>samit_hota
Back to adversary profiles
G1051HighActive

Medusa Group: An Aggressive RaaS with Evolving Extortion Tactics

Samit Hota·
Suspected Origin
Russia or allied states (suspected)
Motivation
Financial Gain
Aliases
None documented
Target Sectors
Healthcare, Education, Manufacturing, Technology, Government, Legal, Financial, Critical Infrastructure, Small and Medium-sized Enterprises
Associated Malware
Medusa Ransomware, PowerShell, Rclone, Mimikatz, PsExec, AnyDesk, SimpleHelp, PDQ Deploy, AbyssWorker
#threat-actor#g1051

Overview

The Medusa Group (G1051), also tracked as “Spearwing” by Symantec and sometimes referred to as “Medusa Actors,” has been a significant player in the ransomware landscape since at least 2021. Initially operating as a closed ransomware entity, the group rapidly evolved into a sophisticated Ransomware-as-a-Service (RaaS) model. While affiliates are responsible for deploying the ransomware, the core Medusa developers reportedly maintain central control over crucial operations, particularly ransom negotiations. This group is distinct from the older “MedusaLocker” variant and unrelated mobile malware, using a unique and proprietary ransomware strain.

Medusa Group’s primary motivation is unequivocally financial gain, employing a multi-layered extortion strategy to maximize pressure on victims. Beyond encrypting data, they engage in double extortion by exfiltrating sensitive information and threatening its public release if demands are not met. In some instances, they have escalated to triple extortion, demanding additional payments even after the initial ransom to “guarantee” data deletion or claiming that a previous negotiator stole the payment.

The group is highly opportunistic, targeting a wide array of sectors globally, with a notable concentration of victims in the United States, Canada, and the United Kingdom. Critical infrastructure sectors, including healthcare, education, manufacturing, technology, legal, government, and financial services, are frequently impacted. Law enforcement agencies, including the FBI, CISA, and MS-ISAC, have issued joint advisories warning organizations about Medusa’s escalating threat. While direct attribution is often challenging, intelligence suggests the group operates out of Russia or allied states, based on its avoidance of targeting organizations within Russia and the Commonwealth of Independent States, and its activity on Russian-language dark web forums. There is also intelligence linking Medusa to “Frozen Spider,” an e-crime group active in broader cybercrime-as-a-service networks. More recently, reporting from early 2026 indicates that the North Korean state-sponsored Lazarus Group has been observed deploying Medusa ransomware in targeted extortion campaigns, particularly against the U.S. healthcare sector, suggesting Medusa ransomware is also leveraged by advanced persistent threat (APT) groups as an affiliate.

Tactics & Techniques

Medusa Group’s operational methodology aligns closely with the MITRE ATT&CK framework, leveraging a mix of custom malware and living-off-the-land (LotL) techniques to achieve its objectives.

For Initial Access, Medusa actors frequently exploit publicly known vulnerabilities in internet-facing applications, such as FortiClient Enterprise Management Servers (CVE-2023-48788), Citrix ADC cloud servers (CVE-2023-4966), ConnectWise ScreenConnect (CVE-2024-1709 authentication bypass), and Microsoft Exchange Servers. Phishing campaigns remain a primary method for credential harvesting and delivering ransomware. The group also extensively utilizes Initial Access Brokers (IABs), purchasing compromised credentials or network access from cybercrime marketplaces to accelerate their attacks. Weak Remote Desktop Protocol (RDP) credentials are another common entry point.

Once inside, Medusa actors prioritize Defense Evasion and establishing persistence. They use PowerShell extensively, often with obfuscated and base64-encoded commands, and delete PowerShell command history to cover their tracks. A sophisticated tactic involves “Bring Your Own Vulnerable Driver” (BYOVD) attacks, deploying signed yet vulnerable drivers (like AbyssWorker, KillAVDriver, or POORTRY drivers) to disable Endpoint Detection and Response (EDR) and antivirus software. They also check for virtual analysis environments to avoid detection.

Discovery and Lateral Movement involve leveraging legitimate remote management software already present in victim environments or deploying their own. Observed tools include AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, Splashtop, and Mesh Agent. They utilize RDP, Server Message Block (SMB), and PsExec for lateral movement and execution, often deploying batch scripts to open RDP cluster-wide and enable remote WMI connections. Network scanning tools like Advanced IP Scanner and SoftPerfect Network Scanner are used for internal reconnaissance to map network topography and identify valuable assets and high-privilege accounts. Credential dumping techniques, including the use of Mimikatz or OS credential dumping, are employed to harvest additional credentials for privilege escalation.

For Data Exfiltration, the group uses tools like Rclone, RoboCopy, Navicat, Ligolo, and Cloudflared to transfer stolen data to cloud storage or threat actor-controlled infrastructure. Tor nodes are often used for secure command and control (C2) communications and data transfer. The Impact is driven by their double and triple extortion schemes. After encrypting files using AES-256 and RSA-2048 algorithms, appending a “.MEDUSA” extension, they drop ransom notes (e.g., !!!READ_ME_MEDUSA!!!.txt) and delete shadow copies and backups to hinder recovery. The stolen data is then published on their dedicated “Medusa Blog” data leak site, hosted on the Tor network, featuring countdown timers for data publication and options to purchase time extensions or data deletion. The group also uses public Telegram and X (formerly Twitter) channels to amplify pressure and publicize their activities. Ransom demands typically range from $100,000 to $15 million, with daily penalties for extended deadlines.

Notable Campaigns

Medusa Group has been linked to numerous high-profile incidents since its emergence. Key victims include the Minneapolis Public School District and Toyota Financial Services. In January 2025, they targeted a U.S. healthcare organization, compromising several hundred machines. Throughout 2025, several international entities were hit, such as Aldagi in Georgia, Florarte in Brazil, and Expert E-commerce GmbH in Germany. One of the largest healthcare breaches of 2025 involved SimonMed Imaging, impacting an estimated 1.27 million patients.

Entering 2026, their activity remained high, with confirmed attacks on organizations like the University of Mississippi Medical Center (UMMC) in March 2026, for which they publicly demanded an $800,000 ransom. Also in March 2026, they claimed responsibility for a cyberattack against the U.S.-based financial services organization International Planning Group. A significant development since late 2025 is the observation of the Lazarus Group, a North Korean state-sponsored APT, deploying Medusa ransomware in attacks against the U.S. healthcare sector and Middle East entities. This indicates that Medusa ransomware has become a tool adopted by more advanced state-aligned threat actors for financially motivated or disruptive campaigns.

Associated Malware & Tools

The Medusa Group relies on its custom-developed Medusa Ransomware, which employs a robust AES-256 and RSA-2048 hybrid encryption scheme. This ransomware is distinct from the older MedusaLocker.

Beyond their core ransomware, Medusa actors frequently leverage a suite of legitimate and publicly available tools, embodying their “living-off-the-land” philosophy:

  • System Utilities: PowerShell (for execution, defense evasion, data transfer), PsExec (for lateral movement and execution with SYSTEM privileges), Mimikatz (for credential dumping), certutil (for downloading additional tools).
  • Data Exfiltration: Rclone, RoboCopy, Navicat (for data theft). Tunneling tools like Ligolo and Cloudflared are also used for secure connections and data transfer.
  • Remote Management Software: AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, Splashtop, and Mesh Agent are commonly abused for remote access, persistence, and lateral movement.
  • Network Scanners: Advanced IP Scanner and SoftPerfect Network Scanner are used for network discovery and enumeration.
  • Defense Evasion Drivers: Custom-signed vulnerable drivers such as AbyssWorker, KillAVDriver, and POORTRY are deployed to disable security software.

When the Lazarus Group utilizes Medusa ransomware, their campaigns may also incorporate their specific toolkit, including custom backdoors like Comebacker, remote access Trojans like Blindingcan, and info-stealers such as ChromeStealer and Infohook, alongside utilities like Curl and RP_Proxy.

Current Status

As of July 2026, the Medusa Group remains a highly active and aggressive threat actor, showing no signs of slowing down. The group’s operational tempo has been consistently high, with a significant surge in attacks observed between 2023 and 2024 (a 42% increase) and further doubling in early 2025 (over 40 incidents in the first two months). By March 2026, Medusa had claimed over 500 confirmed victims globally, demonstrating a relentless commitment to large-scale extortion. Recent activity in early 2026 indicates sustained aggression, with multiple rapid-fire attacks recorded within the first quarter.

The ongoing alerts and advisories from cybersecurity agencies underscore the persistent danger posed by Medusa. The FBI, CISA, and MS-ISAC jointly warned organizations in March 2025 about Medusa’s escalating threat, highlighting their targeting of critical infrastructure sectors and their double and potentially triple extortion tactics.

A critical development in late 2025 and early 2026 is the documented use of Medusa ransomware by the North Korean state-sponsored Lazarus Group. This suggests that Medusa, beyond being a highly effective RaaS, is also being adopted by sophisticated APTs, adding another layer of complexity to its threat profile, as these actors blend espionage objectives with financially motivated ransomware deployment. Unfortunately, there is no consistent publicly available decryption tool for Medusa-encrypted files, making recovery challenging without paying the ransom. The group’s adaptability, aggressive negotiation tactics, and continuous activity solidify its position as one of the most dangerous ransomware threats in the current landscape.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call