The Medusa ransomware group is a well-documented and active ransomware-as-a-service (RaaS) operation that emerged in early 2023. The group targets mid- to large-sized organizations across a wide range of sectors, including healthcare, education, manufacturing, and professional services, with attacks observed globally.
Medusa is known for its aggressive double extortion strategy, exfiltrating sensitive data before encrypting systems and threatening to publish stolen information on its leak site if ransom demands are not met. Initial access is frequently achieved through phishing campaigns, compromised credentials, and exploitation of exposed or unpatched services, followed by rapid lateral movement using legitimate administrative tools.
On the technical side, Medusa employs strong encryption, actively attempts to disable security tools and backups before encryption begins, and shows hands-on-keyboard operator activity throughout its intrusions.
