Critical Infrastructure & Medusa Ransomware

Known for the sophistication of its operations, the Medusa ransomware gang has been linked to known attacks on over 300 organizations in critical infrastructure sectors, including medical, education, legal, insurance, manufacturing, and technology operations. Once hit by a Medusa ransomware attack, victims are told to pay a ransom both to decrypt their files and to prevent those files from being released onto the Internet.

See: https://redskyalliance.org/redshorts2023/medusa-ransomware-gang-picks-up-steam-as-it-targets-companies-wor
This is called a double-extortion attack and means that even if the victim organization has backups and can recover the files that have been encrypted, they still face the threat of having their sensitive data leaked if they refuse to pay the ransom.
A joint cybersecurity advisory about this activity was recently published by the Cybersecurity and Infrastructure Security Agency (CISA), warning that:

Medusa has been operating since 2021. “Medusa originally operated as a closed ransomware variant, meaning the same group of cyber threat actors controlled all development and associated operations...” “While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers,” the advisory says. “Both Medusa developers and affiliates, referred to as ‘Medusa actors’ in this advisory, employ a double extortion model, where they encrypt victim data and threaten to release exfiltrated data if a ransom is not paid publicly.”

According to the advisory, Medusa developers typically employ initial access brokers on cybercriminal forums to obtain entry into victims’ environments. During the attacks, Medusa actors use a wide range of legitimate software to move laterally, including remote access tools like AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, and Splashtop. Additionally, the threat actors frequently use Advanced IP Scanner and SoftPerfect Network Scanner to gather information on targeted users, systems, and networks.

CISA reports that Medusa actors disguise their activity as legitimate tooling. They typically use Living-off-the-Land (LotL) techniques to evade detection, along with several PowerShell techniques of “increasing complexity.” A key component of some attacks is the use of vulnerable drivers in what is known as a “bring your own vulnerable driver” (BYOVD) attack. The advisory says Medusa actors use BYOVD to kill and delete endpoint detection and response (EDR) products. Medusa activity increased 42% year-over-year in 2024 and continued rising in January and February 2025.

The researchers say the hackers extensively use legitimate drivers and custom-developed malicious tools like AVKill and POORTRY to bypass or disable security software. “BYOVD is a technique that has been increasingly used in ransomware attack chains over the last two years,” the blog post said. “In almost all Medusa attacks, KillAV and associated vulnerable drivers are used in this part of the attack chain to download drivers and disable security software.”
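The two detection opportunities the paragraphs above give a defender are the named remote-access and scanning tools appearing where they are not sanctioned, and a driver being loaded from somewhere other than the normal driver directory (the BYOVD pattern). The following script is an added example, not code from the advisory or from Red Sky Alliance: it runs both checks over constructed Sysmon-style JSON-lines records. The executable-name substrings in TOOL_SIGNATURES are assumptions for illustration; confirm them against the binaries your own fleet actually runs.

```python
import json
from pathlib import PureWindowsPath

# Lower-case substrings matched against the executable's file name for a subset of
# the tools named in the advisory. Assumed names for this example; verify locally.
TOOL_SIGNATURES = {
    "anydesk": "AnyDesk", "atera": "Atera", "screenconnect": "ConnectWise",
    "ehorus": "eHorus", "pdqdeploy": "PDQ Deploy", "pdqinventory": "PDQ Inventory",
    "simplehelp": "SimpleHelp", "splashtop": "Splashtop",
    "advanced_ip_scanner": "Advanced IP Scanner", "netscan": "SoftPerfect Network Scanner",
}
DRIVER_DIR = r"c:\windows\system32\drivers"  # where Windows normally loads drivers from

# Constructed Sysmon-style records: EventID 1 = process creation, 6 = driver load.
SAMPLE_LOG = [
    r'{"EventID": 1, "Computer": "WS01", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}',
    r'{"EventID": 1, "Computer": "WS01", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe"}',
    r'{"EventID": 1, "Computer": "SRV02", "Image": "C:\\Program Files\\Splashtop\\Splashtop Remote\\Splashtop.exe"}',
    r'{"EventID": 1, "Computer": "WS01", "Image": "C:\\Users\\jdoe\\Downloads\\Advanced_IP_Scanner_2.5.exe"}',
    r'{"EventID": 6, "Computer": "SRV02", "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "Signed": "true"}',
    r'{"EventID": 6, "Computer": "SRV02", "ImageLoaded": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\loader.sys", "Signed": "true"}',
]


def classify_event(event, approved_tools):
    """Return a finding string for one event, or None if nothing stands out."""
    host = event.get("Computer", "?")
    if event.get("EventID") == 1:
        image = event.get("Image", "")
        stem = PureWindowsPath(image).stem.lower()
        for needle, tool in TOOL_SIGNATURES.items():
            if needle in stem and tool not in approved_tools:
                return f"{host}: unapproved remote-access/scanning tool {tool} ran from {image}"
    elif event.get("EventID") == 6:
        path = event.get("ImageLoaded", "")
        in_driver_dir = str(PureWindowsPath(path).parent).lower() == DRIVER_DIR
        # A driver loaded from a user-writable path, or unsigned, is the BYOVD shape; flag it.
        if not in_driver_dir or event.get("Signed") != "true":
            return f"{host}: driver loaded outside {DRIVER_DIR} or unsigned: {path} (review for BYOVD)"
    return None


def scan(lines, approved_tools):
    """Parse JSON-lines telemetry and return the findings in log order."""
    findings = []
    for line in lines:
        if line.strip():
            finding = classify_event(json.loads(line), approved_tools)
            if finding:
                findings.append(finding)
    return findings
```

With `scan(SAMPLE_LOG, {"Splashtop"})` the sanctioned Splashtop install and the in-place tcpip.sys load are silent, while the AnyDesk binary in a Temp directory, the scanner in Downloads, and the driver loaded from Temp are each reported.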

Suppose a victim refuses to pay the demanded ransom. In that case, their stolen data may be leaked on Medusa's Dark Web Forum and sold to other cybercriminals, risking reputational damage, legal consequences, penalties for non-compliance, and consequent financial loss. CISA urges organizations to report Medusa ransomware incidents to law enforcement and refrain from paying ransoms, as doing so risks encouraging further attacks.

This article is shared at no charge and is for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com

• Reporting: https://www.redskyalliance.org/
• Website: https://www.redskyalliance.com/
• LinkedIn: https://www.linkedin.com/company/64265941

Weekly Cyber Intelligence Briefings (REDSHORTS): https://register.gotowebinar.com/register/5207428251321676122


[1]  https://www.cybersecurityintelligence.com/blog/medusa-ransomware-attacks-focus-on-critical-infrastructure-8308.html

© 2025 Red Sky Alliance Corporation. All rights reserved.
