Trustwave MailMarshal's Secure Email Gateway Protects Against Phishing/Ransomware Attacks

  • Combat Medusa Ransomware: Learn how Trustwave MailMarshal's secure email gateway effectively blocks phishing attacks, the primary entry point for this dangerous threat.
  • Strengthen Your Email Security: Discover the layered protection and advanced threat detection capabilities of our managed email security services, and prevent costly data breaches.
  • Proactive Phishing Defense: Understand how Trustwave MailMarshal's real-time threat intelligence and low false positive rate provide robust protection against evolving cyber threats.

In March 2025, several US federal agencies issued a joint warning on the phishing-based, ransomware-as-a-service (RaaS) threat group Medusa and are encouraging organizations to implement mitigations to reduce the likelihood of being impacted by an attack.

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) advisory noted the group and its affiliates have successfully infiltrated more than 300 victims since its inception in June 2021.

The threat group's target list is expansive and includes critical infrastructure sectors within the medical, education, legal, insurance, technology, and manufacturing sectors.


Medusa's Origin Story

The agencies noted that Medusa, which is unrelated to MedusaLocker, started life as a traditional ransomware group, encrypting data and demanding a ransom. Over time it developed an affiliate program and has fully morphed into a RaaS operation. That said, Medusa keeps certain key operations in-house, such as ransom negotiations, which are centrally controlled by the developers themselves.

The Medusa affiliate methodology employs the double-extortion model, where the victim's data is encrypted, and the attacker threatens to publicly release exfiltrated data if a ransom is not paid.


Medusa Likes to Phish

Medusa created its affiliate network by recruiting initial access brokers (IABs) on cybercriminal forums. Essentially, Medusa pays an IAB to gain access to a target. Its fee rate ranges widely, from $100 to $1 million, and by accepting payment, the IAB agrees to work with Medusa exclusively.

The advisory noted Medusa affiliates primarily rely on phishing attacks to gain initial access through stolen credentials, with a secondary reliance on exploiting unpatched vulnerabilities. Some of the more popular avenues used are:

Once access is established, the advisory noted, Medusa actors use living-off-the-land (LOTL) techniques and legitimate tools, such as Advanced IP Scanner and SoftPerfect Network Scanner, for initial user, system, and network enumeration. The RaaS operators and their affiliates then apply a variety of techniques spanning offensive tooling, defense evasion, lateral movement, execution, and exfiltration. More details on how they use these methods are available in the advisory.

A Ransomware Scenario

Succumbing to a ransomware demand is, at best, a double-edged sword. The attacker may, as promised, decrypt the data after the ransom is paid, and may keep their word and not publicize the stolen information. However, as the FBI has shown, the threat group may also turn around and demand even more money from the victim.

Medusa RaaS uses a double extortion model, forcing victims to pay not only to decrypt their files but also to prevent the public release of stolen data. According to CISA, the group's ransom note instructs victims to initiate contact within 48 hours using either a live chat on a Tor browser or Tox, an end-to-end encrypted messaging platform.

If victims fail to respond, Medusa actors may escalate their efforts by contacting them directly via phone or email, the advisory said. The group also operates a .onion data leak site that displays victims' information alongside countdown timers threatening the release of stolen data. Medusa publishes ransom demands on the site, with direct links to Medusa-affiliated cryptocurrency wallets. Additionally, Medusa gives victims the option to extend the countdown by paying $10,000 in cryptocurrency per day.

While there are proponents on each side of the "pay or don't pay" argument, the FBI and law enforcement do not condone paying. One FBI investigation shows why they maintain that position.

In the investigation, a victim who had already paid the ransom was approached by another Medusa actor, claiming the initial negotiator had stolen the funds. The affiliate then asked the victim to pay half of the ransom again to receive the "true decryptor", suggesting the possibility of a triple extortion scheme.


How Trustwave MailMarshal Protects Against Medusa's Attacks

Trustwave MailMarshal is a powerful email security gateway and email security service designed to defend against sophisticated cyber threats like Medusa ransomware. Here's how it helps protect organizations:

  1. Advanced Threat Detection: Trustwave MailMarshal uses AI and the machine learning tool MailMarshal PageML to detect and block phishing attempts, which are the primary methods Medusa affiliates use to gain initial access. This includes heuristic analysis to detect zero-day phishing attempts. By identifying and stopping these threats before they reach users' inboxes, MailMarshal significantly reduces the risk of credential theft and subsequent ransomware attacks.
  2. Layered Security: The platform provides over 20 layers of protection, capturing more than 99.9% of email threats. This comprehensive approach ensures that even the most sophisticated phishing and malware attempts are detected and neutralized.
  3. Real-Time Threat Intelligence: Trustwave SpiderLabs security teams continuously update MailMarshal with the latest threat intelligence. This proactive approach ensures that the platform is always equipped to handle emerging threats, including new tactics employed by Medusa and its affiliates.
  4. Low False Positive Rate: With a false positive rate of less than 0.01%, MailMarshal ensures that legitimate emails are not mistakenly flagged as threats. This accuracy helps maintain productivity while keeping the organization secure.
  5. Integration with Existing Security Systems: Trustwave MailMarshal complements other managed email security measures, such as Microsoft Defender for Office 365, to provide a robust defense against email-based threats. This integration helps create a multi-layered security environment that is more resilient to attacks.

By implementing Trustwave MailMarshal, organizations can significantly enhance their email security posture, making it much harder for Medusa and similar ransomware groups to succeed in their attacks.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.
