From boutique operation to RaaS powerhouse
In its early stages, Medusa operated as a closed, centrally managed ransomware operation. That model, however, limited both scalability and the diversity of its attack vectors. In mid-2024, the group made a strategic pivot to the increasingly popular RaaS model, in which ransomware developers lease their tooling to affiliates in exchange for a percentage of ransom payments. Historically, this has marked a critical turning point that accelerated the success of many groups.

Medusa offloads the labor-intensive tasks of initial access and infection to a decentralized network of affiliates, which lets it retain control over payload development, encryption schemes, and ransom negotiation. As a result, the core team can harden its infrastructure, focus on offensive capabilities, and attract new talent. Affiliates can now tailor campaigns to regional or sectoral targets while Medusa’s core team focuses on innovating its malware and refining the group’s extortion tactics. This shift suggests a move from targeting small and medium-sized businesses to pursuing larger, more profitable targets.
Technical tactics and toolsets
Medusa employs a robust arsenal of tactics, techniques, and procedures (TTPs) that map to the MITRE ATT&CK framework, letting it gain initial access, escalate privileges, move laterally, and exfiltrate data before encrypting systems.

The group typically gains initial access via phishing emails that deploy malicious payloads or harvest credentials, and through exploitation of public-facing applications, particularly unpatched Microsoft Exchange and VPN vulnerabilities. Some affiliates have also been observed buying access to already-compromised environments from initial access brokers (IABs), which shortens the attack cycle.

Lateral movement and persistence are achieved through legitimate remote access software such as AnyDesk, Atera, and ConnectWise Control. These tools let the attackers blend into normal administrative activity, making detection difficult. PowerShell scripts and Windows Management Instrumentation (WMI) are frequently used for stealthy command execution.

Once inside the network, the attackers escalate privileges using tools such as Mimikatz to extract credentials from memory, gaining administrative-level access across domain environments.

Data exfiltration and encryption are staged operations. First, sensitive documents are stolen and staged for external transfer, usually via encrypted third-party tunneling, cloud storage services, or the file transfer protocol (FTP). Then the ransomware encrypts systems and displays a custom ransom note. Medusa typically employs a double extortion model that threatens to leak stolen data unless payment is made. Victims can also pay to delay the data-leak countdown or to have their breach announcement removed altogether. In some cases, Medusa uses a triple extortion tactic, demanding payment from affected customers or business partners of the primary victim.
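The chain above (remote-access tooling, WMI-launched PowerShell, LSASS credential access, outbound FTP) is exactly the kind of activity that hides inside normal administration when each event is examined alone. The following detection sweep is an added example, not code from the column or from Huntress: it scores Sysmon-style events per host and alerts only when several stages line up. The field names follow Sysmon's process-creation (EventID 1), network-connection (EventID 3) and process-access (EventID 10) events; the RMM allowlist, the weights and the threshold are assumptions, and every hostname, path, address and the encoded command (base64 of "AAAA") in the sample log are constructed placeholders, not observed indicators.

```python
"""Host-level detection sweep for the intrusion chain described above."""
import json
import re
from collections import defaultdict

# On-disk names of the remote-management tools the column lists; ScreenConnect is
# the installed name of ConnectWise Control. Matched on the image file name only.
RMM_IMAGES = {"anydesk.exe", "ateraagent.exe", "screenconnect.clientservice.exe"}
# Assumed corporate allowlist: hosts where a given RMM agent is expected.
RMM_ALLOWLIST = {"IT-HELPDESK01": {"ateraagent.exe"}}
# A PowerShell child of the WMI provider host points to remote execution via WMI.
WMI_PARENTS = {"wmiprvse.exe"}
# Short and long spellings of PowerShell's encoded-command switch.
ENCODED_PS = re.compile(r"-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)
# Processes that legitimately open LSASS and should not raise the LSASS signal.
LSASS_BENIGN = {"msmpeng.exe", "csrss.exe", "wininit.exe"}

# Assumed scoring scheme (not a published model): credential theft and exfil
# weigh more than a single RMM install, which on its own is often legitimate.
WEIGHTS = {"rmm_tool": 2, "wmi_powershell": 2, "encoded_powershell": 1,
           "lsass_access": 4, "ftp_outbound": 3}
ALERT_THRESHOLD = 5


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(ev: dict) -> list:
    """Return the detection labels a single Sysmon-style event triggers."""
    labels = []
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        if image in RMM_IMAGES and image not in RMM_ALLOWLIST.get(ev["Computer"], set()):
            labels.append("rmm_tool")
        if image in ("powershell.exe", "pwsh.exe"):
            if parent in WMI_PARENTS:
                labels.append("wmi_powershell")
            if ENCODED_PS.search(ev.get("CommandLine", "")):
                labels.append("encoded_powershell")
    elif eid == 10:  # process access (a handle opened on another process)
        if (basename(ev.get("TargetImage", "")) == "lsass.exe"
                and basename(ev.get("SourceImage", "")) not in LSASS_BENIGN):
            labels.append("lsass_access")
    elif eid == 3:  # network connection
        if ev.get("Initiated") and ev.get("DestinationPort") == 21:
            labels.append("ftp_outbound")
    return labels


def sweep(events: list) -> dict:
    """Aggregate labels per host; return only hosts whose score reaches the threshold."""
    per_host = defaultdict(lambda: {"labels": set(), "score": 0})
    for ev in events:
        for label in classify(ev):
            host = per_host[ev["Computer"]]
            if label not in host["labels"]:  # each signal counts once per host
                host["labels"].add(label)
                host["score"] += WEIGHTS[label]
    return {name: {"score": h["score"], "labels": sorted(h["labels"])}
            for name, h in per_host.items() if h["score"] >= ALERT_THRESHOLD}


def parse_log(text: str) -> list:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Constructed sample telemetry: hostnames, users, paths, the 203.0.113.10
# documentation address and the encoded command are placeholders.
SAMPLE_LOG = r"""
{"EventID": 1, "Computer": "IT-HELPDESK01", "Image": "C:\\Program Files\\ATERA Networks\\AteraAgent.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "AteraAgent.exe"}
{"EventID": 1, "Computer": "FS-02", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "AnyDesk.exe --silent"}
{"EventID": 1, "Computer": "FS-02", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "powershell.exe -enc QQBBAEEAQQA="}
{"EventID": 10, "Computer": "FS-02", "SourceImage": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe"}
{"EventID": 3, "Computer": "FS-02", "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe", "Initiated": true, "DestinationIp": "203.0.113.10", "DestinationPort": 21}
{"EventID": 10, "Computer": "WS-17", "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\MsMpEng.exe", "TargetImage": "C:\\Windows\\System32\\lsass.exe"}
{"EventID": 1, "Computer": "WS-17", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe Get-Date"}
"""


def run_sample() -> dict:
    """Sweep the constructed sample; only FS-02 should cross the threshold."""
    return sweep(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for host, detail in run_sample().items():
        print(f"{host}: score={detail['score']} signals={', '.join(detail['labels'])}")
```

The allowlisted Atera agent on the helpdesk host and Defender's routine LSASS access on WS-17 produce no signal, so neither host alerts; FS-02 scores on all five signals. In production the allowlist and weights would come from your own asset inventory and baseline, and the per-host aggregation should be bounded by a time window so that an RMM install from last quarter does not combine with an unrelated event today.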
Target profile: Critical infrastructure in the crosshairs
Medusa’s targeting trends reveal a clear and persistent focus on critical infrastructure and high-value organizations. The group has targeted the healthcare, education, legal, insurance, manufacturing, and technology sectors with increasing frequency. These sectors are particularly vulnerable because of their reliance on continuous operations, complex supply chains, and often aging IT infrastructure.

Healthcare organizations and law firms have been disproportionately affected because of the sensitive nature of their data and the potential for life-threatening service disruptions. Our recent data indicates that Medusa has disproportionately targeted the following sectors: 22% of its attacks have hit healthcare organizations, 34% law offices, and 16% technology-related businesses.

Educational institutions, similarly, have faced attacks timed around peak operational periods, such as exam seasons, to maximize leverage. Both of these have been extensively targeted by Medusa in the past, accounting for nearly half of the suspected breaches witnessed in 2024.

Ransom demands vary, ranging from $100,000 to $15 million, with an average demand of approximately $1.2 million. The group’s extortion portal, known as the “Medusa Blog,” publicly lists victims and leaked data samples, further pressuring victims to comply.
Anticipating future targets
Given Medusa’s pattern of escalating attacks against critical infrastructure, sectors such as energy, telecommunications, and transportation are likely to face increased targeting in 2025. These industries present high-impact opportunities for attackers, especially as geopolitical tensions heighten and cyberattacks increasingly align with state-sponsored disruption strategies.

Additionally, the group’s use of affiliates across multiple regions introduces the possibility of wider geographic spread and customized regional campaigns. This modular and distributed threat model makes Medusa particularly challenging for defenders. The group will likely continue to target healthcare, transportation, and areas that retain highly sensitive data, such as insurance, legal offices, and government records. These sectors are more likely to pay a ransom because of the high impact of potential breaches.

Greg Linares, principal threat intelligence analyst, Huntress

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.