Analytics Story: Medusa Ransomware

Description

Medusa ransomware is a sophisticated malware variant that encrypts victims' files and demands a ransom for decryption. It infiltrates systems through phishing emails, malicious downloads, or exploited vulnerabilities. Once inside, it encrypts files, appends specific extensions, and drops ransom notes with payment instructions. Medusa may also disable security tools, delete backups, and threaten to leak stolen data. Detection methods include monitoring unusual file encryption activity, identifying changes in file extensions, detecting unauthorized system modifications, and analyzing ransom notes. Advanced cybersecurity solutions use behavior-based detection, machine learning, and endpoint protection to identify and block Medusa ransomware before it executes. Regular updates, network monitoring, and employee awareness are crucial for preventing infections.

Why it matters

The RaaS Medusa variant has been used to conduct ransomware attacks from 2021 to present. Medusa originally operated as a closed ransomware variant, meaning all development and associated operations were controlled by the same group of cyber threat actors. While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers. Both Medusa developers and affiliates are referred to as “Medusa actors”. Medusa is a ransomware-as-a-service (RaaS) variant first identified in June 2021. As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors, with affected industries including medical, education, legal, insurance, technology, and manufacturing. Per the FBI’s investigation, the Medusa ransomware variant is unrelated to the MedusaLocker variant and the Medusa mobile malware variant. FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents.

Detections

Name | Technique | Type
Allow Network Discovery In Firewall | Cloud Firewall | TTP
Allow Inbound Traffic By Firewall Rule Registry | Remote Desktop Protocol | TTP
GetAdComputer with PowerShell Script Block | Remote System Discovery | Hunting
Network Connection Discovery With Netstat | System Network Connections Discovery | Hunting
Common Ransomware Extensions | Data Destruction | TTP
Scheduled Task Initiation on Remote Endpoint | Scheduled Task | TTP
WinEvent Scheduled Task Created Within Public Path | Scheduled Task | TTP
Deleting Shadow Copies | Inhibit System Recovery | TTP
Windows Get-AdComputer Unconstrained Delegation Discovery | Remote System Discovery | TTP
Windows Remote Services Rdp Enable | Remote Desktop Protocol | TTP
Windows Modify System Firewall with Notable Process Path | Disable or Modify System Firewall | TTP
Windows System Network Config Discovery Display DNS | System Network Configuration Discovery | Anomaly
Detect Renamed PSExec | Service Execution | Hunting
System User Discovery With Query | System Owner/User Discovery | Hunting
NLTest Domain Trust Discovery | Domain Trust Discovery | TTP
Windows MSTSC RDP Commandline | Remote Desktop Protocol | Anomaly
Powershell Using memory As Backing Store | PowerShell | TTP
Windows ConsoleHost History File Deletion | Clear Command History | Anomaly
Resize ShadowStorage volume | Inhibit System Recovery | TTP
Windows PUA Named Pipe | SMB/Windows Admin Shares, Process Injection, Inter-Process Communication | Anomaly
PowerShell WebRequest Using Memory Stream | Fileless Storage, PowerShell, Ingress Tool Transfer | TTP
Windows Schtasks Create Run As System | Scheduled Task | TTP
Detect PsExec With accepteula Flag | SMB/Windows Admin Shares | TTP
Windows Firewall Rule Modification | Disable or Modify System Firewall | Anomaly
System Information Discovery Detection | System Information Discovery | TTP
Firewall Allowed Program Enable | Disable or Modify System Firewall | Anomaly
PowerShell 4104 Hunting | PowerShell | Hunting
Suspicious Scheduled Task from Public Directory | Scheduled Task | Anomaly
Powershell Processing Stream Of Data | PowerShell | TTP
Common Ransomware Notes | Data Destruction | Hunting
Scheduled Task Deleted Or Created via CMD | Scheduled Task | Anomaly
Windows Powershell History File Deletion | Windows Command Shell, Clear Command History | Anomaly
GetAdComputer with PowerShell | Remote System Discovery | Hunting
Windows MSIExec Spawn Discovery Command | Msiexec | Anomaly
Ransomware Notes bulk creation | Data Encrypted for Impact | Anomaly
Powershell Fileless Script Contains Base64 Encoded Content | Obfuscated Files or Information, PowerShell | TTP
Windows Remote Host Computer Management Access | Windows Remote Management | Anomaly
Windows System Remote Discovery With Query | System Owner/User Discovery | Hunting
Schtasks Run Task On Demand | Scheduled Task/Job | Anomaly
Windows AD add Self to Group | Account Manipulation | TTP
Windows Suspicious Child Process Spawned From WebServer | Web Shell | Anomaly
Windows User Discovery Via Net | Local Account | Hunting
Windows Cmdline Tool Execution From Non-Shell Process | JavaScript | Anomaly
Windows Group Discovery Via Net | Local Groups, Domain Groups | Hunting
Domain Controller Discovery with Nltest | Remote System Discovery | TTP
Windows Firewall Rule Added | Disable or Modify System Firewall | Anomaly
Windows Modify Registry Disable Restricted Admin | Modify Registry | TTP
High Process Termination Frequency | Data Encrypted for Impact | Anomaly
WinEvent Scheduled Task Created to Spawn Shell | Scheduled Task | TTP
Windows Create Local Administrator Account Via Net | Local Account | Anomaly
Windows Firewall Rule Deletion | Disable or Modify System Firewall | Anomaly
Windows High File Deletion Frequency | Data Destruction | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4698 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 23 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 26 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 17 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 18 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4947 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log Security 4728 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log Security 4946 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 5 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4948 | Windows | XmlWinEventLog | XmlWinEventLog:Security

Source: GitHub | Version: 2