2025-03-20

#StopRansomware Features Medusa with Tight IAB Connections Pose Ongoing Threat to Critical Infrastructure

Level: Tactical  |  Source: CISA
Sectors: Critical Infrastructure, Education, Healthcare, Insurance, Legal, Manufacturing, Technology

Medusa ransomware, a ransomware-as-a-service (RaaS) operation first identified in June 2021, has emerged as a severe threat to critical infrastructure sectors, reaching victims through a network of affiliates. According to CISA's latest #StopRansomware advisory, "As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing." Operating under a double extortion model, Medusa actors encrypt victim data and threaten to publish the stolen copies unless a ransom is paid. CISA notes that the group works closely with initial access brokers (IABs), offering lucrative terms for access: "potential payments between $100 USD and $1 million USD are offered to these affiliates with the opportunity to work exclusively for Medusa." Beyond purchased access, Medusa affiliates run phishing campaigns to harvest credentials and exploit known, unpatched vulnerabilities to gain entry, including CVE-2024-1709, an authentication bypass in ConnectWise ScreenConnect, and CVE-2023-48788, a SQL injection in Fortinet FortiClient EMS.

Once inside a target network, Medusa actors lean on native Windows utilities, supplemented by third-party discovery tools, to blend in and expand their access. cmd.exe, PowerShell, and Windows Management Instrumentation (WMI) are used routinely, with commands wrapped in "cmd /c" to obscure what is actually being run. PowerShell is invoked with base64-encoded commands to hide script content, and the PowerShell command history is deleted afterward to minimize traces of the activity. Network reconnaissance scans for commonly exposed services on ports 21, 22, 23, 80, 115, 443, 1433, 3050, 3128, 3306, and 3389, using native binaries as well as tools such as Advanced IP Scanner and SoftPerfect Network Scanner. Medusa actors also load signed drivers to kill or disable endpoint detection and response (EDR) tooling, further complicating detection.

For command and control (C2), Medusa affiliates rely on tunneling tools such as Ligolo and Cloudflared to establish covert connections between compromised hosts and their infrastructure. Lateral movement combines legitimate remote access software such as AnyDesk, Atera, ConnectWise, and Splashtop with Remote Desktop Protocol (RDP). Batch scripts pushed through PsExec modify firewall rules, WMI settings, and registry values to enable RDP on targets; for example, "netsh advfirewall firewall add rule name='rdp' dir=in protocol=tcp localport=3389 action=allow" opens inbound TCP 3389 through Windows Firewall so the actors retain RDP access to the machine. Credentials are harvested with Mimikatz, which reads Local Security Authority Subsystem Service (LSASS) memory to recover privileged credentials for further escalation and movement within the network.

Medusa actors use Rclone to exfiltrate stolen data before deploying the encryption payload across compromised systems. Remote management tools distribute the ransomware binaries, and security defenses, including Windows Defender, are disabled beforehand so the payload runs unhindered. An example payload, "gaze.exe," encrypts files with AES-256 and appends a ".medusa" extension. It terminates processes related to backup, security, and database software, deletes volume shadow copies to frustrate recovery, and drops a ransom note directing victims to negotiate through a Tor-based live chat or Tox messenger. If a victim does not respond within 48 hours, Medusa posts the victim on its dedicated leak site alongside a countdown timer; ransom demands are published there with direct links to Medusa-affiliated cryptocurrency wallets, and victims can extend the exposure deadline by paying $10,000 per additional day. The FBI has also documented at least one case in which a victim that had already paid was contacted by a separate Medusa actor who claimed the negotiator had stolen the payment and demanded a further sum, indicating a possible triple extortion scheme.
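The behaviours described in the three preceding paragraphs (encoded PowerShell wrapped in "cmd /c" and history clearing, the netsh rule and registry change that open RDP, and Rclone staging followed by shadow copy deletion) all surface as process-creation events, and on a single host they chain across stages. The Python below is an added example written for this page, not code from CISA's advisory or from Anvilogic; the sample events are constructed, not real telemetry. It decodes -EncodedCommand payloads (base64 of UTF-16LE) before matching so the rules see the real script, then correlates hits per host and escalates any host that shows two or more distinct stages. The fDenyTSConnections registry value, the PSReadLine history path and the Set-MpPreference -Disable* switch are the standard commands assumed here to correspond to the behaviours the text describes only in general terms.

```python
"""Added detection example for the Medusa tradecraft summarized above.

Process-creation events (Sysmon Event ID 1 / Security 4688 reduced to a few
fields) are decoded, matched against behaviour rules, and correlated per host.
All events below are constructed for illustration, not real telemetry.
"""
import base64
import re
from collections import defaultdict


def encode_ps(script: str) -> str:
    """Build the form PowerShell's -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample telemetry. Two hosts show chained Medusa-style activity;
# ADMIN-01 is benign administrative noise that must not fire.
SAMPLE_EVENTS = [
    {"host": "WS-17", "image": "cmd.exe",                    # "cmd /c" wrapper around encoded
     "cmdline": "cmd /c powershell -nop -w hidden -enc "     # PowerShell that clears history
                + encode_ps("Clear-History; Remove-Item (Get-PSReadlineOption).HistorySavePath")},
    {"host": "WS-17", "image": "netsh.exe",                  # firewall rule quoted in the text
     "cmdline": 'netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow'},
    {"host": "WS-17", "image": "reg.exe",                    # registry value enabling RDP (assumed key)
     "cmdline": 'reg add "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"host": "FS-02", "image": "rclone.exe",                 # exfiltration before encryption
     "cmdline": "rclone.exe copy D:\\Finance remote:bucket --transfers 16 -q"},
    {"host": "FS-02", "image": "vssadmin.exe",               # shadow copy deletion
     "cmdline": "vssadmin Delete Shadows /all /quiet"},
    {"host": "ADMIN-01", "image": "netsh.exe",
     "cmdline": "netsh advfirewall show allprofiles"},
    {"host": "ADMIN-01", "image": "powershell.exe",
     "cmdline": "powershell -NoProfile -Command Get-MpComputerStatus"},
]

# powershell.exe accepts -e, -ec, -en, -enc and -encodedcommand for the same switch.
ENC_RE = re.compile(r"\s-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# (rule name, kill-chain stage, pattern applied to the normalized command line)
RULES = [
    ("encoded_powershell", "evasion",
     re.compile(r"powershell(?:\.exe)?\b.*\s-e(?:c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("history_clearing", "evasion",
     re.compile(r"clear-history|consolehost_history|HistorySavePath", re.I)),
    ("rdp_firewall_opened", "access",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*localport=3389\b.*action=allow", re.I)),
    ("rdp_enabled_in_registry", "access",
     re.compile(r"fDenyTSConnections\b.*/d\s+0\b", re.I)),
    ("lsass_credential_theft", "credential_access",
     re.compile(r"\bmimikatz\b|\bsekurlsa::", re.I)),
    ("rclone_exfiltration", "exfiltration",
     re.compile(r"\brclone(?:\.exe)?\s+(?:copy|sync|move)\b", re.I)),
    ("shadow_copy_deletion", "impact",
     re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("defender_disabled", "impact",
     re.compile(r"Set-MpPreference\b.*-Disable\w+\s+(?:\$true|1)\b", re.I)),
]
STAGE_OF = {name: stage for name, stage, _ in RULES}


def normalize(cmdline: str) -> str:
    """Append decoded -EncodedCommand payloads so rules see the real script text."""
    decoded = []
    for blob in ENC_RE.findall(cmdline):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not base64/UTF-16LE after all; rules still see the raw text
    return cmdline + (" [decoded: " + " ".join(decoded) + "]" if decoded else "")


def match_event(event: dict) -> list:
    """Names of the rules an event triggers, in RULES order."""
    text = normalize(event["cmdline"])
    return [name for name, _stage, pat in RULES if pat.search(text)]


def triage(events) -> dict:
    """Group hits per host; a host showing two or more distinct stages is escalated,
    since the chained behaviour described above rarely comes from one benign task."""
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev["host"]].extend(match_event(ev))
    return {
        host: {"rules": sorted(set(hits)),
               "stages": sorted({STAGE_OF[h] for h in hits}),
               "escalate": len({STAGE_OF[h] for h in hits}) >= 2}
        for host, hits in per_host.items() if hits
    }


if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        print(host, result)
```

Run stand-alone, the script flags WS-17 (evasion plus access) and FS-02 (exfiltration plus impact) for escalation and reports nothing for ADMIN-01, whose netsh and PowerShell usage is routine. The decoding step matters: without it, the history-clearing rule never sees "Clear-History" because the script only exists on the command line as base64.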
