
Medusa Ransomware

Medusa Ransomware has been utilized in attacks since at least 2021. Medusa Ransomware has been known to be utilized in conjunction with living-off-the-land techniques and remote management software. Medusa Ransomware has been used in campaigns associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Medusa Ransomware was initially a closed ransomware variant which later evolved into a Ransomware as a Service (RaaS). Medusa Ransomware has impacted victims from a diverse range of sectors within a multitude of countries, and it is assessed that Medusa Ransomware is used in an opportunistic manner.[1][2][3][4]

ID: S1244
Type: MALWARE
Version: 1.0
Created: 17 October 2025
Last Modified: 21 October 2025

Techniques Used

Domain  ID  Name  Use

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Medusa Ransomware has launched PowerShell scripts for execution and defense evasion.[3][2]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Medusa Ransomware has used cmd.exe to execute commands on an infected host.[3][2]

Enterprise T1543.003 Create or Modify System Process: Windows Service

Medusa Ransomware has created a new PowerShell process using the CreateProcessA API.[2]

Enterprise T1486 Data Encrypted for Impact

Medusa Ransomware has encrypted files using AES-256 encryption, appended the file extension ".medusa" to encrypted files, and left a ransom note named "!READ_ME_MEDUSA!!!.txt".[3][1][4][2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Medusa Ransomware has decoded XOR encrypted strings prior to execution in memory.[3][2]

Enterprise T1083 File and Directory Discovery

Medusa Ransomware has searched for files within the victim environment for encryption and exfiltration.[3][1][2] Medusa Ransomware has also identified files associated with remote management services.[3][1]

Enterprise T1564.003 Hide Artifacts: Hidden Window

Medusa Ransomware has utilized the ShowWindow function to hide the current window.[2]

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

Medusa Ransomware has terminated antivirus services utilizing the gaze.exe executable.[3] Medusa Ransomware has also terminated antivirus services utilizing PowerShell scripts.[3][2]

Enterprise T1070.004 Indicator Removal: File Deletion

Medusa Ransomware has the ability to delete itself after execution.[4] Medusa Ransomware also has the ability to delete itself after execution through the command cmd /c ping localhost -n 3 > nul & del.[3][2]

Enterprise T1490 Inhibit System Recovery

Medusa Ransomware has deleted recovery files such as shadow copies using vssadmin.exe.[3][1][4][2]

Enterprise T1559 Inter-Process Communication

Medusa Ransomware has leveraged the CreatePipe API to enable inter-process communication.[2]

Enterprise T1680 Local Storage Discovery

Medusa Ransomware has enumerated logical drives on infected hosts.[2]

Enterprise T1106 Native API

Medusa Ransomware has leveraged Windows Native API functions to execute payloads.[2]

Enterprise T1135 Network Share Discovery

Medusa Ransomware has identified networked drives.[3][4][2]

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

Medusa Ransomware has utilized XOR-encrypted strings.[3][2]

Enterprise T1057 Process Discovery

Medusa Ransomware has utilized an encoded list of the processes that it detects and terminates.[3][4][2]

Enterprise T1679 Selective Exclusion

Medusa Ransomware has avoided specified files, file extensions, and folders to ensure successful execution of the payload and continued operation of the impacted device.[3][4][2]

Enterprise T1489 Service Stop

Medusa Ransomware has the capability to terminate services related to backups, security, databases, communication, file sharing, and websites.[1][4][2] Medusa Ransomware has also utilized the taskkill /F /IM <process> /T command to stop targeted processes and the net stop <process> command to stop designated services.[4][2]

Enterprise T1518.001 Software Discovery: Security Software Discovery

Medusa Ransomware has the capability to detect security solutions for termination or deletion within the victim device using hard-coded lists of strings containing security product executables.[3]

Enterprise T1082 System Information Discovery

Medusa Ransomware has collected data from the SMBIOS firmware table using GetSystemFirmwareTable.[2]

Enterprise T1007 System Service Discovery

Medusa Ransomware has leveraged an encoded list of services that it designates for termination.[3][4][2]

Enterprise T1124 System Time Discovery

Medusa Ransomware has discovered device uptime through GetTickCount().[2]
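From a detection standpoint, the command lines documented in the table above (vssadmin shadow-copy deletion, the ping-then-del self-deletion chain, taskkill /F /IM ... /T and net stop) can be turned into process-creation rules. The following Python is an added example, not part of the ATT&CK entry or of any referenced report; the event schema, parent path and service names are constructed assumptions, and taskkill/net stop are treated as noisy and only alerted on as a burst from a single parent process.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns built from the Medusa Ransomware command lines documented in the table above.
RULES = {
    "inhibit_recovery.vssadmin_shadow_delete": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "indicator_removal.ping_then_del": re.compile(r"\bping\b.*\s-n\s+\d+.*>\s*nul\s*&\s*del\b", re.I),
    "service_stop.taskkill_force": re.compile(r"\btaskkill(?:\.exe)?\b(?=.*\s/F\b)(?=.*\s/IM\s)", re.I),
    "service_stop.net_stop": re.compile(r"\bnet(?:1)?(?:\.exe)?\s+stop\s+\S+", re.I),
}
# taskkill and net stop are routine admin actions; alert only on a burst from one parent process.
BURST_RULES = {"service_stop.taskkill_force", "service_stop.net_stop"}

def classify(cmdline):
    """Names of every rule whose pattern matches one process command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def detect(events, burst_threshold=3, window=timedelta(seconds=60)):
    """events: dicts with ts (ISO 8601), host, parent, cmd (process-creation telemetry, assumed schema).
    High-fidelity rules alert per event; burst rules alert once the same parent on a host trips them
    burst_threshold times inside the window. Returns a list of (host, rule, detail) tuples."""
    alerts, bursts = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        for rule in classify(ev["cmd"]):
            if rule not in BURST_RULES:
                alerts.append((ev["host"], rule, ev["cmd"]))
                continue
            key = (ev["host"], ev["parent"])
            bursts[key] = [t for t in bursts[key] if ts - t <= window] + [ts]
            if len(bursts[key]) == burst_threshold:  # fire once, when the threshold is reached
                alerts.append((ev["host"], "service_stop.burst",
                               f"{ev['parent']} issued {burst_threshold} stop/kill commands within {int(window.total_seconds())}s"))
    return alerts

# Constructed sample events (not real telemetry); parent path and service names are placeholders.
P = r"C:\Users\Public\update.exe"
SAMPLE_EVENTS = [
    {"ts": "2025-10-17T10:00:00", "host": "WS01", "parent": P, "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-10-17T10:00:02", "host": "WS01", "parent": P, "cmd": "net stop MSSQLSERVER"},
    {"ts": "2025-10-17T10:00:03", "host": "WS01", "parent": P, "cmd": "taskkill /F /IM sqlservr.exe /T"},
    {"ts": "2025-10-17T10:00:04", "host": "WS01", "parent": P, "cmd": "net stop Spooler"},
    {"ts": "2025-10-17T10:00:05", "host": "WS01", "parent": P, "cmd": r"cmd /c ping localhost -n 3 > nul & del " + P},
    {"ts": "2025-10-17T11:30:00", "host": "ADM01", "parent": r"C:\Windows\System32\mmc.exe", "cmd": "net stop Spooler"},
]

if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {detail}")
```

The lone net stop from mmc.exe on ADM01 produces no alert, while the same parent on WS01 issuing three stop/kill commands within a minute does.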

Groups That Use This Software

ID  Name  References

G1051 Medusa Group

Medusa Group has used Medusa Ransomware for ransomware activities.[3][1][4][2]

References
