
Medusa Group

[Medusa Group](https://attack.mitre.org/groups/G1051) has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates that certain attacks may still be conducted directly by the ransomware’s core developers. Public sources have also referred to the group as “Spearwing” or “Medusa Actors.” (Citation: CISA Medusa Group Medusa Ransomware March 2025) (Citation: Broadcom Medusa Ransomware Medusa Group March 2025) [Medusa Group](https://attack.mitre.org/groups/G1051) employs living-o...

Techniques: 60 | Covered: 56 | Gaps: 4 | Coverage: 93% (56/60)

COVERED (56)

| Technique ID | Technique name | Detections |
|---|---|---|
| T1003.001 | LSASS Memory | 111 |
| T1003.003 | NTDS | 36 |
| T1016 | System Network Configuration Discovery | 39 |
| T1018 | Remote System Discovery | 50 |
| T1021.001 | Remote Desktop Protocol | 53 |
| T1027.002 | Software Packing | 1 |
| T1027.010 | Command Obfuscation | 38 |
| T1033 | System Owner/User Discovery | 61 |
| T1046 | Network Service Discovery | 51 |
| T1047 | Windows Management Instrumentation | 87 |
| T1057 | Process Discovery | 20 |
| T1059.001 | PowerShell | 368 |
| T1059.003 | Windows Command Shell | 82 |
| T1069.002 | Domain Groups | 44 |
| T1070.003 | Clear Command History | 15 |
| T1070.004 | File Deletion | 42 |
| T1071.001 | Web Protocols | 80 |
| T1072 | Software Deployment Tools | 13 |
| T1078 | Valid Accounts | 280 |
| T1082 | System Information Discovery | 86 |
| T1083 | File and Directory Discovery | 48 |
| T1087.001 | Local Account | 33 |
| T1090.003 | Multi-hop Proxy | 9 |
| T1105 | Ingress Tool Transfer | 183 |
| T1106 | Native API | 29 |
| T1112 | Modify Registry | 203 |
| T1135 | Network Share Discovery | 20 |
| T1136.002 | Domain Account | 11 |
| T1190 | Exploit Public-Facing Application | 216 |
| T1218.014 | MMC | 12 |
| T1219 | Remote Access Tools | 40 |
| T1486 | Data Encrypted for Impact | 360 |
| T1489 | Service Stop | 57 |
| T1490 | Inhibit System Recovery | 59 |
| T1505.003 | Web Shell | 63 |
| T1518.001 | Security Software Discovery | 10 |
| T1529 | System Shutdown/Reboot | 18 |
| T1543.003 | Windows Service | 79 |
| T1548.002 | Bypass User Account Control | 84 |
| T1553.002 | Code Signing | 3 |
| T1559.001 | Component Object Model | 17 |
| T1562.001 | Disable or Modify Tools | 311 |
| T1562.003 | Impair Command History Logging | 3 |
| T1562.004 | Disable or Modify System Firewall | 48 |
| T1564.003 | Hidden Window | 11 |
| T1567.002 | Exfiltration to Cloud Storage | 29 |
| T1569.002 | Service Execution | 64 |
| T1570 | Lateral Tool Transfer | 22 |
| T1573.002 | Asymmetric Cryptography | 6 |
| T1583.006 | Web Services | 1 |
| T1588.002 | Tool | 13 |
| T1608.002 | Upload Tool | 1 |
| T1657 | Financial Theft | 14 |
| T1685 | Disable or Modify Tools | 278 |
| T1686 | Disable or Modify System Firewall | 19 |
| T1690 | Prevent Command History Logging | 3 |