Medusa Group

Active

Also known as: Medusa Group

🌍

Other

Active Since

2025

MITRE ID

G1051

Techniques

[Medusa Group](https://attack.mitre.org/groups/G1051) has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates that certain attacks may still be conducted directly by the ransomware’s core developers. Public sources have also referred to the group as “Spearwing” or “Medusa Actors.” (Citation: CISA Medusa Group Medusa Ransomware March 2025) (Citation: Broadcom Medusa Ransomware Medusa Group March 2025) [Medusa Group](https://attack.mitre.org/groups/G1051) employs living-off-the-land techniques, frequently leveraging publicly available tools and common remote management software to conduct operations. The group engages in double extortion tactics, exfiltrating data prior to encryption and threatening to publish stolen information if ransom demands are not met. (Citation: Security Scorecard Medusa Ransomware January 2024) For initial access, [Medusa Group](https://attack.mitre.org/groups/G1051) has exploited publicly known vulnerabilities, conducted phishing campaigns, and used credentials or access purchased from Initial Access Brokers (IABs). The group is opportunistic and has targeted a wide range of sectors globally. (Citation: Intel471 Medusa Ransomware May 2025)

MITRE ATT&CK Techniques

Recon0

Resource6

T1650Acquire Access

T1585.002Email Accounts

T1585.001Social Media Accounts

T1588.002Tool

T1608.002Upload Tool

T1583.006Web Services

Initial1

T1190Exploit Public-Facing Application

Exec7

T1559.001Component Object Model

T1106Native API

T1059.001PowerShell

T1569.002Service Execution

T1072Software Deployment Tools

T1059.003Windows Command Shell

T1047Windows Management Instrumentation

Persist3

T1136.002Domain Account

T1505.003Web Shell

T1543.003Windows Service

PrivEsc1

T1548.002Bypass User Account Control

Defense12

T1070.003Clear Command History

T1553.002Code Signing

T1027.010Command Obfuscation

T1562.004Disable or Modify System Firewall

T1562.001Disable or Modify Tools

T1070.004File Deletion

T1564.003Hidden Window

T1562.003Impair Command History Logging

+4 more

Creds2

T1003.001LSASS Memory

T1003.003NTDS

Discovery12

T1652Device Driver Discovery

T1069.002Domain Groups

T1083File and Directory Discovery

T1087.001Local Account

T1046Network Service Discovery

T1135Network Share Discovery

T1057Process Discovery

T1018Remote System Discovery

+4 more

Lateral2

T1570Lateral Tool Transfer

T1021.001Remote Desktop Protocol

Collect0

C25

T1573.002Asymmetric Cryptography

T1105Ingress Tool Transfer

T1090.003Multi-hop Proxy

T1219Remote Access Tools

T1071.001Web Protocols

Exfil1

T1567.002Exfiltration to Cloud Storage

Impact5

T1486Data Encrypted for Impact

T1657Financial Theft

T1490Inhibit System Recovery

T1489Service Stop

T1529System Shutdown/Reboot

Known Victims

live · just now

No victims recorded in ransomware.live for this group.