Verticals Targeted: Government, Insurance, Real Estate, Healthcare, Manufacturing, Legal Services, Construction, Retail, Business Services, Energy, Education, Telecommunications, Software, Hospitality, Transportation, Financial
Executive Summary
Medusa ransomware is a ransomware-as-a-service (RaaS) operation that has been active since at least 2023. Medusa has claimed several victims so far in 2025, including the UK's Gateshead Council.
Key Takeaways
- Medusa is a ransomware family that has been active since at least 2023 and targets Windows machines.
- Medusa ransomware obtains initial access by exploiting vulnerable and unpatched systems and by using credentials obtained from initial access brokers (IABs).
- Medusa ransomware uses a double extortion method, demanding a ransom payment to decrypt encrypted data and threatening to leak stolen files if the ransom is not paid.
What is Medusa ransomware?
Medusa is a ransomware family that has been active since at least 2023. Not to be confused with the Medusa Android banking trojan or with MedusaLocker, Medusa is a ransomware as a service (RaaS) that targets Windows machines. Tripwire recently reported on Medusa ransomware.
Medusa ransomware obtains initial access by exploiting vulnerable and unpatched systems and by using credentials obtained from initial access brokers (IABs). To evade detection, Medusa ransomware uses living-off-the-land (LOTL) techniques, relying on tools already present on the victim's system rather than dropping additional malware.
Like many ransomware families, Medusa exfiltrates victim data and deletes volume shadow copies prior to encrypting files on infected systems, removing the local restore points a victim could otherwise use to recover without paying. It also deletes virtual hard disk files used by virtual machines. Files are encrypted using AES-256, and encrypted files are appended with the .MEDUSA extension. A ransom note is left on the victim machine. Medusa ransomware uses a double extortion method, demanding a ransom payment to decrypt encrypted data and threatening to leak stolen files if the ransom is not paid.
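The pre-encryption behaviour described above (shadow copy deletion, virtual disk deletion, mass writes of files carrying the .MEDUSA extension) is what a defender can alert on before the ransom note appears. The following is an added detection example written for this page; it is not PolySwarm's code, not Medusa's, and not drawn from any particular product. It runs simple rules over constructed, simplified Windows telemetry lines (process-creation events in a Sysmon EID 1 / Security 4688 style and file-create events in a Sysmon EID 11 style). The log format, host names, user names and file paths are all invented for the example; the command lines it matches are generic shadow-copy and disk-deletion commands, not commands attributed to Medusa by this page.

```python
import re
from dataclasses import dataclass

# Constructed sample telemetry for the example (not real logs). Each line is either a
# process-creation event ("image=... cmdline=...") or a file-create event ("op=... target=...").
SAMPLE_EVENTS = [
    '2025-03-01T10:02:11Z host=FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    '2025-03-01T10:02:13Z host=FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="wmic shadowcopy delete"',
    '2025-03-01T10:02:20Z host=FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
    '2025-03-01T10:02:45Z host=HV01 user=CORP\\svc_backup image=C:\\Windows\\System32\\cmd.exe cmdline="cmd /c del /f /q D:\\VMs\\*.vhdx"',
    '2025-03-01T10:05:00Z host=WS07 user=CORP\\jdoe image=C:\\Program Files\\Backup\\backup.exe cmdline="backup.exe --snapshot daily"',
    '2025-03-01T10:06:01Z host=FS01 op=FileCreate target=D:\\Shares\\Finance\\Q1-forecast.xlsx.MEDUSA',
    '2025-03-01T10:06:01Z host=FS01 op=FileCreate target=D:\\Shares\\Finance\\board-minutes.docx.MEDUSA',
    '2025-03-01T10:06:02Z host=FS01 op=FileCreate target=D:\\Shares\\Legal\\contract.pdf.MEDUSA',
    '2025-03-01T10:06:30Z host=WS07 op=FileCreate target=C:\\Users\\jdoe\\Desktop\\notes.txt',
]

# Parser for the constructed format above: timestamp, host, optional user, then either a
# process record (image + quoted cmdline) or a file record (op + target).
EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) (?:user=(?P<user>\S+) )?'
    r'(?:image=(?P<image>.+?) cmdline="(?P<cmdline>.*)"|op=(?P<op>\S+) target=(?P<target>.+))$'
)

# Command-line patterns for the two pre-encryption steps the page describes.
PROCESS_RULES = {
    # Volume shadow copy deletion via vssadmin, WMIC, or WMI from PowerShell (ATT&CK T1490).
    "shadow_copy_deletion": [
        re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
        re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
        re.compile(r"Win32_ShadowCopy.*\.Delete\(", re.I),
    ],
    # Deletion of virtual hard disk files (.vhd / .vhdx) from a shell or PowerShell.
    "vhd_deletion": [
        re.compile(r"\b(del|erase|remove-item|rm)\b.*\.vhdx?\b", re.I),
    ],
}

ENCRYPTED_EXTENSION = ".MEDUSA"


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def scan(events, rename_threshold=3):
    """Run the rules over a list of event lines and return the alerts raised.

    Process events are matched one at a time. File events are aggregated per host,
    because a single file with the .MEDUSA extension is weak evidence while many
    appearing in quick succession on one host is the encryption run itself.
    """
    alerts = []
    renamed = {}  # host -> targets written with the ransomware extension
    for line in events:
        m = EVENT_RE.match(line)
        if not m:
            continue  # unparseable line; a production pipeline should count these
        host = m["host"]
        if m["cmdline"] is not None:
            for rule, patterns in PROCESS_RULES.items():
                if any(p.search(m["cmdline"]) for p in patterns):
                    alerts.append(Alert(rule, host, m["cmdline"]))
        elif m["op"] == "FileCreate" and m["target"].upper().endswith(ENCRYPTED_EXTENSION):
            renamed.setdefault(host, []).append(m["target"])
    for host, targets in renamed.items():
        if len(targets) >= rename_threshold:
            alerts.append(Alert("medusa_extension_mass_write", host,
                                f"{len(targets)} files, e.g. {targets[0]}"))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

On the sample data this raises three shadow-copy alerts and one VHD-deletion alert on FS01 and HV01, and one mass-write alert for FS01 once three .MEDUSA files have been created; the benign backup job on WS07 and its single ordinary file create raise nothing. Backup agents legitimately run `vssadmin delete shadows`, so in practice the shadow-copy rule should be scoped by parent process or service account rather than fired on its own; the value of the extension rule is that it is independent of which LOTL tool the operator chose.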
Medusa ransomware is known to target entities in the government, insurance, real estate, healthcare, manufacturing, legal services, construction, retail, business services, energy, education, software, telecommunications, hospitality, transportation, and financial verticals. Victims have included entities in the US, Chile, Germany, Australia, Belgium, the Philippines, Israel, the UK, Brazil, Canada, Peru, Norway, Japan, and other locations. One of the group's most recent targets was the UK's Gateshead Council. Medusa allegedly leaked stolen documents on its leak site and made a ransom demand of £600K.
IOCs
PolySwarm has multiple samples of Medusa ransomware. SHA-256 hashes of the samples:
4d4df87cf8d8551d836f67fbde4337863bac3ff6b5cb324675054ea023b12ab6
7d68da8aa78929bb467682ddb080e750ed07cd21b1ee7a9f38cf2810eeb9cb95
9144a60ac86d4c91f7553768d9bef848acd3bd9fe3e599b7ea2024a8a3115669
736de79e0a2d08156bae608b2a3e63336829d59d38d61907642149a566ebd270
You can use the following CLI command to search for all Medusa ransomware samples in our portal:
$ polyswarm link list -f MedusaRansomware
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.