medusa

517 tracked victims

·first seen 2023-01-11·last activity 2026-02-13

Group profile

Medusa is a ransomware-as-a-service operation active since June 2021 that has targeted over 300 victims across critical infrastructure sectors including healthcare, education, legal, and manufacturing using double-extortion, with attacks surging 42% between 2023 and 2024 and a formal CISA advisory issued in early 2025.

MITRE ATT&CK TTPs

TA0001

Initial Access

T1078Valid Accounts
Initial access through brute force or compromised credentials of legitimate RDP accounts.
T1133External Remote Services
Accesses the victim's network via an RDP service.
T1566Phishing
Initial access through phishing email attachments.

TA0002

Execution

T1047Windows Management Instrumentation
Uses a series of Windows commands, such as bcdedit.exe and vssadmin.
T1059Command and Scripting Interpreter
Uses a series of Windows commands, such as bcdedit.exe and vssadmin.

TA0005

Defense Evasion

T1562Impair Defenses
Employs Windows Management Instrumentation (WMIC) command-line to delete shadow copies.
T1562.001Disable or Modify Tools
Terminates services or processes related to antivirus/security tools.
T1562.009Safe Mode Boot
Abuses Safe Mode to evade endpoint detection.

TA0006

Credential Access

T1110Brute Force
Uses brute force on local RDP account passwords.

TA0007

Discovery

T1083File and Directory Discovery
Queries specified files, folders, and file extensions.
T1135Network Share Discovery
Enumerates network shares.

TA0008

Lateral Movement

T1021Remote Services
Uses remote services for login and lateral movement via RDP and SMB.

TA0010

Exfiltration

T1045Exfiltration Over C2 Channel
Transfers data to attacker-controlled servers via an existing command-and-control (C2) channel.
T1048Exfiltration Over Alternative Protocol
Exfiltrates data using alternative protocols, such as FTP/SFTP, to avoid detection by traditional methods.
T1567Exfiltration Over Web Service
Exfiltrates data using web services like cloud services (e.g., Google Drive, Dropbox, etc.).

TA0011

Command and Control

T1105Ingress Tool Transfer
Uses certutil to download malicious files.

TA0040

Impact

T1486Data Encrypted for Impact
Uses the AES-256 algorithm to encrypt files on the computer.
T1489Service Stop
Terminates processes and services related to database servers, email servers, and backups.
T1490Inhibit System Recovery
Deletes shadow copies and disables the Windows System Restore feature.

Recent victims

showing 50 of 517

Date	Website / victim	Sector	Country
2026-01-29	Balloons Everywhereballoons.com	Consumer Services	US
2026-01-29	South Hays Fire Departmentsouthhaysfire.com	Public Sector	US
2026-02-02	Comune di Battipagliabattipaglia.sa.it	Public Sector	IT
2026-02-08	Grandview Family Medicinegrandviewfamilymedicine.com	Healthcare	US
2026-02-13	MESA Productsmesaproducts.com	Manufacturing	US
2026-01-04	Resource Corporation of Americaresourcecorp.com	Healthcare	US
2025-12-23	J JBS	Healthcare	US
2025-12-13	Thunder Bay Counsellingthunderbaycounselling.ca	Public Sector	CA
2025-12-13	S Sampoerna Agro	Agriculture and Food Production	ID
2025-12-13	Shamrock Technologiesshamrocktechnologies.com	Technology	US
2025-12-17	Callipo Groupcallipogroup.it	Agriculture and Food Production	IT
2025-11-24	Universidade Municipal de São Caetanouscs.edu.br	Education	BR
2025-11-24	WR Comercialwrcomercial.com.br	Business Services	BR
2025-11-28	Concord Academyconcordacademy.org	Education	US
2025-11-17	General Distributinggeneraldistributingcompany.com	Transportation/Logistics	US
2025-11-17	FDC Interiorsfdc-interiors.com	Construction	AE
2025-11-17	MFE Formwork Technologymfeformwork.com	Construction	SG
2025-11-17	Nationwide Legal LLCnationwidelegal.com	Business Services	US
2025-11-08	Atrium Living Centersatriumlivingcenters.com	Healthcare	US
2025-10-28	Simon Property Groupsimon.com	Financial Services	US
2025-10-29	C Clackamas Community College	Education	US
2025-11-05	L LaRosa’s Pizzeria	Hospitality and Tourism	US
2025-11-05	Oscars Grouposcarsgroup.com.au	Hospitality and Tourism	AU
2025-11-06	PT Kalimantan Prima Persadapamapersada.com	Energy	ID
2025-10-22	Adore Children and Family Servicesadorechildren.org	Healthcare	US
2025-10-22	ATIRGatirg.fr	Healthcare	FR
2025-10-22	Cooperativa Esercenti Farmacia Scrlcef.it	Healthcare	IT
2025-10-22	Alissa Groupalissa-group.com	Agriculture and Food Production	SA
2025-10-19	Imagicleimagicle.com	Technology	IT
2025-10-19	Linxx Global Solutionslinxxglobal.com	Business Services	US
2025-10-19	DALCANSdalcans.fr	Consumer Services	FR
2025-10-09	L Leprohon (Image !)	Construction
2025-10-12	LA VOIE EXPRESSlavoiexpress.ma	Transportation/Logistics	MA
2025-10-12	Design To Printprintdaddy.com	Business Services	US
2025-10-12	EcoPetróleoecopetroleo.do	Energy	BR
2025-10-13	Cemtrexcemtrex.com	Manufacturing	US
2025-10-07	Lux Actuaries & Consultantsluxactuaries.com	Financial Services	AE
2025-09-23	CCMCccmcnet.com	Business Services	US
2025-09-26	Comcastcomcast.com	Telecommunication	US
2025-09-26	Organonorganon.com	Healthcare	US
2025-09-26	Insightin Healthinsightinhealth.com	Healthcare	US
2025-09-27	Future Generalifuturegenerali.in	Financial Services	IN
2025-10-03	Leprohonleprohon.com	Construction	CA
2025-10-03	L LGB	Manufacturing	GB
2025-09-08	Cariricariri.com	Education	TT
2025-09-06	Rad-Solutions, LLCradsolutionsllc.com	Manufacturing	US
2025-09-01	Levellevel.com	Financial Services	US
2025-09-01	TEAM GROUPteamgroup.co.th	Construction	TH
2025-08-26	Aldagialdagi.ge	Financial Services	GE
2025-08-17	Expert E-commerce GmbHexpert.de	Technology	DE