Medusa

Threat Actor Profile Updated 6 days ago
Medusa, a threat actor known for its ransomware activities, has been on the rise since late 2023, when it leveraged a zero-day exploit for the Citrix Bleed vulnerability (CVE-2023-4966) alongside other groups such as LockBit and ALPHV (BlackCat). This vulnerability led to numerous compromises by these groups in November 2023. Medusa's ransomware operations have escalated from data leaks to multi-extortion techniques, and recruitment advertisements observed by GRIT indicate attempts to expand their operations. GRIT categorizes Medusa as an established group in its ransomware taxonomy, indicating a high level of maturity and sophistication in their operations.

Medusa's ransomware attacks have targeted various organizations globally, including major corporations such as Toyota and healthcare entities like United Healthcare, Optum, and Change Healthcare. In one notable incident, Medusa exfiltrated 51GB of sensitive data from Northeast Ohio Neighborhood Health, including Protected Health Information and Personally Identifiable Information, and demanded a $250,000 ransom to prevent the sale or public release of this data. Medusa has also published sensitive student mental health records after failing to secure a ransom, demonstrating its willingness to follow through on threats.

Despite its global reach, Medusa's operations come with certain geographical restrictions. Advertisements from Medusa prohibit targeting any organization based within the Commonwealth of Independent States (CIS), with additional restrictions against Cuban, North Korean, and Chinese targets. The group's impact extends to South America, where it affected Digitel networks in Venezuela in early 2024 and launched attacks on various entities in Chile and Argentina in the previous year. At the time of writing, Medusa continues to pose a significant threat to organizations worldwide due to its aggressive tactics and extensive capabilities.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Medusa Ransomware (6 votes)
Medusa ransomware is a type of malicious software that has been on the rise, causing significant damage and disruption to various organizations. It operates by infiltrating systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal person

Operation Medusa (4 votes)
Operation Medusa was a concerted campaign led by the United States Department of Justice and the FBI to disrupt the activities of Turla's Snake malware. Snake, a signature malware used by the Russia-sponsored Turla advanced persistent threat (APT), had been compromising computers on a large scale. T

MedusaLocker (2 votes)
MedusaLocker is a potent variant of ransomware, first observed in September 2019, that primarily targets Windows machines through spam. It was deemed "lesser known but potent" by the US Department of Health and Human Services in a February 2023 report. The malware notably leveraged the disorder and
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Malware
Ransom
Operation Me...
Perseus
Vulnerability
Infiltration
Toyota
Exploit
Data Leak
Extortion
Encryption
Locker
Encrypt
Botnet
Linux
Ddos
Telegram
RaaS
Windows
Associated Malware
LockBit (relationship type: Unspecified; 6 votes)
LockBit is a malicious software, or malware, that has been significantly active in recent years. It is designed to infiltrate systems and cause significant damage by stealing sensitive information, disrupting operations, and holding data hostage for ransom. In 2023, security firm Rapid7 named LockBi

Snake Malware (relationship type: Unspecified; 4 votes)
The infamous Snake malware, a complex and destructive tool utilized by Pensive Ursa, became the target of a significant cybersecurity operation in May 2023. Detailed in a CISA report, the Snake malware was known to infiltrate systems via suspicious downloads, emails, or websites, often unbeknownst t

Locker Ransomware (relationship type: Unspecified; 4 votes)
Locker ransomware, a type of malware, poses significant risks to computer systems and data. Unlike crypto-ransomware, which encrypts user data, locker ransomware locks users out of their devices entirely, demanding a ransom payment to restore access without any data encryption. This threat has evolve

Akira (relationship type: Unspecified; 3 votes)
Akira is a compact C++ ransomware that has wreaked havoc across various sectors, impacting over 60 organizations globally. It is compatible with both Windows and Linux systems and is known for its minimalistic JQuery Terminal-based hidden service used for victim communication. The malware enters you

Royal Ransomware (relationship type: Unspecified; 2 votes)
Royal Ransomware, a harmful malware created by former members of the Conti group, was involved in multiple high-profile attacks against critical infrastructure. Its operations were characterized by multi-threaded encryption and it often left a ransom note after infecting systems. Notably, the Royal

Mirai (relationship type: Unspecified; 2 votes)
Mirai is a type of malware that specifically targets Internet of Things (IoT) devices to form a botnet, which is a network of compromised devices controlled by an attacker. The Mirai botnet gained significant attention in early 2022 when it accounted for over 7 million botnet detections. However, by

Clop (relationship type: Unspecified; 2 votes)
Clop is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom. T

AuKill (relationship type: Unspecified; 2 votes)
AuKill is a sophisticated piece of malware that has been used in various ransomware attacks since the beginning of 2023. The malware leverages a vulnerable version of a driver for Microsoft's Process Explorer utility to disable endpoint protection products, thereby paving the way for the deployment
Associated Threat Actors
Turla (relationship type: Unspecified; 5 votes)
Turla, also known as Pensive Ursa, Snake, Uroburos, Waterbug, Venomous Bear, and KRYPTON, is a threat actor that has been active since at least 2004. This group, which is believed to be Russia-sponsored, primarily targets diplomatic and government organizations, private businesses, and non-governmen

Snake (relationship type: Unspecified; 5 votes)
Snake, also known as Turla or EKANS, is a significant threat actor that has been active since at least 2004 and possibly as far back as the late 1990s. This cybercrime group possesses an extensive arsenal of tools and malware, including AgentTesla, FormBook, Remcos, LokiBot, GuLoader, Snake Keylogge

AlphV (relationship type: Unspecified; 4 votes)
AlphV, also known as BlackCat, is a significant threat actor within the cybercrime landscape. Throughout 2023, AlphV has been responsible for numerous high-profile ransomware attacks, stealing significant amounts of data from various organizations. The group claimed responsibility for hacking Clario

Rhysida (relationship type: Unspecified; 2 votes)
Rhysida is a prominent threat actor in the cybersecurity landscape, first emerging in May 2023 as a Ransomware-as-a-Service (RaaS) operation. Initially targeting Windows systems, Rhysida later expanded to Linux platforms. The ransomware uses AES and RSA algorithms for file encryption, with the ChaCh
Associated Vulnerabilities
CVE-2023-4966 (relationship type: Unspecified; 2 votes)
CVE-2023-4966, also known as Citrix Bleed, is a critical software vulnerability that affects Citrix NetScaler ADC and Gateway products. This flaw in the software design or implementation was discovered in 2023 and is classified as a sensitive information disclosure vulnerability with a CVSS score of

Citrix Bleed (relationship type: has used; 2 votes)
Citrix Bleed, identified as CVE-2023-4966, is a severe software vulnerability in Citrix NetScaler Gateway and NetScaler ADC products, with a high CVSS score of 9.4 indicating its critical nature. This flaw allows for sensitive information disclosure, bypassing password requirements and multifactor a
Source Document References
Information about the Medusa Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source (created): Title

Unit42 (5 months ago): Medusa Ransomware Turning Your Files into Stone
CERT-EU (a year ago): Medusa botnet returns as a Mirai-based variant with ransomware sting
CERT-EU (a year ago): A cancer centre is the latest victim of cyber attacks. Why health data hacks keep happening
CERT-EU (8 months ago): Medusa ransomware unleashes unprecedented cyber attack against Philhealth | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (5 months ago): Medusa group steps up ransomware activities | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (8 months ago): MEDUSA Cyber Attacks: Two New Victims Added To The List!
CERT-EU (a year ago): Notorious Medusa ransomware: Gang seeks $500,000 from GMDC | Ahmedabad News | #ransomware | #cybercrime – National Cyber Security Consulting
CERT-EU (5 months ago): CVE-2023-50258 - Alert Detail - Security Database
CERT-EU (8 months ago): DICT issues guidelines, security measures to combat Medusa ransomware | #ransomware | #cybercrime | National Cyber Security Consulting
BankInfoSecurity (5 months ago): Ransomware Trends: Medusa and Akira Rage; Tortilla Disrupted
CERT-EU (4 months ago): The Top 10 Ransomware Groups of 2023
CERT-EU (8 months ago): PhilHealth hit by ransomware – report | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (4 months ago): Medusa Ransomware Unleashes New Tactics: Data Sale, Time Extension, and AI Threats - Cybersecurity Insiders
CERT-EU (6 months ago): The Week in Ransomware - November 17th 2023 - Citrix in the Crosshairs
CERT-EU (8 months ago): Philippines state health org struggling to recover from ransomware attack
CERT-EU (5 months ago): Ransomware victims are being offered payment extension plans as groups ratchet up pressure | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (5 months ago): From Data Leaks to Physical Threats | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU (a year ago): Emerging Threat Landscape: 167 New Ransomware Groups Emerge in Q1 2023 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware – National Cyber Security Consulting
CERT-EU (8 months ago): Auckland Transport suffers "technical outage" as Medusa ransomware gang claims hack | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU (5 months ago): Ransomware gang targets nonprofit providing clean water to world's poorest | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting