The Medusa ransomware group, first identified in mid‑2021 as a ransomware‑as‑a‑service (RaaS) actor, has remained an active threat through 2025, adapting its operational model and targeting a broad range of victims across sectors. According to joint advisories from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi‑State Information Sharing and Analysis Center (MS‑ISAC), Medusa actors have compromised hundreds of organizations, employing a combination of credential theft, exploitation of unpatched vulnerabilities, and network enumeration to achieve initial access and lateral movement.

In addition to encrypting data, Medusa actors deploy double extortion techniques—threatening to publish stolen data unless ransom demands are met, and in some cases engaging in triple extortion behaviors where additional demands are made after an initial payment.

This article examines the organizational structure of Medusa’s operations, common attack vectors, extortion tactics, recent victimology from November and December 2025, and implications for defenders and incident responders.

Note: Security Land does not link to ransomware group infrastructure, promote these actors, or provide access to illicit content.

Ransomware Group Organization and Affiliate Models

Medusa’s operational model typifies modern RaaS structures where core developers provide the ransomware payloads and infrastructure, while a network of affiliates—often recruited through cybercrime forums or via initial access brokers (IABs)—execute attacks against victims.

The affiliate model expands attack volume while decentralizing effort; Medusa’s developers retain central control over ransom negotiations and data leak infrastructure (e.g., dark web leak sites and messaging channels), effectively monetizing both encryption and stolen data sales. Affiliates are incentivized through revenue sharing and referrals, a typical arrangement within RaaS ecosystems.

Medusa actors also engage IABs to obtain validated network access, often acquiring stolen credentials or footholds established through phishing, brute force, or exploitation of remote access vulnerabilities. This division of labor increases operational efficiency and complicates attribution.

Common Attack Vectors and Victim Selection

Medusa’s initial access methods include:

  • Phishing campaigns and credential compromise: Social engineering to harvest valid user credentials, a prevalent vector observed in many ransomware intrusions.
  • Exploitation of unpatched vulnerabilities: Actors target external‑facing services and known security flaws to gain code execution and an initial foothold.
  • Use of legitimate tools for network reconnaissance and lateral movement: Once inside a network, actors leverage administrative utilities such as PowerShell, remote access software, and remote desktop services to expand access and exfiltrate data.
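The three vectors above each leave a trace in Windows Security event logs that a defender can alert on: a burst of failed logons (Event ID 4625) followed by a success (4624) for credential brute forcing, a RemoteInteractive logon (4624 with LogonType 10) from a host that is not an approved jump host for RDP lateral movement, and process creation (4688) of PowerShell with an encoded command for living-off-the-land abuse. The following Python is an added example written for this article, not code from Security Land, the cited advisories, or any product. The event field names follow the standard Windows Security schema, but the log records themselves are constructed, and the allowed jump-host subnet, the five-failures-in-five-minutes threshold, and the `-enc` pattern are assumptions a team would tune to its own environment.

```python
"""Toy detection rules for the tradecraft described above, run over
constructed Windows Security events in JSON-lines form (example code)."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions for this example: only the admin jump-host subnet may open RDP
# sessions, and five failed logons within five minutes count as a brute force.
ADMIN_JUMP_HOSTS = [ip_network("10.10.1.0/24")]
FAILED_LOGON_THRESHOLD = 5
FAILED_LOGON_WINDOW = timedelta(minutes=5)
# PowerShell accepts -e, -ec, -enc and -EncodedCommand as the same switch.
ENCODED_PS = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\b")

# Constructed sample log: one Windows Security event per line (not real data).
SAMPLE_LOG = """\
{"TimeCreated": "2025-12-01T02:00:01", "EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.7", "LogonType": 3}
{"TimeCreated": "2025-12-01T02:00:03", "EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.7", "LogonType": 3}
{"TimeCreated": "2025-12-01T02:00:05", "EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.7", "LogonType": 3}
{"TimeCreated": "2025-12-01T02:00:06", "EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.7", "LogonType": 3}
{"TimeCreated": "2025-12-01T02:00:08", "EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.7", "LogonType": 3}
{"TimeCreated": "2025-12-01T02:00:09", "EventID": 4624, "TargetUserName": "svc_backup", "IpAddress": "203.0.113.7", "LogonType": 3}
{"TimeCreated": "2025-12-01T02:15:00", "EventID": 4624, "TargetUserName": "svc_backup", "IpAddress": "10.10.5.23", "LogonType": 10}
{"TimeCreated": "2025-12-01T02:15:30", "EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.10.1.5", "LogonType": 10}
{"TimeCreated": "2025-12-01T02:16:00", "EventID": 4688, "SubjectUserName": "svc_backup", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"}
{"TimeCreated": "2025-12-01T02:16:10", "EventID": 4688, "SubjectUserName": "jdoe", "CommandLine": "notepad.exe report.txt"}
"""


def parse_events(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def detect_bruteforce(events):
    """Flag (source IP, account) pairs with a burst of 4625 failures inside the
    window, and note whether a 4624 success from the same pair followed it."""
    failures = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4625:
            failures[(ev["IpAddress"], ev["TargetUserName"])].append(_ts(ev))
    alerts = []
    for (src, user), times in failures.items():
        times.sort()
        for i in range(len(times) - FAILED_LOGON_THRESHOLD + 1):
            if times[i + FAILED_LOGON_THRESHOLD - 1] - times[i] <= FAILED_LOGON_WINDOW:
                success = any(
                    ev["EventID"] == 4624 and ev["IpAddress"] == src
                    and ev["TargetUserName"] == user and _ts(ev) > times[-1]
                    for ev in events)
                alerts.append({"rule": "brute_force", "source": src, "account": user,
                               "failures": len(times), "followed_by_success": success})
                break
    return alerts


def detect_rdp_from_unexpected_source(events, allowed=ADMIN_JUMP_HOSTS):
    """LogonType 10 is RemoteInteractive (RDP); flag sessions whose source
    address is outside the approved jump-host subnet(s)."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 4624 and ev.get("LogonType") == 10:
            src = ip_address(ev["IpAddress"])
            if not any(src in net for net in allowed):
                alerts.append({"rule": "rdp_unexpected_source", "source": str(src),
                               "account": ev["TargetUserName"], "time": ev["TimeCreated"]})
    return alerts


def detect_encoded_powershell(events):
    """Flag 4688 process creations whose command line carries an encoded
    PowerShell payload, a common living-off-the-land pattern."""
    return [{"rule": "encoded_powershell", "user": ev.get("SubjectUserName"),
             "command": ev["CommandLine"], "time": ev["TimeCreated"]}
            for ev in events
            if ev["EventID"] == 4688 and ENCODED_PS.search(ev.get("CommandLine", ""))]


def run_all(text):
    """Run every rule over a JSON-lines log and group the alerts by rule."""
    events = parse_events(text)
    return {"bruteforce": detect_bruteforce(events),
            "rdp": detect_rdp_from_unexpected_source(events),
            "powershell": detect_encoded_powershell(events)}


if __name__ == "__main__":
    for rule, hits in run_all(SAMPLE_LOG).items():
        for hit in hits:
            print(rule, hit)
```

Against the constructed log this raises exactly one alert per rule: the five failures from 203.0.113.7 against svc_backup followed by a success, the RDP session from 10.10.5.23 (outside the jump-host range) while jdoe's session from 10.10.1.5 is accepted, and the encoded PowerShell launched as svc_backup. Correlating the three on the same account inside a short window is what turns isolated noise into a credible lateral-movement signal.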

Victim selection reflects a focus on organizations with substantial digital assets and sensitive data, including healthcare, education, legal, manufacturing, and service providers. The operational calculus for Medusa (and similar RaaS groups) prioritizes entities likely to meet ransom demands due to regulatory, reputational, or operational pressures.

Extortion Tactics: Encryption and Data Theft

Figure: Medusa Ransomware Victim from December 2025

Medusa’s extortion framework centers on three components:

  1. Encryption of data: Victims receive a ransom note instructing contact via encrypted messaging or Tor‑based portals.
  2. Public disclosure threats: Data exfiltrated prior to encryption is threatened with publication on dedicated leak sites if payment conditions are unmet.
  3. Data sale and secondary monetization: Beyond ransom payments, Medusa advertises exfiltrated data for sale to third parties, diversifying revenue streams and increasing leverage over victims.

Medusa’s negotiations have surfaced a structured menu of options presented to victims after the initial ransomware deployment:

  • Option 1: Data Suppression - $10,000 USD
    • Purpose: Prevent publication of stolen data
    • Condition: Data will not be publicly released
    • Time limit: 48-hour initial contact window
  • Option 2: Complete Data Deletion - $200,000 USD
    • Purpose: Permanent deletion of all exfiltrated data
    • Guarantee: Data removed from all Medusa-controlled systems
    • Verification: No method to confirm actual deletion
  • Option 3: Immediate Data Sale - $200,000 USD
    • Purpose: Selling data to interested third-party buyers
    • Risk: Data becomes available to other threat actors
    • Market: Advertised on Tor-based leak sites and dark web marketplaces

This tiered approach splits the group’s leverage into two tracks: extortion pressure on the victim itself, and direct monetization of the stolen information through sale to prospective buyers.

Medusa’s activities through November and December 2025 illustrate persistence and operational scaling. Published leaks have included personally identifiable information (PII), passport scans, confidentiality agreements, financial records (e.g., balance sheets, payments, contracts), and client or buyer lists. These categories of data heighten confidentiality concerns and complicate recovery and regulatory reporting obligations.

Figure: Medusa Ransomware Victims from November and December 2025

In November 2025, we identified at least 11 victims, with data from 10 publicly disclosed by the group:

  1. A U.S. skilled nursing and rehabilitation services provider.
  2. A subsidiary of a major mining company in Indonesia.
  3. A university in São Paulo, Brazil, with extensive PII exposure.
  4. A litigation support and legal services firm in Los Angeles, California.
  5. A global aluminium formwork solutions provider (Malaysia).
  6. A high‑end interiors firm (UAE).
  7. A convenience store and gas station operator (Utah, USA).
  8. A hospitality collective (New South Wales, Australia).
  9. A family‑owned pizza restaurant chain (Cincinnati, Ohio, USA).
  10. A petroleum products company engaged in environmental conservation (Dominican Republic).

In December 2025, Medusa’s victimology continued with at least three new entities:

  • A global producer of micronized polytetrafluoroethylene products based in New Jersey, USA.
  • A palm oil manufacturer headquartered in South Sumatra, Indonesia.
  • A Canadian provider of personal and workplace support services offering counselling, psychotherapy, and educational programs.

This distribution underscores Medusa’s targeting diversity across geographies and industry verticals and confirms that smaller enterprises remain within scope alongside larger institutional targets.

Conclusion

The Medusa ransomware group’s continued activity through late 2025 demonstrates the enduring risk posed by RaaS operations leveraging affiliate ecosystems, credential compromise, and multi‑vector extortion techniques. Recent incidents across diverse industries highlight that both large and small organizations are susceptible to compromise. Defensive strategies rooted in fundamental cybersecurity hygiene—patching, segmentation, identity protection, and incident readiness—remain central to reducing exposure and mitigating impact. Proactive engagement, paired with robust response frameworks, enables organizations to withstand and recover from ransomware incidents that mirror Medusa’s evolving tactics.

Key Takeaways:

  1. Multi-Extortion Model: Medusa's use of double and triple extortion creates compounding pressures on victims, with ransom demands ranging from $10,000 to $200,000 for data-related options.
  2. Sophisticated TTPs: The group's use of living-off-the-land tools, vulnerable driver exploitation (BYOVD), and legitimate administrative utilities enables evasion of traditional security controls.
  3. Affiliate Model Expansion: Medusa's RaaS operation has grown significantly, with affiliate payments up to $1 million attracting skilled cybercriminals to the ecosystem.
  4. Defense-in-Depth Required: Effective mitigation requires layered security controls spanning network segmentation, endpoint protection, access management, and comprehensive backup strategies.
  5. Incident Response Preparedness: Organizations must maintain tested incident response plans, forensic capabilities, and clear communication protocols to respond effectively to Medusa attacks.

As ransomware operations continue to evolve, cybersecurity practitioners must remain vigilant, implementing proactive defense strategies while maintaining robust incident response capabilities. The Medusa threat underscores the critical importance of layered security controls, regular security assessments, and organizational preparedness in an increasingly hostile cyber landscape.

References

  1. FBI, CISA, MS-ISAC Joint Advisory (March 12, 2025): "Medusa Ransomware" - AA25-071A
  2. Symantec Threat Hunter Team (2025): "Medusa Ransomware Analysis Report"
  3. Check Point Research (2025): "Medusa Ransomware Group Analysis"
  4. IntelSense Report (2025): "Medusa Ransomware Group 2025"
