Medusa Ransomware: Indicators of Compromise, Victims & Defense

fingerprintDossier

Active since: June 2021
Origin / attribution: Unclear, Russian-speaking affiliates
Known aliases: MedusaLocker (unrelated), Medusa Blog
Common initial access: Initial-access brokers, Fortinet and Citrix n-days, phishing
TTPs & tradecraft: Public victim-naming auctions, ESXi-capable encryptor, PsExec/Mimikatz.
Notes: CISA AA25-071A published in 2025 with detection hunts.

publicTop countries hit

United States256

United Kingdom37

Canada36

Italy14

Australia13

Brazil11

France9

India8

factoryTop sectors targeted

Business Services62

Not Found59

Healthcare43

Manufacturing35

Technology32

Government17

Agriculture and Food Production16

Education16

historyRecent named victims

Balloons Everywhere

US · Consumer Services · 14 Feb 2026

South Hays Fire Department

US · Public Sector · 14 Feb 2026

Comune di Battipaglia

IT · Public Sector · 14 Feb 2026

Grandview Family Medicine

US · Healthcare · 14 Feb 2026

MESA Products

US · Manufacturing · 14 Feb 2026

Resource Corporation of America

US · Not Found · 04 Jan 2026

JBS

US · Healthcare · 28 Dec 2025

Thunder Bay Counselling

CA · Public Sector · 19 Dec 2025

Sampoerna Agro

ID · Agriculture and Food Production · 19 Dec 2025

Shamrock Technologies

US · Technology · 19 Dec 2025

Callipo Group

IT · Agriculture and Food Production · 19 Dec 2025

Universidade Municipal de São Caetano

BR · Education · 30 Nov 2025

WR Comercial

BR · Not Found · 30 Nov 2025

Concord Academy

US · Education · 30 Nov 2025

General Distributing

Transportation/Logistics · 21 Nov 2025

Sourced from open leak-site monitoring · Generated 20 Apr 2026

shield_lockMedusa defense checklist

check_circleEnforce phishing-resistant MFA on every VPN, remote desktop, email, and SaaS admin account.

check_circlePatch perimeter gear (VPN, firewall, file-transfer, hypervisor) within 72 hours of vendor advisories.

check_circleSegment ESXi management from domain accounts; disable vSphere SSH unless in use.

check_circleTier admin credentials — no shared local-admin, rotate break-glass accounts monthly.

check_circleDeploy EDR across servers & DCs; alert on Rclone, WinSCP, MegaCmd, and suspicious PowerShell.

check_circleImmutable, offline backups tested quarterly with measured RTO/RPO.

check_circleBlock outbound on unused ports; restrict egress to vetted CDNs and update servers.

check_circleHunt for dropped vulnerable drivers used to kill EDR (BYOVD patterns).

check_circleRun an annual tabletop modelled on Medusa's latest playbook.

check_circleHave an IR retainer identified before you need it.

Worried Medusa will land on you?

We run focused VAPT, ransomware-readiness reviews, and purple-team exercises tuned to the playbook this crew actually uses.

Book a scope call