← All Threat Actors
Threat Actor Profile

Medusa Group

G1051 Medusa Actors MedusaLocker Spearwing Storm-1175
▲ High Threat
[Medusa Group](https://attack.mitre.org/groups/G1051) has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates that certain attacks may still be conducted directly by the ransomware’s core developers. Public sources have also referred to the group as “Spearwing” or “Medusa Actors.” (Citation: CISA Medusa Group Medusa Ransomware March 2025) (Citation: Broadcom Medusa Ransomware Medusa Group March 2025) [Medusa Group](https://attack.mitre.org/groups/G1051) employs living-off-the-land techniques, frequently leveraging publicly available tools and common remote management software to conduct operations. The group engages in double extortion tactics, exfiltrating data prior to encryption and threatening to publish stolen information if ransom demands are not met. (Citation: Security Scorecard Medusa Ransomware January 2024) For initial access, [Medusa Group](https://attack.mitre.org/groups/G1051) has exploited publicly known vulnerabilities, conducted phishing campaigns, and used credentials or access purchased from Initial Access Brokers (IABs). The group is opportunistic and has targeted a wide range of sectors globally. (Citation: Intel471 Medusa Ransomware May 2025)
Origin

Known TTPs

Inhibit System Recovery
Windows Management Instrumentation
Lateral Tool Transfer
Windows Service
Service Stop
Native API
Web Services
Upload Tool
Command Obfuscation
File and Directory Discovery
Modify Registry
Tool
Local Account
Social Media Accounts
Exfiltration to Cloud Storage
Clear Command History
Acquire Access
Web Protocols
Disable or Modify System Firewall
Hidden Window
Network Share Discovery
Multi-hop Proxy
Exploit Public-Facing Application
MMC
Email Accounts
Valid Accounts
Ingress Tool Transfer
Process Discovery
Component Object Model
Remote Access Tools
NTDS
Remote System Discovery
Service Execution
LSASS Memory
Asymmetric Cryptography
Data Encrypted for Impact
PowerShell
Domain Account
Financial Theft
Device Driver Discovery
Prevent Command History Logging
Software Packing
File Deletion
Windows Command Shell
Domain Groups
Code Signing
Web Shell
System Shutdown/Reboot
Security Software Discovery
System Network Configuration Discovery
Disable or Modify Tools
Network Service Discovery
System Owner/User Discovery
System Information Discovery
Remote Desktop Protocol
Software Deployment Tools
Bypass User Account Control

External Resources

CISA Advisories ↗

Related Intelligence

Hacking the mainframe…

LINK COPIED TO CLIPBOARD