Medusa Group
[Medusa Group](https://attack.mitre.org/groups/G1051) has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates that certain attacks may still be conducted directly by the ransomware’s core developers. Public sources have also referred to the group as “Spearwing” or “Medusa Actors.” (Citation: CISA Medusa Group Medusa Ransomware March 2025) (Citation: Broadcom Medusa Ransomware Medusa Group March 2025) [Medusa Group](https://attack.mitre.org/groups/G1051) employs living-o...
Detection coverage summary: 57 techniques attributed to this group, 52 covered by at least one mapped detection, 5 gaps (91% coverage). The gap list (5 techniques) is not included on this page; only the covered techniques are listed below.

Covered techniques (52), with the number of mapped detections per technique:
| Technique ID | Technique | Detections |
|---|---|---|
| T1003.001 | LSASS Memory | 105 |
| T1003.003 | NTDS | 34 |
| T1016 | System Network Configuration Discovery | 35 |
| T1018 | Remote System Discovery | 46 |
| T1021.001 | Remote Desktop Protocol | 51 |
| T1027.002 | Software Packing | 1 |
| T1027.010 | Command Obfuscation | 31 |
| T1033 | System Owner/User Discovery | 59 |
| T1046 | Network Service Discovery | 49 |
| T1047 | Windows Management Instrumentation | 85 |
| T1057 | Process Discovery | 18 |
| T1059.001 | PowerShell | 338 |
| T1059.003 | Windows Command Shell | 79 |
| T1069.002 | Domain Groups | 42 |
| T1070.003 | Clear Command History | 14 |
| T1070.004 | File Deletion | 40 |
| T1071.001 | Web Protocols | 74 |
| T1072 | Software Deployment Tools | 13 |
| T1078 | Valid Accounts | 252 |
| T1082 | System Information Discovery | 80 |
| T1083 | File and Directory Discovery | 48 |
| T1087.001 | Local Account | 32 |
| T1090.003 | Multi-hop Proxy | 8 |
| T1105 | Ingress Tool Transfer | 170 |
| T1106 | Native API | 27 |
| T1112 | Modify Registry | 197 |
| T1135 | Network Share Discovery | 16 |
| T1136.002 | Domain Account | 9 |
| T1190 | Exploit Public-Facing Application | 208 |
| T1218.014 | MMC | 10 |
| T1219 | Remote Access Tools | 33 |
| T1486 | Data Encrypted for Impact | 339 |
| T1489 | Service Stop | 54 |
| T1490 | Inhibit System Recovery | 56 |
| T1505.003 | Web Shell | 57 |
| T1518.001 | Security Software Discovery | 8 |
| T1529 | System Shutdown/Reboot | 18 |
| T1543.003 | Windows Service | 79 |
| T1548.002 | Bypass User Account Control | 83 |
| T1553.002 | Code Signing | 3 |
| T1559.001 | Component Object Model | 16 |
| T1562.001 | Disable or Modify Tools | 300 |
| T1562.003 | Impair Command History Logging | 3 |
| T1562.004 | Disable or Modify System Firewall | 45 |
| T1564.003 | Hidden Window | 11 |
| T1567.002 | Exfiltration to Cloud Storage | 27 |
| T1569.002 | Service Execution | 63 |
| T1570 | Lateral Tool Transfer | 20 |
| T1573.002 | Asymmetric Cryptography | 6 |
| T1583.006 | Web Services | 1 |
| T1588.002 | Tool | 13 |
| T1657 | Financial Theft | 12 |