Ransomware Group
Medusa
Also known as: Medusa Ransomware. Not to be confused with MedusaLocker, which is a separate, unrelated ransomware family.
Status: active • First seen 2021-06 • 400+ known victims
Medusa is a ransomware gang that runs a 'name and shame' leak site with a countdown timer for each victim. If the victim does not pay before the timer expires, the stolen data is published. Targets have included schools, hospitals and businesses. Negotiation is aggressive: victims are charged extra simply to extend the deadline.
Overview
Medusa is an active ransomware-as-a-service (RaaS) operation that has attacked hundreds of organizations worldwide. Data is stolen before systems are encrypted, and the group operates a dark-web leak site where it publishes that data if the ransom is not paid. It is known for aggressive negotiation tactics, including a per-victim countdown timer and a paid option to extend the deadline.
Target Industries
Education, Healthcare, Manufacturing, Legal Services, Technology, Government
How They Attack
- Exploiting internet-exposed or vulnerable RDP endpoints
- Phishing campaigns to harvest credentials or deliver malware
- Brute-force attacks against remote-access logins
- Exploiting unpatched vulnerabilities in internet-facing systems
- Using compromised credentials bought from initial access brokers
Notable Victims
Minneapolis Public Schools (2023), Toyota Financial Services (2023), Multiple US school districts, Various healthcare providers
How to Protect Against Medusa
1. Do not expose RDP directly to the internet; put all remote access behind a VPN or an authenticated gateway.
2. Enforce an account lockout policy (failure threshold, observation window, lockout duration) so brute-force attempts fail quickly, and alert on lockouts.
3. Require Network Level Authentication (NLA) on any RDP listener that must remain enabled.
4. Require MFA on every remote-access entry point, including VPN and RDP gateways.
5. Monitor for unusual after-hours RDP connections and for bursts of failed logons from a single source, and alert on both.
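The detection side of the list above (lockout-style thresholds and after-hours RDP monitoring) can be exercised against Windows Security events. The following is an added example written for this profile; it is not Medusa tooling and not code from this site. The event records are constructed for illustration, and the business hours, failure threshold and window are assumptions a deployment would tune. Field names follow the Windows Security log: Event ID 4624 is a successful logon, 4625 a failed logon, and LogonType 10 (RemoteInteractive) is RDP.

```python
"""Flag after-hours RDP logons and RDP brute-force bursts in Windows
Security events.

Added example for this profile; not Medusa tooling and not code from this
site. Event records below are constructed. Business hours, the failure
threshold and the window are assumptions to tune per environment.
"""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Assumed policy values (align with the account lockout policy you enforce).
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)
FAIL_THRESHOLD = 5          # failed logons from one source before we flag
FAIL_WINDOW_MINUTES = 10    # observation window for those failures

# Constructed sample (UTC timestamps; 2024-03-12 is a Tuesday).
SAMPLE_EVENTS = [
    # daytime RDP logon by a help-desk account: benign
    {"ts": "2024-03-12T10:15:00", "id": 4624, "logon_type": 10,
     "user": "helpdesk01", "src": "10.0.5.20"},
    # six failed RDP logons from one external address inside a minute ...
    *[{"ts": f"2024-03-12T02:00:{s:02d}", "id": 4625, "logon_type": 10,
       "user": "administrator", "src": "203.0.113.7"}
      for s in (5, 10, 20, 30, 40, 55)],
    # ... then a success from the same address: brute force that got through
    {"ts": "2024-03-12T02:01:10", "id": 4624, "logon_type": 10,
     "user": "administrator", "src": "203.0.113.7"},
    # a network logon (type 3) at night is not RDP and must not be flagged
    {"ts": "2024-03-12T02:05:00", "id": 4624, "logon_type": 3,
     "user": "svc_backup", "src": "10.0.5.40"},
    # three mistyped passwords spread over an hour: below threshold
    *[{"ts": f"2024-03-12T{h}:00", "id": 4625, "logon_type": 10,
       "user": "jdoe", "src": "10.0.5.40"}
      for h in ("09:00", "09:30", "10:00")],
]


def is_after_hours(ts):
    """Weekend, or outside the assumed 07:00-19:00 business window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def after_hours_rdp_logons(events):
    """Successful RDP logons (4624, LogonType 10) outside business hours."""
    return [(e["user"], e["src"], e["ts"]) for e in events
            if e["id"] == 4624 and e["logon_type"] == 10
            and is_after_hours(datetime.fromisoformat(e["ts"]))]


def brute_force_sources(events, threshold=FAIL_THRESHOLD,
                        window_minutes=FAIL_WINDOW_MINUTES):
    """Map source IP -> total failures, for each source that produced at
    least `threshold` failed logons (4625) within any `window_minutes` span.

    Keyed by source rather than by account, so password spraying across
    many usernames is caught even when no single account locks out.
    """
    window = timedelta(minutes=window_minutes)
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src"]].append(datetime.fromisoformat(e["ts"]))
    flagged = {}
    for src, stamps in by_src.items():
        recent = deque()
        for t in sorted(stamps):
            recent.append(t)
            while t - recent[0] > window:   # slide the window forward
                recent.popleft()
            if len(recent) >= threshold:
                flagged[src] = len(stamps)
                break
    return flagged


def successes_after_brute_force(events, threshold=FAIL_THRESHOLD,
                                window_minutes=FAIL_WINDOW_MINUTES):
    """RDP logons from a source that also produced a brute-force burst.

    This is the case that matters most: the lockout policy did not stop it.
    """
    brute = brute_force_sources(events, threshold, window_minutes)
    return [(e["src"], e["user"], e["ts"]) for e in events
            if e["id"] == 4624 and e["logon_type"] == 10 and e["src"] in brute]


def analyze(events):
    """Run all checks; the result is what a SIEM rule or ticket would carry."""
    return {
        "after_hours_rdp": after_hours_rdp_logons(events),
        "brute_force_sources": brute_force_sources(events),
        "brute_force_then_success": successes_after_brute_force(events),
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_EVENTS).items():
        print(f"{name}: {finding}")
```

Run against the sample, the script flags the 02:01 administrator logon as after-hours, flags 203.0.113.7 as a brute-force source (six failures in under a minute) and links that source to its subsequent successful RDP logon, while ignoring the night-time type 3 logon and the three spread-out failures from 10.0.5.40. In production the event list would come from Get-WinEvent or a SIEM export with the same fields.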
MITRE ATT&CK Techniques