
Response to CISA Advisory (AA25-071A): #StopRansomware: Medusa Ransomware – Source: securityboulevard.com


Source: securityboulevard.com – Author: Ayelen Torello

On March 12, 2025, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint Cybersecurity Advisory (CSA) to disseminate known Medusa ransomware IOCs and TTPs identified through FBI investigations as recently as February 2025.

This joint CSA is a continuation of CISA’s ongoing #StopRansomware effort to arm defenders with the intelligence they need to combat different ransomware variants and ransomware threat actors.

Medusa is a Ransomware-as-a-Service (RaaS) operation that has been active since June 2021 targeting Windows-based environments. At the time of writing, Medusa has impacted over 300 victims across multiple industries. Medusa should not be confused with MedusaLocker, another similarly named RaaS family active since mid-2019.

The ransomware spreads through the exploitation of vulnerable public-facing assets, unpatched applications, and the hijacking of legitimate accounts. Medusa operators often work with Initial Access Brokers (IABs) to gain a foothold in target networks.

To evade detection, Medusa employs Living-off-the-Land (LotL) techniques, abusing legitimate system tools for malicious activities. This allows the ransomware to blend in with normal network behavior, making identification and mitigation more difficult.

AttackIQ has previously released an attack graph emulating the behaviors exhibited by Medusa ransomware. AttackIQ has now released a new assessment template incorporating the latest Tactics, Techniques and Procedures (TTPs) described in CISA's Cybersecurity Advisory (CSA) to help customers validate their security controls and their ability to defend against this threat.

Validating your security program performance against these behaviors is vital in reducing risk. By using this new assessment template in the AttackIQ Security Optimization Platform, security teams will be able to:

  • Evaluate security control performance against the behaviors associated with the Medusa ransomware.
  • Assess their security posture against an opportunistic adversary.
  • Continuously validate detection and prevention pipelines against a playbook similar to those used by currently active ransomware groups.

This assessment template emulates the post-compromise Tactics, Techniques, and Procedures (TTPs) exhibited by Medusa ransomware affiliates during their latest activities.

The assessment template is divided into tactics, grouping the techniques and implementations used by affiliates at each stage of their activities.

Execution

Consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, such as exploring a network or stealing data.

Command and Scripting Interpreter: PowerShell (T1059.001): This scenario encodes the Get-Host PowerShell command as base64 (PowerShell expects the UTF-16LE bytes of the script) and executes it with powershell.exe -enc <payload> -noni -nop -w hidden -ep bypass, the same combination of non-interactive, no-profile, hidden-window and execution-policy-bypass switches seen in the advisory.

Persistence

Consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.

Create Account: Local Account (T1136.001): This scenario attempts to create a new local user on the system with the net user /add Windows command.

Scheduled Task/Job: Scheduled Task (T1053.005): This scenario attempts to create a new scheduled task for persistence using the schtasks utility.

Defense Evasion

Consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts.

Modify Registry (T1112): This scenario enables Restricted Admin mode for RDP by creating the DisableRestrictedAdmin value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa and setting it to 0. With the mode enabled, an RDP logon can be performed with an NTLM hash instead of a password, which is why the setting is attractive to an operator who has already dumped credentials.

Impair Defenses: Disable or Modify Tools (T1562.001): The registry value HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections is set to 0, which enables remote access to the system over Remote Desktop.

Impair Defenses: Disable or Modify System Firewall (T1562.004): Even when Remote Desktop is enabled, the local firewall may not allow it. Threat actors create new firewall rules to open ports for local and remote access using the netsh advfirewall utility. This scenario adds an inbound allow rule for local port 3389.

Credential Access

Consists of techniques used by adversaries to harvest credentials available on the compromised system.

OS Credential Dumping: LSASS Memory (T1003.001): This scenario dumps the memory of the Windows Local Security Authority Subsystem Service (LSASS) process to a Minidump file using Mimikatz. LSASS enforces the security policy on the system and holds the privileged tokens and cached credentials that threat actors target.

OS Credential Dumping (T1003): This scenario utilizes an obfuscated version of Mimikatz to dump passwords and hashes for Windows accounts.

Discovery

Consists of techniques that adversaries use to discover information related to the compromised environment.

System Network Configuration Discovery (T1016): This scenario executes the ipconfig /all command to retrieve information about all network adapters.

Network Share Discovery (T1135): This scenario executes the net share command to list all shares exported by the system.

System Network Configuration Discovery (T1016): This scenario attempts to collect information about the network resources mapped on the compromised asset using the Windows utility net use.

System Network Connections Discovery (T1049): This scenario uses the native Windows command line tool netstat to collect active connections and any listening services running on the host.

System Service Discovery (T1007): This scenario executes the sc query command to enumerate the running Windows services.

System Information Discovery (T1082): This scenario executes the systeminfo command to collect information about the compromised system.

System Information Discovery (T1082): This scenario executes the native ver command to discover the Windows version.

Remote System Discovery (T1018): This scenario executes nltest /dclist command to retrieve the list of domain controllers for the identified domain.

Account Manipulation (T1098): This scenario executes the net user guest /active:yes Windows command to enable the Guest account on the host.

Account Discovery: Domain Account (T1087.002): This scenario executes the net group command to list the members of the domain administrators group.

Account Manipulation (T1098): This scenario adds a local user to the local Remote Desktop Users group using the net localgroup command.

System Owner/User Discovery (T1033): This scenario executes a batch script with the query user and whoami commands to retrieve information about the users logged on to the system.

System Network Configuration Discovery: Internet Connection Discovery (T1016.001): This scenario executes the certutil utility to try to download a file from a website and save it to a temporary directory, confirming outbound Internet access.

Peripheral Device Discovery (T1120): This scenario leverages Windows Management Instrumentation (WMI) through the wmic printer get Caption, Name, DeviceID, DriverName, PortName /FORMAT:list command to identify printers configured on the host, including networked ones.

Device Driver Discovery (T1652): This scenario executes the driverquery Windows command to obtain details about device drivers, including their type and installation date.

Lateral Movement

Consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain access.

Remote Services: Remote Desktop Protocol (T1021.001): This scenario attempts to move laterally within the network over the Remote Desktop Protocol (RDP).

Impact

Consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes.

Inhibit System Recovery (T1490): This scenario executes the vssadmin.exe utility to delete a recent Volume Shadow Copy created by the assessment template.

Data Encrypted for Impact (T1486): This scenario performs the file encryption routines used by common ransomware families. Files matching an extension list are identified and encrypted in place using similar encryption algorithms as used by Medusa Ransomware.

Opportunities to Expand Emulation Capabilities

In addition to the released assessment template, AttackIQ recommends the following existing scenarios to extend the emulation of the capabilities exhibited in this advisory.

Add Local User to Local Group: This scenario adds a local user to the specified local group using the net localgroup command.

Open Ports Checker: This scenario performs a scan of the local network using nmap, searching for remotely accessible systems. It can be configured to use the same ports listed in the CISA advisory: 21, 22, 23, 80, 115, 443, 1443, 3050, 3228, 3306 and 3389.

Lateral Movement Through PAExec: This scenario simulates lateral movement within a network using PAExec, an open-source reimplementation of PsExec.

Domain Controller Remote System Discovery via PowerShell Script: This scenario executes the Get-ADComputer PowerShell cmdlet to list Active Directory computers, showing the name, hostname and installed operating system. The scenario should only be run on a domain controller.

Detection and Mitigation Opportunities

Given the number of different techniques being utilized by this threat, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in our scenarios before moving on to the remaining techniques.

1. Review CISA’s Patching and Detection Recommendations:

CISA has provided a significant number of recommendations for the best ways to defend yourself from these and similar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations with the goal of adapting them to your environment first to determine if you have any existing impact before reviewing the assessment results.

2. Inhibit System Recovery (T1490):

Adversaries often delete Volume Shadow Copies to prevent the possibility of restoring files back to their original state. This is a common technique used by ransomware as it prevents the recovery of files once the ransomware encryption routine successfully completes execution.

2a. Detection

Deleting Volume Shadow Copies is usually the first impact step to occur, and it can be detected from process creation command-line activity. The deletion is typically launched from cmd.exe or powershell.exe, but the command line itself belongs to vssadmin.exe, so match on that process as well, and match case-insensitively:

Process Name == (vssadmin.exe OR cmd.exe OR powershell.exe)
Command Line CONTAINS (“vssadmin” AND “delete shadows”)

2b. Mitigation

MITRE ATT&CK's mitigations for Inhibit System Recovery center on Data Backup (M1053): keep backups offline or otherwise out of reach of the account performing the encryption, and test that they restore.

3. OS Credential Dumping: LSASS Memory (T1003.001):

Adversaries may attempt to extract user and credential information from the Local Security Authority Subsystem Service (LSASS) process.

3a. Detection

comsvcs.dll cannot run on its own; its MiniDump export is invoked through rundll32.exe, so search for rundll32.exe launches whose command line references the DLL and the export (the target is usually given as the LSASS process ID, so do not rely on the string “lsass” appearing):

Process Name == rundll32.exe
Command Line CONTAINS (“comsvcs” AND “MiniDump”)

The scenario itself dumps LSASS with Mimikatz rather than comsvcs, which this command-line rule will not see. Pair it with a process-access detection such as Sysmon Event ID 10 where TargetImage ends in lsass.exe and the SourceImage is not a known, signed security product.
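The two detection rules in this section, together with the registry, firewall, account and scheduled-task changes from the Persistence and Defense Evasion scenarios above, as one added example (not AttackIQ's or CISA's code). Each rule pairs a process image pattern with a command-line pattern, the two fields a Sysmon Event ID 1 or Security 4688 record carries. The events at the bottom are constructed for illustration; their record IDs, paths, account names and the LSASS PID are made up. The Mimikatz-based dump in the T1003.001 scenario needs a process-access event and is deliberately outside what this command-line-only rule set can see.

```python
"""Process-creation detections for the behaviours in this assessment template.

Added example, not AttackIQ's or CISA's code. Rules are matched against the
Image and CommandLine fields of Sysmon Event ID 1 / Security 4688 records.
SAMPLE_EVENTS is constructed; nothing in it comes from a real incident.
"""
import re

# (technique, description, image regex, command-line regex); all case-insensitive.
RULES = [
    ("T1490", "Shadow copies deleted with vssadmin",
     r"\\vssadmin\.exe$", r"\bdelete\s+shadows\b"),
    ("T1003.001", "LSASS minidump through comsvcs.dll",
     r"\\rundll32\.exe$", r"comsvcs(\.dll)?\b.*\bminidump\b"),
    ("T1562.001", "RDP enabled by setting fDenyTSConnections to 0",
     r"\\reg\.exe$", r"fDenyTSConnections\b.*\s/d\s+0\b"),
    ("T1112", "Restricted Admin mode enabled (DisableRestrictedAdmin=0)",
     r"\\reg\.exe$", r"DisableRestrictedAdmin\b.*\s/d\s+0\b"),
    ("T1562.004", "Inbound firewall rule for port 3389",
     r"\\netsh\.exe$", r"advfirewall\s+firewall\s+add\s+rule\b.*localport\s*=\s*3389\b"),
    ("T1136.001", "Local account created with net user",
     r"\\net1?\.exe$", r"\buser\s+\S+(\s+\S+)?\s+/add\b"),
    ("T1098", "Guest account enabled",
     r"\\net1?\.exe$", r"\buser\s+guest\s+/active:yes\b"),
    ("T1098", "Account added to Remote Desktop Users",
     r"\\net1?\.exe$", r'localgroup\s+"?remote desktop users"?\s+\S+\s+/add\b'),
    ("T1053.005", "Scheduled task created with schtasks",
     r"\\schtasks\.exe$", r"\s/create\b"),
]
COMPILED = [(t, d, re.compile(i, re.I), re.compile(c, re.I)) for t, d, i, c in RULES]


def match_event(event):
    """Return the (technique, description) pairs one event triggers."""
    image, cmdline = event.get("Image", ""), event.get("CommandLine", "")
    return [(t, d) for t, d, img_re, cmd_re in COMPILED
            if img_re.search(image) and cmd_re.search(cmdline)]


def evaluate(events):
    """Map RecordId -> matched techniques, keeping only events that fired a rule."""
    hits = {}
    for event in events:
        techniques = [t for t, _ in match_event(event)]
        if techniques:
            hits[event["RecordId"]] = techniques
    return hits


def _ev(record_id, exe, cmdline):
    """Build a constructed event; every binary is assumed to live in System32."""
    return {"RecordId": record_id, "Image": "C:\\Windows\\System32\\" + exe, "CommandLine": cmdline}


SAMPLE_EVENTS = [
    _ev(1, "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    _ev(2, "vssadmin.exe", "vssadmin list shadows"),  # benign: listing, not deleting
    _ev(3, "rundll32.exe", r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Windows\Temp\lsass.dmp full"),
    _ev(4, "reg.exe", r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    _ev(5, "netsh.exe", 'netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=TCP localport=3389'),
    _ev(6, "net.exe", "net user svc_backup P@ssw0rd1 /add"),
    _ev(7, "net.exe", 'net localgroup "Remote Desktop Users" svc_backup /add'),
    _ev(8, "schtasks.exe", r"schtasks /create /sc onlogon /tn Updater /tr C:\Users\Public\u.exe /ru SYSTEM"),
    _ev(9, "reg.exe", r"reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f"),
    _ev(10, "net.exe", "net user guest /active:yes"),
    _ev(11, "reg.exe", r"reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin"),  # benign: read only
]


if __name__ == "__main__":
    for record_id, techniques in evaluate(SAMPLE_EVENTS).items():
        print(record_id, techniques)
```

The two benign records (a shadow copy listing and a registry read) fall through, which is the point of anchoring each rule on the modifying verb or the /d 0 data argument rather than on the binary name alone; net.exe in particular is far too common to alert on by itself.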

3b. Mitigation

MITRE ATT&CK's mitigations for LSASS Memory include Credential Access Protection (M1043), such as Windows Defender Credential Guard, and Privileged Process Integrity (M1025), such as running LSA as a protected process (RunAsPPL) so that user-mode tools cannot open LSASS with read access.

Wrap Up

In summary, this assessment template will evaluate security and incident response processes and support the improvement of your security control posture against the behaviors exhibited by Medusa ransomware. With data generated from continuous testing and the use of this assessment template, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.

AttackIQ, the leading provider of Adversarial Exposure Validation (AEV) solutions, is trusted by top organizations worldwide to validate security controls in real time. By emulating real-world adversary behavior, AttackIQ closes the gap between knowing about a vulnerability and understanding its true risk. AttackIQ’s AEV platform aligns with the Continuous Threat Exposure Management (CTEM) framework, enabling a structured, risk-based approach to ongoing security assessment and improvement. The company is committed to supporting its MSSP partners with a Flexible Preactive Partner Program that provides turn-key solutions, empowering them to elevate client security. AttackIQ is passionate about giving back to the cybersecurity community through its free award-winning AttackIQ Academy and founding research partnership with MITRE Center for Threat-Informed Defense.

Original Post URL: https://securityboulevard.com/2025/03/response-to-cisa-advisory-aa25-071a-stopransomware-medusa-ransomware/?utm_source=rss&utm_medium=rss&utm_campaign=response-to-cisa-advisory-aa25-071a-stopransomware-medusa-ransomware

Category & Tags: Security Bloggers Network, #StopRansomware, adversary emulation, Broad-Based Attacks, cisa, Medusa, Ransomware
