In the rapidly changing environment of cyber threats, Medusa stands out as a particularly menacing ransomware-as-a-service (RaaS) variant that first emerged in June 2021. Employing a double extortion model, this ransomware not only encrypts its victims’ data but also threatens to publicly release sensitive information if the ransom demands are not met. This dual-layered approach has enabled Medusa to significantly escalate its operations, with its impact felt across critical sectors, including healthcare, education, and manufacturing, where over 300 victims have been reported by early 2025.

The group behind Medusa, known as “Spearwing,” has transitioned from a closed ecosystem to a broader affiliate model, leveraging initial access brokers to extend its reach and effectiveness. With the introduction of a dedicated data leak site in early 2023 and a marked increase in attacks, understanding the tactics, techniques, and implications of Medusa ransomware is crucial for organizations striving to bolster their cybersecurity defenses in the face of such persistent threats.

The following sections will delve deeper into Medusa’s operational model, extortion tactics, technical details, and strategies for mitigation.

Overview and Origins

Medusa is identified as a ransomware-as-a-service (RaaS) variant that was first observed in June 2021. It has become increasingly prolific since then. The group operates a double extortion model, where they not only encrypt victim data but also threaten to publicly release exfiltrated data if a ransom is not paid. Medusa is distinct from the older MedusaLocker ransomware variant and the unrelated Medusa mobile malware. The group is tracked by Symantec as “Spearwing“. In early 2023, Medusa launched the “Medusa Blog,” a dedicated leak site to publish data from non-paying victims.

Activity and Impact

As of February 2025, Medusa developers and affiliates had impacted over 300 victims from a variety of critical infrastructure sectors. These sectors include medical, education, legal, insurance, technology, and manufacturing. There was a 42% surge in Medusa attacks between 2023 and 2024, and this increase continued into early 2025, with almost twice as many attacks observed in January and February 2025 compared to the same period in 2024. The true number of victims is likely higher than the number listed on their data leak site. Ransom demands have ranged from $100,000 to $15 million. The impact of Medusa ransomware can be devastating, leading to operational disruptions, financial losses, and reputational damage.

Operating Model

Medusa operates as a RaaS platform. Initially a closed group, it has since expanded to use an affiliate-based ecosystem. Medusa developers typically recruit initial access brokers (IABs) in cybercriminal forums and marketplaces to gain initial access. Potential payments between $100 USD and $1 million USD are offered to these affiliates. Important operations such as ransom negotiation are still centrally controlled by the developers. There is some question as to whether Spearwing operates as a “typical” RaaS, given the consistency of tactics used, possibly indicating the group carries out attacks themselves or works with a very limited number of affiliates and provides a detailed playbook.

Extortion Tactics

Medusa employs a double extortion model, encrypting data and threatening to publish exfiltrated data on their .onion data leak site (Medusa Blog) if the ransom is not paid. They operate a public Telegram channel (“information support”) where they also publicise hacks and release stolen data, making it more accessible than some other ransomware groups. Ransom demands are posted on the leak site with direct hyperlinks to Medusa-affiliated cryptocurrency wallets. They also advertise the sale of the data to interested parties before the countdown timer ends. Victims can pay $10,000 USD in cryptocurrency to add a day to the countdown timer. FBI investigations identified a potential triple extortion scheme where a separate Medusa actor contacted a victim after ransom payment, claiming the negotiator stole the initial payment and demanding a second payment.

Technical Details (TTPs)

• Initial Access (TA0001):
  • Phishing campaigns (T1566) are a primary method for stealing victim credentials.
  • Exploitation of unpatched software vulnerabilities (T1190) through Common Vulnerabilities and Exposures (CVEs) such as ScreenConnect vulnerability CVE-2024-1709 and Fortinet EMS SQL injection vulnerability CVE-2023-48788. They have also exploited Microsoft Exchange Server vulnerabilities (ProxyShell, CVE-2021-34473).
  • Recruitment of initial access brokers (IABs) (TA0001).
  • Use of compromised RDP credentials (T1133).
  • Uploading webshells to exploited Microsoft Exchange Servers.
• Execution (TA0002):
  • Use of PowerShell (T1059.001) and the Windows Command Prompt (cmd.exe) (T1059.003) for various tasks.
  • Leveraging legitimate tools like ConnectWise, PDQ Deploy, and PsExec.
  • Use of batch scripts including gaze.exe.
  • Utilising Windows Management Instrumentation (WMI) (T1047) for querying system information and deleting shadow copies.
• Persistence (TA0003):
  • Modifying the registry (T1547.001, HKLM\Software\Microsoft\Windows\CurrentVersion\Run).
  • Creating malicious scheduled tasks (T1053).
  • Creating domain accounts (T1136.002).
• Privilege Escalation (TA0004):
  • Abuse of Elevation Control Mechanism (T1548.002) by bypassing User Account Control (UAC).
  • Use of valid accounts (T1078) obtained through various methods.
  • LSASS memory dumping (T1003.001) using tools like Mimikatz.
• Defense Evasion (TA0005):
  • Use of living off the land (LOTL) techniques (TA0005) to avoid detection, leveraging legitimate tools present in the victim environment.
  • Using Certutil (certutil.exe) for file ingress to avoid detection.
  • Employing various PowerShell detection evasion techniques, including base64 encryption and string obfuscation.
  • Attempting to delete PowerShell command line history (T1070.003).
  • Attempting to use vulnerable or signed drivers (Bring Your Own Vulnerable Driver – BYOVD) (T1562.001) to kill or delete endpoint detection and response (EDR) tools. Malicious drivers like ABYSSWORKER (imitating a CrowdStrike Falcon driver) are used. They also use tools like KillAV and POORTRY.
  • Using reverse tunneling tools like Ligolo and Cloudflared (formerly ArgoTunnel) for command and control and evasion.
  • Disabling Windows Defender and other antivirus services.
  • Rebooting systems into Safe Mode.
  • Deleting previously installed tools (T1070).
• Discovery (TA0007):
  • Using legitimate tools like Advanced IP Scanner and SoftPerfect Network Scanner (NetScan) for initial user, system, and network enumeration.
  • Scanning commonly used ports (21, 22, 23, 80, 115, 443, 1433, 3050, 3128, 3306, 3389).
  • Using PowerShell and cmd.exe for network (T1046) and filesystem enumeration (T1083).
  • Utilizing Windows Management Instrumentation (WMI) (T1047) for querying system information.
  • Querying shared drives (T1135) on the local system.
  • Gathering system network configuration (T1016) and detailed system information (T1082) using commands like ipconfig /all and systeminfo.
  • Attempting to find domain-level group and permission settings (T1069.002).
  • Using driverquery, net share, net use, netstat -a, sc query, schtasks, ver, wmic for reconnaissance.
• Lateral Movement (TA0008):
  • Using a variety of legitimate remote access software (T1219) such as AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, and Splashtop.
  • Utilizing Remote Desktop Protocol (RDP) (T1021.001).
  • Using PsExec (T1569.002) to move laterally and deploy the encryptor.
  • Leveraging SMB/Windows Admin Shares (T1021.002).
• Exfiltration (TA0010):
  • Identifying files for exfiltration.
  • Installing and using Rclone (T1567.002) to facilitate data exfiltration to Medusa C2 servers.
• Encryption (T1486):
  • Deploying the encryptor, gaze.exe, across the network using tools like PsExec, PDQ Deploy, or BigFix (T1072).
  • Terminating services (T1489) related to backups, security, databases, communication, file sharing, and websites.
  • Deleting shadow copies (T1490).
  • Encrypting files with AES-256.
  • Appending the .medusa file extension to encrypted files.
  • Dropping the ransom note, typically named !!!READ_ME_MEDUSA!!!.txt.
  • Manually turning off (T1529) and encrypting virtual machines.
  • Deleting itself after encryption.
• Command and Control (C2):
  • Using reverse tunneling tools like Ligolo and Cloudflared.
  • Communicating using application layer protocols associated with web traffic (T1071.001), including scripts that create reverse or bind shells over port 443 (HTTPS).
  • Leveraging remote access software (T1219) for control.

Indicators of Compromise (IOCs)

• File Paths and Names:
  • csidl_windows\adminarsenal\pdqdeployrunner\service-1\exec\gaze.exe.
  • svhost.exe (in AppData).
  • !!!READ_ME_MEDUSA!!!.txt.
  • openrdp.bat.
  • pu.exe.
• File Extensions:
  • .medusa.
  • .mylock.
  • .s3db (observed in one Darktrace investigation).
• Domains & URLs:
  • medusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd[.]onion.
  • go-sw6-02.adventos[.]de.
  • medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd[.]onion.
• Registry Keys:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run\MDSLK.
• Email Addresses (used for ransom negotiation):
  • key.medusa.serviceteam@protonmail.com.
  • medusa.support@onionmail.org.
  • mds.svt.breach@protonmail.com.
  • mds.svt.mir2@protonmail.com.
  • MedusaSupport@cock.li.
• Hashes (examples): See Table 1 in source and hashes listed in. Note that some sources redact hashes.
• Credentials (observed in a Darktrace investigation): Svc-ndscans, Svc-NinjaRMM.

Mitigation Strategies

Organisations are advised to:

• Mitigate known vulnerabilities by ensuring operating systems, software, and firmware are patched and up to date.
• Segment networks to limit lateral movement.
• Filter network traffic by blocking access from unknown or untrusted origins to remote services on internal systems.
• Implement the recommendations in the Mitigations section of the CISA advisory.
• Enable MFA for RDP and VPNs.
• Disable PowerShell for non-administrators.
• Regularly back up data offline. Ensure backups are immutable.
• Implement strong security measures, including up-to-date security solutions.
• Use hard-to-crack unique passwords and enable multi-factor authentication.
• Encrypt sensitive data wherever possible.
• Reduce the attack surface by disabling unnecessary functionality.
• Educate and inform staff about cyber threats and methods used by attackers.
• Block known Medusa domains.
• Detect unusual RDP access patterns and SMB enumeration.
• Use behavioral analytics to detect mass file encryption.
• Isolate infected systems immediately.
• Restore from offline backups.
• Report incidents to CISA/FBI.
• Consider using AI-powered endpoint protection and AI-powered email protection.
• Create and regularly test a detailed incident response plan.
• Disable unused remote access tools or secure them with strong passwords and MFA.
• Apply the principle of least privilege.
• Consider disabling command-line and scripting activities and permissions to limit LotL techniques.
• Validate security controls against the MITRE ATT&CK techniques outlined in the advisory.

Relationships and Ecosystem

The Medusa ransomware group appears to operate independently, with its own infrastructure. However, the organised cybercrime group “Frozen Spider” is believed to be a key player in the Medusa ransomware operation, collaborating with other threat actors as part of the larger cybercrime-as-a-service (CCaaS) ecosystem. In June 2023, an early Medusa attack used drivers related to those previously used in a BlackCat (aka Noberus) attack, suggesting a possible sharing of tools or affiliates, although no further evidence strongly links the two groups. Medusa heavily relies on initial access brokers (IABs) to gain access to victim networks.

Branding and Public Presence

Medusa operates a data leak site (Medusa Blog) on the dark web (.onion). They also maintain a public Telegram channel (“information support”) used to publicise victims and leak data. Additionally, they have been linked to a Facebook profile and an X (formerly Twitter) account under the brand ‘OSINT Without Borders,’ run by operators using pseudonyms ‘Robert Vroofdown’ and ‘Robert Enaber,’ along with an associated website. These public-facing properties are likely intended to exert more pressure on victims and spread awareness of the Medusa ransomware threat. The group has a “Medusa Media Team” that has even published videos showing evidence of stolen data on their blog.

Conclusion

Medusa ransomware represents a significant and evolving cyber threat targeting a wide range of critical infrastructure sectors globally. Its use of a double (and potentially triple) extortion model, reliance on affiliates and IABs, and consistent employment of both sophisticated and LOTL techniques make it a challenging adversary. Organisations must adopt a defense-in-depth strategy, continuously update their threat intelligence, and implement robust security controls to mitigate the risk posed by Medusa ransomware.

Salt Typhoon is a Chinese state-sponsored Advanced Persistent Threat (APT) group known for its sophisticated cyber espionage campaigns, primarily targeting the telecommunications, government, and technology sectors. The group’s operations extend beyond intelligence gathering, aiming to exert strategic pressure on adversaries by targeting critical infrastructure and key industries.

Aliases and Affiliations

Salt Typhoon operates under various aliases, including:

• Earth Estries.
• GhostEmperor.
• FamousSparrow.
• UNC2286.
• RedMike.

The group is believed to be affiliated with China’s Ministry of State Security (MSS). Connections to other Chinese APT groups, such as DRBControl, SparklingGoblin, and the Winnti Group, have also been observed, indicating shared methodologies and a coordinated state-backed effort.

Timeline and Key Campaigns

• 2019: Believed to be active since at least 2019, with some suggesting activity as far back as 2017.
• March 2021: Exploited ProxyLogon vulnerabilities in Microsoft Exchange servers.
• Late 2023: Resurfaced with network compromises involving the Demodex rootkit.
• September 2024: Breached US Internet Service Providers (ISPs).
• November 2024: Targeted T-Mobile, exfiltrating customer call records and metadata.
• December 2024 – January 2025: Exploited Cisco IOS XE network devices, targeting telecommunications providers and universities globally.

Target Sectors and Geographic Focus

Salt Typhoon’s targets span various sectors:

• Telecommunications: Wireline and wireless telephone providers, internet service companies.
• Government: Government entities, including those involved in national security and law enforcement.
• Technology: Companies in the information and communication technology sector.
• Hotels: Targeting hotels to monitor the locations of key individuals.
• Various Others: Militaries, solar energy companies, financial institutions, NGOs, international organizations, engineering firms, and law practices.

The group’s geographic focus is broad, encompassing:

• North America: Primarily the United States.
• Southeast Asia: Focused efforts on hotels and telecommunications companies.
• Other Regions: Including Brazil, Burkina Faso, South Africa, Canada, Israel, France, Guatemala, Lithuania, Saudi Arabia, Taiwan, Thailand, and the United Kingdom.

Tactics, Techniques, and Procedures (TTPs)

Salt Typhoon employs a range of sophisticated TTPs to infiltrate and maintain persistence within target environments:

• Initial Access:
  • Exploiting public-facing applications.
  • Spearphishing attachments.
  • Exploitation of known vulnerabilities.
• Execution:
  • Using command and scripting interpreters like PowerShell.
  • Executing malicious files, such as side-loaded DLLs.
• Persistence:
  • Modifying the registry.
  • Creating or modifying system processes.
  • Kernel-mode malware.
• Privilege Escalation:
  • Exploiting vulnerabilities.
  • Scheduled tasks/jobs.
• Defense Evasion:
  • Obfuscated files or information.
  • Masquerading.
  • Indicator removal.
• Lateral Movement:
  • Exploitation of remote services.
  • Leveraging valid credentials.
• Credential Access:
  • Dumping credentials from password stores and web browsers.
  • Extracting credentials from files.
• Collection:
  • Gathering data from local systems.
  • Monitoring clipboard data.
• Command and Control:
  • Using remote access software.
  • Employing internal proxy servers.
• Impact:
  • Data encrypted for impact (primarily for espionage, not extortion).

Toolset and Malware

Salt Typhoon utilises a diverse toolkit comprising legitimate, custom-made, and borrowed tools:

• Custom Backdoors: SparrowDoor and Demodex.
• Rootkits: Demodex, a Windows kernel-mode rootkit.
• Loaders: SparrowDoor loader.
• Remote Access Trojans (RATs): Masol RAT and SnappyBee (aka Deed RAT).
• Exploitation Tools: Mimikat_ssp (a Mimikatz variant), Get-PassHashes.ps1, GetPwd, Token.exe.
• Living off the Land Binaries (LOLBins): Utilising legitimate system tools to perform malicious activities.
• GhostSpider New backdoor malware.
• Derusbi: A DLL-based backdoor.
• Motnug: A shellcode loader.
• NinjaCopy: Tool to bypass security mechanisms and extract sensitive system files.

The group’s malware often incorporates anti-forensic and anti-analysis techniques to evade detection.

Vulnerabilities Exploited

Salt Typhoon has been known to exploit the following vulnerabilities:

• CVE-2023-46805, CVE-2024-21887 (Ivanti Connect Secure VPN).
• CVE-2023-48788 (Fortinet FortiClient EMS).
• CVE-2022-3236 (Sophos Firewall).
• CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 (Microsoft Exchange – ProxyLogon).
• CVE-2023-20198 and CVE-2023-20273 (Cisco IOS XE Software).

Countermeasures and Mitigation Strategies

Defending against Salt Typhoon requires a comprehensive, multi-layered approach:

• Robust Cybersecurity Frameworks: Implementing zero-trust architecture, continuous monitoring, and regular vulnerability assessments.
• Patch Management: Applying security patches promptly, particularly for known vulnerabilities in Cisco devices and other network infrastructure.
• Network Segmentation: Isolating critical systems and implementing strict access control lists (ACLs) to regulate network traffic.
• Threat Intelligence: Sharing threat intelligence and staying informed about Salt Typhoon’s latest TTPs.
• Incident Response: Developing and testing incident response plans to effectively contain and eradicate intrusions.
• Out-of-Band Management: Utilising a physically separate management network to prevent unauthorised access to operational networks.
• Secure by Design Principles: Encourage software manufacturers to embed security throughout the development lifecycle to strengthen the overall security posture of their products.
• Encrypted Communications: Advising individuals concerned about privacy to use encrypted messaging apps and voice communications.

Attribution and Geopolitical Context

Salt Typhoon’s activities align with China’s broader geopolitical objectives, including intelligence collection, monitoring individuals, and potential disruption of adversarial capabilities. The group’s targeting of telecommunications companies enables them to intercept communications, monitor activities, and enhance their intelligence-gathering capabilities.

Conclusion

Salt Typhoon represents a significant and persistent threat to global telecommunications infrastructure and other critical sectors. The group’s advanced TTPs, diverse toolkit, and state-sponsored backing make it a formidable adversary. Organisations must adopt a proactive and multi-layered approach to security, prioritising vulnerability management, network segmentation, and threat intelligence sharing, to effectively defend against this evolving threat. Continuous vigilance and collaboration between public and private sectors are essential to mitigating the risks posed by Salt Typhoon and similar APT groups.