Black friday Up to 3 extra licenses FOR FREE + Special offer for TI LOOKUP Get it now
Webinar
February 26
Better SOC with Interactive Sandbox Practical Use Cases
Register now

Medusa Ransomware

97
Global rank
81 infographic chevron month
Month rank
90 infographic chevron week
Week rank
0
IOCs

Medusa is a ransomware malware family targeting businesses and institutions. Medusa encrypts crucial data, rendering it inaccessible, and attempts to pressure users to pay to regain control of their information. The group behind this malicious software hosts a TOR website where it shares the list of the organizations whose infrastructure has been compromised. This malware utilizes various tactics, including exploiting vulnerabilities and employs a unique file extension (".MEDUSA") to mark encrypted files.

Ransomware
Type
Unknown
Origin
1 June, 2021
First seen
24 September, 2025
Last seen

How to analyze Medusa Ransomware with ANY.RUN

Type
Unknown
Origin
1 June, 2021
First seen
24 September, 2025
Last seen

IOCs

Hashes
bae48fe24d140f4c1c118edbfaee4ab6446c173a0d0b849585a88db3f38f01b8
49da42d00cc3ad6379ead2e07fd5f09bd358b144a6e78aad4bb1a8298e2bb568
f86f2ce32f7051783c5cb01e5e5c6255d9956494b72a44b597025cc12a041060
6c7eda3f5e9bbc685b0eefde2a51f0ccb06ad33805e617876a5124410cac9945
a0fed305edfc9674c4f086c8479ffd48da5e4b7170dd71a3bcdf55dd981052ef
02f250a3df59dec575f26679ebd25de7c1d5b4d9d08016685f87a3628a393f92
d595339cbbf415eca195eb3a0d9a8b6c9ff82a0cf36e4e867f5cef24503bb532
2a5a7c51c843b81d6fba535314fbc20bcc84b36045b25f4116ab4f1b42ba4d77
a3fe92224060ec183a25296999c18d4f86149649f1a701ac91b04d73e8678495
ead965866e72def7759c08492f5ddc40fd5ec1c3c172361906aed09c936f582a
cabeaa5733003112be67c6c67e539378d400a03591b40a1db75c356c569a720a
eeec9b3cf89dee5c3ca0bdacf01f5689f6edbe2a7e9372db73ddd8d900be7a24
54b8ca90cd5c6b8053a612d2e8d99bf05f427b36e7fccc0f63427e1f386db186
104ffe0cc10413b8c3dd04fdc921f07c3cc55efba9a63ccdccf45e4012151c5f
dbac4f2fffcb4e09aad772895647e8f161b1ac713592fe47c5e8207c85722f13
1e2335fef46f7320069623fff6702acb41c2877aff5fec83d94a561af37c3c7a
d90573cdf776f60a91dc57e8c77dd61adbdaaf205de29faf26afd138c520f487
a9ce91a9a1bcbe2cd2ec023cdf2f302c8ac4f6bfe04e83a9c4edd1c47b53618e
add2850732c42683ee92ba555bbffb88bf5a4eee7c51e24f15a898f2d5aff66b
ed139beb506a17843c6f4b631afdf5a41ec93121da66d142b412333e628b9db8
Domains
asfsafsakjfkjsa.xyz
umxkexskgtctvws.cn
sock.asfsafsakjfkjsa.xyz
ueihtnoujbedjiu.ru
fpuacswjcgpcxoe.ru
Last Seen at
Last Seen at

Recent blog posts

post image
ANY.RUN Sandbox & Microsoft Sentinel: Les...
watchers 411
comments 0
post image
Fighting Telecom Cyberattacks: Investigating...
watchers 1808
comments 0
post image
Efficient SOC: How to Detect and Solve Incide...
watchers 912
comments 0

What is malware: Medusa Ransomware?

Medusa Ransomware is a type of malicious software employed by cybercriminals for extortion purposes. This tool is used in offensive campaigns that involve the encryption of critical data belonging to organizations, followed by a ransom demand for its decryption.

Medusa Ransomware first emerged in June 2021 and has since targeted various industries, including the education sector. In 2023 alone, it is reported to have affected over 70 organizations globally, operating under the Ransomware-as-a-Service (RaaS) business model.

The cybercriminals behind Medusa Ransomware maintain a dedicated TOR website where they publish information about their victims, accompanied by a countdown clock indicating the time left before the data is released.

To prevent data leaks, victims are typically presented with three options. They can extend the time limit, pay a fee to have their stolen data deleted, or opt to download the compromised data, essentially buying back their own information.

One notable incident involving Medusa Ransomware took place in 2023. The group successfully infiltrated Toyota's European division, demanding a substantial ransom of $8 million. When negotiations broke down, the attackers proceeded to release the stolen data on their dark web portal.

Get started today for free

Analyze malware and phishing in a fully-interactive sandbox

Create free account

Medusa ransomware malicious software technical details

One of the primary signs of a Medusa ransomware attack is the addition of the ".MEDUSA" extension to encrypted files. However, this malware has been known to use various other extensions such as .1btc, .mylock, and .key1.

The variety of file extensions linked to Medusa ransomware indicates the existence of several versions. The ransom notes can appear in either TXT or HTML format (in newer versions). The note contains a unique 32-character hash value used for communication with the attackers.

For the encryption process, Medusa utilizes the strong AES256 algorithm, making decryption without the proper key extremely challenging. Additionally, the key used for encryption is itself encrypted using an RSA public key, further securing the encrypted data.

Medusa often infiltrates systems by exploiting existing vulnerabilities. In the past, it has targeted weaknesses such as CVE-2022-2294 and CVE-2022-21999 to deliver its payload.

To maintain persistence on the infected system, Medusa copies an executable file, usually named "svhost.exe" or "svhostt.exe", to a specific directory within the user's profile. This executable is then scheduled to run at regular intervals, ensuring the continued operation of the ransomware.

Medusa targets and terminates processes associated with security software. By doing so, it aims to disable potential detection and data recovery mechanisms.

Another strategy employed by Medusa is the deletion of Volume Shadow Copies, a Windows feature that creates backups of files at specific points in time. By eliminating these copies, Medusa removes a potential recovery method for victims.

Medusa Ransomware execution process

Medusa Ransomware can be analyzed in the ANY.RUN sandbox. To do this, we can upload its sample to the service.

Medusa ransomware typically infiltrates a system through phishing emails or malicious downloads, exploiting vulnerabilities in outdated software or weak security measures. Once executed, it stealthily encrypts files using strong encryption algorithms, rendering them inaccessible to the user. Medusa then displays a ransom note, usually demanding payment in cryptocurrency, in exchange for a decryption key. The ransom note often includes instructions on how to make the payment and how to contact the attackers. Meanwhile, Medusa may also attempt to spread laterally across the network, infecting other connected devices. Finally, the attackers await payment confirmation before providing the decryption key, although there's no guarantee they will uphold their end of the bargain. As a common activity for ransomware, Medusa halts system services and deletes shadow volumes.

Medusa ransom note shown in ANY.RUN Medusa ransom note demonstrated in ANY.RUN

Medusa Ransomware malware distribution methods

Similar to other malware, such as AsyncRAT and Remcos, phishing is one of the primary distribution methods employed by Medusa ransomware operators. Attackers send deceptive emails to potential victims, often disguising themselves as legitimate organizations or individuals. These emails typically contain malicious attachments or links, which, when clicked or downloaded, initiate the ransomware installation process.

Conclusion

Medusa ransomware's ability to compromise sensitive data poses a threat to businesses and individuals. The consequences of a successful attack can be severe, ranging from financial losses due to ransom demands to reputational damage caused by leaked information. Prioritizing preventive measures, such as learning about the malware’s TTPs and collecting its indicators of compromise (IOCs) can prove invaluable for any organization’s security posture. ANY.RUN is an online sandbox that enables users to do just that.

This interactive sandbox environment allows users to safely explore potential malware and quickly receive detailed technical reports. By leveraging this service, users can collect important information for making decisions needed for safeguarding their systems from harm.

Create your ANY.RUN account – it’s free!

HAVE A LOOK AT

DarkVision screenshot
DarkVision
darkvision
DarkVision RAT is a low-cost, modular Remote Access Trojan that gives attackers remote control of infected Windows hosts. Initially observed around 2020 and sold in underground marketplaces, DarkVision has become notable for its full feature set (keylogging, screen capture, file theft, remote command execution and plugin support) and for being distributed via multi-stage loaders in recent campaigns.
Read More
LokiBot screenshot
LokiBot
lokibot loader trojan
LokiBot was developed in 2015 to steal information from a variety of applications. Despite the age, this malware is still rather popular among cybercriminals.
Read More
VanHelsing Ransomware screenshot
VanHelsing is a sophisticated ransomware strain that appeared in early 2025, operating via the Ransomware-as-a-Service (RaaS) model and targeting primarily USA and France. It threatens mostly Windows systems but has variants for Linux, BSD, ARM, and ESXi, making it a multi-platform malware. It is also notable for its advanced evasion techniques, double extortion tactics, and rapid evolution.
Read More
Sality screenshot
Sality
sality
Sality is a highly sophisticated malware known for infecting executable files and rapidly spreading across networks. It primarily creates a peer-to-peer botnet that is used for malicious activities such as spamming, data theft, and downloading additional malware. Sality has strong persistence mechanisms, including disabling security software, making it difficult to remove. Its ability to spread quickly and silently, along with its polymorphic nature, allows it to evade detection by traditional antivirus solutions.
Read More
Prometei screenshot
Prometei
prometei
Prometei is a modular botnet malware family that silently infiltrates systems, hijacking their resources for illicit Monero (XMR) mining. Active since at least 2016, it combines stealth, persistence, and lateral movement capabilities. Notable for its global reach and opportunistic infection strategy, it is also used for credential theft.
Read More
Tycoon 2FA screenshot
Tycoon 2FA
tycoon
Tycoon 2FA is a phishing-as-a-service (PhaaS) platform designed to bypass multi-factor authentication (MFA) protections, particularly targeting Microsoft 365 and Gmail accounts. Its advanced evasion techniques and modular architecture make it a significant threat to organizations relying on MFA for security.
Read More