The Medusa ransomware group is a rising threat actor in the 2025 ransomware ecosystem. Businesses that fall victim to Medusa ransomware are typically pressured into paying ransoms via double extortion techniques, where the group threatens to publicly release sensitive data and ruin their reputations.
Medusa ransomware tools are offered to affiliates, increasing the volume of attacks through a Ransomware-as-a-Service (RaaS) business model. This highlights the need for robust security postures with specific controls for preventing and removing ransomware.
The rise of the Medusa group is set against a historic ransomware surge in Q1 of 2025.
This surge comes despite high-profile law enforcement operations in 2024 that disrupted the major ransomware players LockBit and ALPHV. The resulting fragmentation has allowed other ransomware variants and newly formed groups to fill the void left in the RaaS marketplace.
Compared with Cl0p, which remains the most active group in the RaaS marketplace, Medusa is not the biggest player in the industry, but its activities have nonetheless caught the attention of US law enforcement.
The advisory includes a description of the group’s:
Medusa is a RaaS variant that has grown significantly, claiming hundreds of victims and ranking among the top ten ransomware actors since 2023. Originally a closed ransomware variant (with all operations handled by the Medusa ransomware group alone), it has since developed an affiliate model that allows others to launch attacks.
The central Medusa ransomware group, however, still handles ransom negotiations.
The specific location of the Medusa ransomware group is unknown, but evidence suggests it operates out of Russia or one of its allied states. This assessment rests on the group's avoidance of targets within Russia and the Commonwealth of Independent States, and on its activity on Russian-language dark web forums such as RAMP.
There is also intelligence linking Medusa to “Frozen Spider,” an eCrime group active in broader cybercrime-as-a-service networks. Although details are unclear, Frozen Spider uses Medusa ransomware for big game hunting, targeting larger organizations in pursuit of higher ransoms.
The Medusa ransomware group hits a variety of industries, often targeting critical infrastructure used in healthcare, education, technology, manufacturing, legal, and government organizations.
They often go after profitable small and medium-sized enterprises (SMEs) in industries that:
Targeting these organizations increases the group's chances of getting paid, as victims scramble to resume normal operations and protect their data. Medusa victims have been reported in over 45 countries, including the United States, Canada, Australia, Germany, Italy, and the UK.
Unlike many other ransomware groups, Medusa is known for using public channels with a:
These properties are allegedly run by users under the pseudonyms “Robert Vroofdown” and “Robert Enaber.”
Through these public channels, the Medusa ransomware group aims to publicly pressure its victims into paying ransoms, while also building its reputation and presence in the RaaS marketplace by showcasing its capabilities and accomplishments.
The Medusa ransomware group also launched its own data leak site in 2023 known as the Medusa Blog.
The group publishes sensitive information on the site when victims refuse to pay ransoms. The data leak site is hosted on the dark web alongside Medusa's TOR links and forums.
The Medusa ransomware group's primary goal appears to be financial gain.
To achieve this, the group uses a double extortion model in which data is both encrypted and exfiltrated. This lets the group open ransom negotiations with large demands, since it not only disrupts operations but also threatens to publicly release the victim's sensitive data.
To infiltrate corporate systems, Medusa typically pays Initial Access Brokers (IABs) for user credentials and other sensitive data that enable access. These brokers use credential stuffing, phishing, and other techniques to gather their datasets before advertising them on cybercrime marketplaces.
IABs accelerate Medusa's ransomware attacks, allowing the group to focus on encrypting and exfiltrating data and negotiating ransoms rather than gaining initial access to networks. However, the Medusa ransomware group also conducts its own phishing campaigns and exploits vulnerabilities in public-facing systems to gain network access directly.
Common Medusa ransomware tactics during an attack include:
Protecting your business network against Medusa ransomware threats requires a range of security controls and best practices.
Methods promoted in the recent Medusa advisory include:
Implementing these methods and protecting your business against Medusa ransomware in 2025 and beyond calls for a dedicated solution. Harmony Endpoint from Check Point offers comprehensive anti-ransomware protection against the most sophisticated attacks. The solution provides:
All this comes in a single, cost-effective product that can be tailored to meet your security and compliance needs.
Find out how Harmony Endpoint mitigates the risk posed by the top ransomware groups and most advanced threats by booking a demo today.