Medusa ransomware sees a rise in activities (23rd March 2023)

Ref# AL2023_22 | Date: Mar 23rd 2023

Description 

The ransomware operation known as Medusa has stepped up its activity recently, targeting mostly corporate victims worldwide and demanding ransoms in the millions of dollars.

Details 

Medusa is a ransomware operation that launched in June 2021. It reaches victims through infected email attachments, compromised or malicious websites and malicious advertisements. The encryptor uses AES-256 combined with RSA-2048, implemented through the Windows BCrypt library, to encrypt files. Encrypted files receive the static extension .MEDUSA, and a ransom note named !!!READ_ME_MEDUSA!!!.txt is dropped in each folder once its contents have been encrypted. This family should not be confused with other malware that carries the same name: the Mirai-based Medusa botnet (which also has ransomware capabilities), the Medusa Android malware, or the widely known MedusaLocker ransomware.
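The two file-level indicators above (the .MEDUSA extension and the !!!READ_ME_MEDUSA!!!.txt note) are enough for a first triage sweep of a suspect host or share. The script below is an added example written for this alert, not tooling from the alert's authors or any vendor; the sample directory tree it builds is constructed in a temporary directory with placeholder contents so it runs offline. It reports encrypted files, ransom notes, and, as a practitioner would want, folders that already hold encrypted files but no note yet, which can indicate encryption was still in progress when the host was isolated.

```python
"""Sweep a directory tree for the Medusa file-level indicators named in the alert.

Added example, not part of the alert or of any vendor tooling.
Assumptions: the ".MEDUSA" extension and "!!!READ_ME_MEDUSA!!!.txt" note name
come from the alert; the sample tree below is constructed and contains
placeholder bytes, not real ciphertext.
"""
import os
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".MEDUSA"                 # static extension per the alert
RANSOM_NOTE = "!!!READ_ME_MEDUSA!!!.txt"  # note name per the alert


@dataclass
class SweepResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    # Folders holding encrypted files but no note: the alert says the note is
    # dropped per folder after encryption, so these may have been interrupted.
    folders_missing_note: list = field(default_factory=list)

    @property
    def hit(self) -> bool:
        return bool(self.encrypted_files or self.ransom_notes)


def sweep(root: str) -> SweepResult:
    """Walk `root` and collect Medusa indicators."""
    result = SweepResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        has_encrypted = False
        has_note = False
        for name in filenames:
            path = os.path.join(dirpath, name)
            # Compare case-insensitively: NTFS preserves case but does not enforce it.
            if name.upper().endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(path)
                has_encrypted = True
            elif name == RANSOM_NOTE:
                result.ransom_notes.append(path)
                has_note = True
        if has_encrypted and not has_note:
            result.folders_missing_note.append(dirpath)
    return result


def build_sample_tree(root: str) -> None:
    """Constructed sample: one folder fully processed (files + note), one where
    files are renamed but no note was dropped, and one untouched folder."""
    layout = {
        "finance": ["q1.xlsx.MEDUSA", "budget.docx.MEDUSA", RANSOM_NOTE],
        "hr/records": ["payroll.pdf.MEDUSA"],      # note not (yet) dropped
        "public": ["readme.txt", "logo.png"],       # clean
    }
    for folder, names in layout.items():
        d = os.path.join(root, folder)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"placeholder")


def demo() -> SweepResult:
    """Build the constructed tree in a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sweep(tmp)


if __name__ == "__main__":
    r = demo()
    print(f"encrypted files: {len(r.encrypted_files)}")
    print(f"ransom notes:    {len(r.ransom_notes)}")
    for d in r.folders_missing_note:
        print(f"encrypted files but no note: {d}")
```

Run `sweep()` against a mounted, read-only image or a network share path rather than the live host where possible; a sweep over a host that is still encrypting will itself be competing with the encryptor for disk access.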

Medusa is an entirely separate operation from MedusaLocker. MedusaLocker was released in 2019 as a Ransomware-as-a-Service with many affiliates, uses a variety of extensions for encrypted files, and drops a ransom note named How_to_back_files.html. The Medusa Windows encryptor, by contrast, accepts command-line options that let the operator control how files are encrypted on a device. Some of these options are:

Option   Description
-V       Get version
-d       Do not delete self
-f       Exclude system folder
-i       In path
-k       Key file path
-n       Use network
-p       Do not preprocess (preprocess = kill services and shadow copies)
-s       Exclude system drive
-t       Note file path
-v       Show console window
-w       Initial run powershell path (powershell -executionpolicy bypass -File %s)

If the encryptor is run without any options, it performs its default automated routine. Medusa terminates over 280 Windows services and processes that could keep files open and block encryption (including mail servers, database servers, backup servers and security software) and deletes all Windows Volume Shadow Copies so that files cannot be recovered from them.
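That pre-encryption "preprocess" stage (mass service termination, shadow copy deletion) and the -w option's PowerShell launch (`powershell -executionpolicy bypass -File`) are observable in process-creation telemetry before any file is renamed, which is where a detection buys the most time. The script below is an added example for this alert, not a rule from the alert's authors or any vendor. Assumptions: the event records mimic the Sysmon Event ID 1 fields (command line, process and parent process ID) but are constructed; the shadow-copy and service-stop command lines are the common Windows ways of doing those things, not commands the alert attributes to Medusa. Single service stops are treated as benign and only a burst from one parent process is flagged, so a routine administrative `net stop` does not alert.

```python
"""Flag process-creation events matching the pre-encryption behaviour described
in the alert: shadow copy deletion, mass service stops, and PowerShell launched
with "-executionpolicy bypass -File".

Added example, not part of the alert or any vendor product. The event shape and
all sample events are constructed; the specific command lines are common
Windows commands, not ones the alert attributes to Medusa.
"""
import re
from collections import defaultdict

# Single-event rules, matched case-insensitively over the full command line.
RULES = {
    "shadow_copy_delete": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|Win32_ShadowCopy.*\.Delete\(\)", re.I),
    # The alert's -w option: powershell -executionpolicy bypass -File <path>
    "powershell_bypass_file": re.compile(
        r"powershell(\.exe)?\b.*-executionpolicy\s+bypass\b.*-file\b", re.I),
}

# Service/process stops are benign one at a time; alert on a burst per parent.
SERVICE_STOP = re.compile(
    r"\b(net1?(\.exe)?\s+stop\s+|sc(\.exe)?\s+stop\s+"
    r"|taskkill(\.exe)?\s+.*(/im|/pid)\s+)", re.I)
SERVICE_STOP_THRESHOLD = 5


def detect(events):
    """Return a list of (rule_name, detail) hits.

    Each event is a dict with keys ts, pid, ppid, image, cmdline.
    """
    hits = []
    stops_by_parent = defaultdict(list)
    for ev in events:
        cmd = ev["cmdline"]
        for rule, rx in RULES.items():
            if rx.search(cmd):
                hits.append((rule, ev))
        if SERVICE_STOP.search(cmd):
            stops_by_parent[ev["ppid"]].append(ev)
    for ppid, evs in stops_by_parent.items():
        if len(evs) >= SERVICE_STOP_THRESHOLD:
            hits.append(("mass_service_stop", {
                "ppid": ppid, "count": len(evs),
                "first": evs[0]["ts"], "last": evs[-1]["ts"]}))
    return hits


def _ev(ts, pid, ppid, image, cmdline):
    return {"ts": ts, "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed sample telemetry: one suspect parent (ppid 3980) and benign noise.
SYS32 = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    _ev("2023-03-23T01:10:02", 4120, 3980, SYS32 + r"\vssadmin.exe",
        "vssadmin.exe Delete Shadows /All /Quiet"),
    _ev("2023-03-23T01:10:03", 4124, 3980, SYS32 + r"\net.exe", "net stop MSSQLSERVER /y"),
    _ev("2023-03-23T01:10:03", 4126, 3980, SYS32 + r"\net.exe", "net stop SQLWriter /y"),
    _ev("2023-03-23T01:10:04", 4130, 3980, SYS32 + r"\net.exe", "net stop MSExchangeIS /y"),
    _ev("2023-03-23T01:10:04", 4133, 3980, SYS32 + r"\net.exe", "net stop VeeamBackupSvc /y"),
    _ev("2023-03-23T01:10:05", 4137, 3980, SYS32 + r"\net.exe", "net stop WinDefend /y"),
    _ev("2023-03-23T01:10:06", 4200, 3980, SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell.exe -executionpolicy bypass -File C:\Users\Public\run.ps1"),
    # Benign: an administrator restarting the print spooler from a different parent.
    _ev("2023-03-23T01:12:40", 5000, 700, SYS32 + r"\net.exe", "net stop Spooler"),
    # Benign: interactive PowerShell without the bypass/-File combination.
    _ev("2023-03-23T01:13:01", 5010, 700, SYS32 + r"\WindowsPowerShell\v1.0\powershell.exe",
        'powershell.exe -NoProfile -Command "Get-Service"'),
]


def demo():
    """Run the detector over the constructed sample."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, detail in demo():
        print(rule, detail)
```

The burst threshold and the parent-process grouping are the tuning knobs: real deployments should key the grouping on a process GUID rather than a reusable PID, and the threshold should be set from a baseline of how many services legitimate maintenance scripts stop in one go.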

Medusa runs a data leak site called Medusa Blog as part of a double-extortion strategy: data stolen from victims who refuse to pay is published there. Before publishing, the threat actors offer victims several paid options, each at a different price, to extend the countdown before the leak, to have the data deleted, or to download all of the stolen data (the alert's accompanying image shows these options). The actors also operate a negotiation portal they call Secure Chat, through which victims can communicate with them.

Remediation 

To protect against ransomware attacks, practise proper cyber security hygiene when using the internet. Tips to consider:

1. Because most ransomware attacks are delivered through phishing and scams, users must know how to recognise phishing and scam emails.

2. Be wary of files downloaded from the internet. Download files only from verified sources and scan them before opening.

3. Be on the lookout for websites that may have been compromised to attempt drive-by downloads.

4. Maintain regular backups of critical systems and data so they can be restored after a ransomware attack. Keep at least one copy offline or otherwise unreachable from the network: the Medusa encryptor deletes Volume Shadow Copies and can encrypt reachable network locations, so on-host and online-only backups may be lost with the data.

5. Restrict administrative and system access to only those users who require those privileges.

6. Maintain and update all security software, including anti-virus, anti-malware, firewalls and endpoint protection.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
