The FBI and CISA have issued an advisory regarding the Medusa ransomware group, which has been increasingly active in 2025. The group has moved well beyond its previous year's attack levels, particularly focusing on critical infrastructure sectors. The advisory details the group's tactics, lists available indicators of compromise, and highlights the risks involved.

Affected: critical infrastructure sectors such as medical, education, legal, insurance, technology, manufacturing
Key points:
- FBI and CISA issued a warning about Medusa ransomware group due to increased activity.
- 60 Medusa ransomware attacks recorded in the first 72 days of 2025.
- Medusa has attacked critical infrastructure sectors, accounting for over 300 victims.
- Medusa was first identified in June 2021 and operates as a Ransomware-as-a-Service (RaaS).
- The group recruits brokers in online cybercrime forums for initial access to victims.
- Phishing campaigns are used to steal credentials, along with exploiting unpatched vulnerabilities.
- Common tools used for network enumeration include PowerShell and Windows Command Prompt.
- The advisory emphasizes the importance of strong cybersecurity practices to defend against such attacks.
MITRE Techniques:
- T1071.001: Application Layer Protocol – Uses remote access tools combined with RDP and PsExec for lateral movement.
- T1070.001: Indicator Removal on Host – Deletes the PowerShell command-line history to evade detection.
- T1046: Network Service Scanning – Scans commonly used ports for services including FTP, SSH, Telnet, and HTTP.
- T1190: Exploit Public-Facing Application – Exploits unpatched vulnerabilities such as CVE-2024-1709 and CVE-2023-48788.
- T1083: File and Directory Discovery – Uses Windows Management Instrumentation (WMI) and PowerShell for system information queries.
Indicators of Compromise:
- [File Hash MD5] 44370f5c977e415981febf7dbb87a85c (openrdp.bat — Allows incoming RDP and remote WMI connections)
- [File Hash MD5] 80d852cd199ac923205b61658a9ec5bc (pu.exe — Reverse shell)
- [Filename] !!!READ_ME_MEDUSA!!!.txt (Ransom note file)
Full Story: https://cyble.com/blog/medusa-ransomware-surges-as-fbi-share-insight/