Analytics Story: Medusa Ransomware

Description

Medusa ransomware is a sophisticated malware variant that encrypts victims' files and demands a ransom for decryption. It infiltrates systems through phishing emails, malicious downloads, or exploited vulnerabilities. Once inside, it encrypts files, appends specific extensions, and drops ransom notes with payment instructions. Medusa may also disable security tools, delete backups, and threaten to leak stolen data. Detection methods include monitoring unusual file encryption activity, identifying changes in file extensions, detecting unauthorized system modifications, and analyzing ransom notes. Advanced cybersecurity solutions use behavior-based detection, machine learning, and endpoint protection to identify and block Medusa ransomware before it executes. Regular updates, network monitoring, and employee awareness are crucial for preventing infections.
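The detection methods named above (unusual file encryption activity, changed file extensions, ransom notes) come down to counting file-create events per process inside a short time window. The following Python script is an added example, not part of this analytics story or the Splunk content it catalogues; it runs two sliding-window heuristics over Sysmon Event ID 11 (FileCreate) records in a constructed tab-separated `key=value` form. The extension list, note filenames, process names, thresholds and all sample events are constructed placeholders, not Medusa indicators from the page.

```python
"""Sliding-window detection over Sysmon Event ID 11 (FileCreate) records.

Two heuristics, in the spirit of the detections listed on this page:
  * many files with a known ransomware extension created by one process
  * the same ransom-note filename dropped into many directories
All lists, names and events below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lists (the real Splunk content keeps these in lookups).
RANSOMWARE_EXTENSIONS = {".locked", ".encrypted", ".crypt"}
RANSOM_NOTE_NAMES = {"readme_to_restore.txt", "how_to_decrypt.html"}

WINDOW = timedelta(minutes=5)
EXT_THRESHOLD = 20    # distinct encrypted files from one process within WINDOW
NOTE_THRESHOLD = 10   # distinct directories receiving the same note within WINDOW


def parse_event(line):
    """Parse one constructed 'UtcTime=..\\tImage=..\\tTargetFilename=..' record."""
    fields = dict(f.split("=", 1) for f in line.strip().split("\t"))
    return {
        "time": datetime.fromisoformat(fields["UtcTime"]),
        "image": fields["Image"],
        "target": fields["TargetFilename"],
    }


def split_path(path):
    """Split a Windows or POSIX path into (directory, filename), lowercased."""
    directory, _, name = path.replace("/", "\\").lower().rpartition("\\")
    return directory, name


def extension(name):
    return name[name.rfind("."):] if "." in name else ""


def windowed_distinct(events, key_fn, value_fn, threshold):
    """For each key, count distinct values inside a sliding WINDOW.

    Returns {key: peak distinct count} for keys that reached the threshold.
    """
    buckets = defaultdict(list)
    for e in events:
        k = key_fn(e)
        if k is not None:
            buckets[k].append((e["time"], value_fn(e)))
    hits = {}
    for k, items in buckets.items():
        items.sort()
        counts, start = defaultdict(int), 0
        for t, v in items:
            counts[v] += 1
            while t - items[start][0] > WINDOW:   # evict events older than WINDOW
                old = items[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= threshold:
                hits[k] = max(hits.get(k, 0), len(counts))
    return hits


def detect_ransomware_extensions(events):
    """Processes creating >= EXT_THRESHOLD distinct files with a listed extension."""
    def key(e):
        return e["image"] if extension(split_path(e["target"])[1]) in RANSOMWARE_EXTENSIONS else None
    return windowed_distinct(events, key, lambda e: e["target"].lower(), EXT_THRESHOLD)


def detect_bulk_ransom_notes(events):
    """(process, note name) pairs dropping the note into >= NOTE_THRESHOLD directories."""
    def key(e):
        name = split_path(e["target"])[1]
        return (e["image"], name) if name in RANSOM_NOTE_NAMES else None
    return windowed_distinct(events, key, lambda e: split_path(e["target"])[0], NOTE_THRESHOLD)


def sample_lines():
    """Constructed records: one noisy encryptor plus a slow, benign archiver."""
    base = datetime(2025, 3, 1, 2, 0, 0)
    bad = r"C:\Users\Public\svchost32.exe"            # constructed name
    good = r"C:\Program Files\Backup\backup.exe"       # constructed name
    lines = []
    for i in range(25):   # 25 encrypted files in under two minutes
        t = base + timedelta(seconds=4 * i)
        lines.append(f"UtcTime={t.isoformat()}\tImage={bad}\tTargetFilename=C:\\Shares\\Finance\\q{i}.xlsx.locked")
    for i in range(12):   # same note dropped into 12 directories
        t = base + timedelta(seconds=3 * i)
        lines.append(f"UtcTime={t.isoformat()}\tImage={bad}\tTargetFilename=C:\\Shares\\Dept{i}\\readme_to_restore.txt")
    for i in range(25):   # 25 .crypt archives spread over four hours: never 20 in one window
        t = base + timedelta(minutes=10 * i)
        lines.append(f"UtcTime={t.isoformat()}\tImage={good}\tTargetFilename=D:\\Archive\\vol{i}.crypt")
    return lines


def run(lines=None):
    events = [parse_event(line) for line in (lines or sample_lines())]
    return {"extensions": detect_ransomware_extensions(events),
            "notes": detect_bulk_ransom_notes(events)}


if __name__ == "__main__":
    for name, hits in run().items():
        for key, count in hits.items():
            print(f"[{name}] {key}: {count} distinct within {WINDOW}")
```

The window and thresholds are the tuning knobs: the benign archiver in the sample also writes a listed extension, but only one file per ten minutes, so it never reaches the threshold. In Splunk the same logic is typically expressed with `bin _time` plus `stats dc(...) by Image`, which is what the per-key distinct count above approximates.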

Why it matters

Medusa is a ransomware-as-a-service (RaaS) variant first identified in June 2021, and it has been used to conduct ransomware attacks from 2021 to present. Medusa originally operated as a closed ransomware variant, meaning all development and associated operations were controlled by the same group of cyber threat actors. While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers. Medusa developers and affiliates are referred to collectively as "Medusa actors". As of February 2025, Medusa actors have impacted over 300 victims from a variety of critical infrastructure sectors, with affected industries including medical, education, legal, insurance, technology, and manufacturing. Per the FBI's investigation, the Medusa ransomware variant is unrelated to the MedusaLocker variant and to the Medusa mobile malware variant. FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of their joint advisory to reduce the likelihood and impact of Medusa ransomware incidents.

Detections

Name | Technique | Type
Allow Inbound Traffic By Firewall Rule Registry | Remote Desktop Protocol | TTP
Allow Network Discovery In Firewall | Disable or Modify Cloud Firewall | TTP
Common Ransomware Extensions | Data Destruction | TTP
Common Ransomware Notes | Data Destruction | Hunting
Deleting Shadow Copies | Inhibit System Recovery | TTP
Detect PsExec With accepteula Flag | SMB/Windows Admin Shares | TTP
Detect Renamed PSExec | Service Execution | Hunting
Domain Controller Discovery with Nltest | Remote System Discovery | TTP
Firewall Allowed Program Enable | Disable or Modify System Firewall | Anomaly
GetAdComputer with PowerShell | Remote System Discovery | Hunting
GetAdComputer with PowerShell Script Block | Remote System Discovery | Hunting
High Process Termination Frequency | Data Encrypted for Impact | Anomaly
Network Connection Discovery With Netstat | System Network Connections Discovery | Hunting
NLTest Domain Trust Discovery | Domain Trust Discovery | TTP
PowerShell 4104 Hunting | PowerShell | Hunting
Powershell Fileless Script Contains Base64 Encoded Content | Obfuscated Files or Information, PowerShell | TTP
Powershell Processing Stream Of Data | PowerShell | TTP
Powershell Using memory As Backing Store | PowerShell | TTP
PowerShell WebRequest Using Memory Stream | PowerShell, Ingress Tool Transfer, Fileless Storage | TTP
Ransomware Notes bulk creation | Data Encrypted for Impact | Anomaly
Resize ShadowStorage volume | Inhibit System Recovery | TTP
Scheduled Task Deleted Or Created via CMD | Scheduled Task | TTP
Scheduled Task Initiation on Remote Endpoint | Scheduled Task | TTP
Schtasks Run Task On Demand | Scheduled Task/Job | TTP
Suspicious Scheduled Task from Public Directory | Scheduled Task | Anomaly
System Information Discovery Detection | System Information Discovery | TTP
System User Discovery With Query | System Owner/User Discovery | Hunting
Windows AD add Self to Group | Account Manipulation | TTP
Windows Cmdline Tool Execution From Non-Shell Process | JavaScript | Anomaly
Windows ConsoleHost History File Deletion | Clear Command History | Anomaly
Windows Create Local Administrator Account Via Net | Local Account | Anomaly
Windows Firewall Rule Added | Disable or Modify System Firewall | Anomaly
Windows Firewall Rule Deletion | Disable or Modify System Firewall | Anomaly
Windows Firewall Rule Modification | Disable or Modify System Firewall | Anomaly
Windows Get-AdComputer Unconstrained Delegation Discovery | Remote System Discovery | TTP
Windows Group Discovery Via Net | Local Groups, Domain Groups | Hunting
Windows High File Deletion Frequency | Data Destruction | Anomaly
Windows Modify Registry Disable Restricted Admin | Modify Registry | TTP
Windows Modify System Firewall with Notable Process Path | Disable or Modify System Firewall | TTP
Windows MSIExec Spawn Discovery Command | Msiexec | TTP
Windows MSTSC RDP Commandline | Remote Desktop Protocol | Anomaly
Windows Powershell History File Deletion | Windows Command Shell, Clear Command History | Anomaly
Windows Remote Host Computer Management Access | Windows Remote Management | Anomaly
Windows Remote Services Rdp Enable | Remote Desktop Protocol | TTP
Windows Schtasks Create Run As System | Scheduled Task | TTP
Windows Suspicious Child Process Spawned From WebServer | Web Shell | TTP
Windows System Network Config Discovery Display DNS | System Network Configuration Discovery | Anomaly
Windows System Remote Discovery With Query | System Owner/User Discovery | Anomaly
Windows User Discovery Via Net | Local Account | Hunting
WinEvent Scheduled Task Created to Spawn Shell | Scheduled Task | TTP
WinEvent Scheduled Task Created Within Public Path | Scheduled Task | TTP

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 23 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 26 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 5 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4698 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4728 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4946 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4947 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4948 | Windows | xmlwineventlog | XmlWinEventLog:Security

Source: GitHub | Version: 1