Regional Spike in Medusa Ransomware

ⓘ We are reaching out to let you know there has been a sharp rise in Vadir infostealer infections globally, posing a growing threat to your data.
Advisory Overview


Advisory Type Technical
Author Etienne Bowleg
Date 16 September 2025

We have observed an increase in ransomware attacks in our region attributed to the Medusa group, one of the most active and aggressive ransomware campaigns currently in operation. Medusa employs a double-extortion technique, where data is both encrypted (data encryption) and exfiltrated (data theft) to pressure victims into making ransom payments The group commonly leverages phishing emails, malicious links, and exploitation of unpatched software, operating systems, and firmware to compromise systems. In some cases, they have also abused Remote Management and Monitoring (RMM) software, taking advantage of known vulnerabilities to gain unauthorized access.

Medusa primarily targets critical infrastructure and SMEs (Small and Medium-sized Enterprises) and in healthcare, insurance, education, and manufacturing. Ransoms are usually demanded in cryptocurrency to evade tracking by investigators.

What’s Happening


Affected Systems
  • Primarily affects Windows systems, though other operating systems may be at risk if vulnerable software or misconfigurations are present.
  • Outdated or unpatched RMM software such as SimpleHelp, ScreenConnect, PDQ Deploy, Atera, AnyDesk and eHorus.
What this Means The Medusa group can gain access to systems by exploiting vulnerabilities in commonly used Remote Management and Monitoring (RMM) tools. Users and administrators should exercise caution with unexpected or suspicious emails and links, as this group frequently relies on phishing campaigns and malicious links to deliver ransomware.
What to Look For


Signs You May Be at Risk
  • If any devices in your system are running outdated software, firmware or if the operating system is not up to date, then you are at risk of your system being targeted and exploited. Some SME’s are at a higher risk than others. If any of your systems use RMM software, you have an increased risk of being targeted.
Signs You May Be Affected
  • Processes and services unexpectedly terminate or stop.
  • The boot manager file (bootmgr) file has been renamed.
  • Suspicious logins or unauthorized access to systems may be observed.
  • Suspicious emails may contain keywords such as “medusa” or “mds” in the sender address.
  • Files encrypted with “meduza51” or “medusa” file extension.
  • If you identitify any of the following files on your systems:
          1. !!!READ_MEMEDUSA!!!
          2. .txt openrdp.bat
          3. pu.exe
What to Do


Prevention
  • Update systems regularly and make sure to use the latest patches available for your operating system, software and firmware.
  • Implement strict MFA to prevent unauthorized access to services.
  • Disable non-essential command-line access.
  • Develop and establish a robust incident response plan to allow your organization to respond promptly and efficiently to ransomware attacks.
  • Educate employees on secure and efficient computer and email use.
  • Improve email security.
Mitigation
  • Implement network segmentation to restrict lateral movement and impact of the breach.
  • Implement strict MFA to prevent unauthorized access to services.
  • Keep offline backups of critical data, this will enable a more efficient recovery and limit data loss and downtime.
  • Utilize a zero-trust architecture to minimize unauthorized access.
  • Only allow employees to access your system remotely if they are using a VPN with MFA.
  • Contact CIRT-BS for assistance.
Official Information


Should you require additional information or further support, submit a report on our website or contact us at [email protected].

 

Scroll to Top
Skip to content