S1244 Medusa Ransomware
Medusa Ransomware has been utilized in attacks since at least 2021. Medusa Ransomware has been known to be utilized in conjunction with living off the land techniques and remote management software. Medusa Ransomware has been used in campaigns associated with “double extortion” ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Medusa Ransomware software was initially a closed ransomware variant which later evolved to a Ransomware as a Service (RaaS). Medusa Ransomware has impacted victims from a diverse range of sectors within a multitude of countries, and it is assessed Medusa Ransomware is used in an opportunistic manner.2413
| Item | Value |
|---|---|
| ID | S1244 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 17 October 2025 |
| Last Modified | 21 October 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Medusa Ransomware has launched PowerShell scripts for execution and defense evasion.14 |
| enterprise | T1059.003 | Windows Command Shell | Medusa Ransomware has used cmd.exe to execute command on an infected host.14 |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Medusa Ransomware has created a new PowerShell process using the CreateProcessA API.4 |
| enterprise | T1486 | Data Encrypted for Impact | Medusa Ransomware has encrypted files using AES-256 encryption, which then appends the file extension “.medusa” to encrypted files and leaves a ransomware note named “!READ_ME_MEDUSA!!!.txt.”1234 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Medusa Ransomware has decoded XOR encrypted strings prior to execution in memory.14 |
| enterprise | T1083 | File and Directory Discovery | Medusa Ransomware has searched for files within the victim environment for encryption and exfiltration.124 Medusa Ransomware has also identified files associated with remote management services.12 |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.003 | Hidden Window | Medusa Ransomware has utilized the ShowWindow function to hide current window.4 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Medusa Ransomware has terminated antivirus services utilizing the gaze.exe executable.1 Medusa Ransomware has also terminated antivirus services utilizing PowerShell scripts.14 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Medusa Ransomware has the ability to delete itself after execution.3 Medusa Ransomware also has the ability to delete itself after execution through the command cmd /c ping localhost -n 3 > nul & del.14 |
| enterprise | T1490 | Inhibit System Recovery | Medusa Ransomware has deleted recovery files such as shadow copies using vssadmin.exe.1234 |
| enterprise | T1559 | Inter-Process Communication | Medusa Ransomware has leveraged the CreatePipe API to enable inter-process communication.4 |
| enterprise | T1680 | Local Storage Discovery | Medusa Ransomware has enumerated logical drives on infected hosts.4 |
| enterprise | T1106 | Native API | Medusa Ransomware has leveraged Windows Native API functions to execute payloads.4 |
| enterprise | T1135 | Network Share Discovery | Medusa Ransomware has identified networked drives.134 |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.013 | Encrypted/Encoded File | Medusa Ransomware has utilized XOR encrypted strings.14 |
| enterprise | T1057 | Process Discovery | Medusa Ransomware has utilized an encoded list of the processes that it detects and terminates.134 |
| enterprise | T1679 | Selective Exclusion | Medusa Ransomware has avoided specified files, file extensions and folders to ensure successful execution of the payload and continued operations of the impacted device.134 |
| enterprise | T1489 | Service Stop | Medusa Ransomware has the capability to terminate services related to backups, security, databases, communication, filesharing and websites.234 Medusa Ransomware has also utilized the taskkill /F /IM <process> /T command to stop targeted processes and net stop <process> command to stop designated services.34 |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | Medusa Ransomware has the capability to detect security solutions for termination or deletion within the victim device using hard-coded lists of strings containing security product executables.1 |
| enterprise | T1082 | System Information Discovery | Medusa Ransomware has collected data from the SMBIOS firmware table using GetSystemFirmwareTable.4 |
| enterprise | T1007 | System Service Discovery | Medusa Ransomware has leveraged an encoded list of services that it designates for termination.134 |
| enterprise | T1124 | System Time Discovery | Medusa Ransomware has discovered device uptime through GetTickCount().4 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1051 | Medusa Group | Medusa Group has used Medusa Ransomware for ransomware activities.1234 |
References
-
Anthony Galiette, Doel Santos. (2024, January 11). Medusa Ransomware Turning Your Files into Stone. Retrieved October 15, 2025. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩
-
Cybersecurity and Infrastructure Security Agency. (2025, March 12). AA25-071A #StopRansomware: Medusa Ransomware. Retrieved October 15, 2025. ↩↩↩↩↩↩↩
-
Threat Hunter Team Symantec and Carbon Black. (2025, March 6). Medusa Ransomware Activity Continues to Increase. Retrieved October 15, 2025. ↩↩↩↩↩↩↩↩↩↩↩
-
Vlad Pasca. (2024, January 1). A Deep Dive into Medusa Ransomware. Retrieved October 15, 2025. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩