep Dive into Medusa Ransomware. Retrieved October 15, 2025.
  3. Palo Alto Unit 42 Medusa Group Medusa Ransomware January 2024: Anthony Galiette, Doel Santos. (2024, January 11). Medusa Ransomware Turning Your Files into Stone. Retrieved October 15, 2025.
  4. Broadcom Medusa Ransomware Medusa Group March 2025: Threat Hunter Team Symantec and Carbon Black. (2025, March 6). Medusa Ransomware Activity Continues to Increase. Retrieved October 15, 2025.
  5. mitre-attack S1244

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.