Skip to main content

// group profile

medusa

Active

Medusa is a ransomware-as-a-service operation active since June 2021 that has targeted over 300 victims across critical infrastructure sectors including healthcare, education, legal, and manufacturing using double-extortion, with attacks surging 42% between 2023 and 2024 and a formal CISA advisory issued in early 2025.

517

Victims

9

Sites

Victims (517)

Live

Balloons Everywhere

medusaUnited States

South Hays Fire Department

medusaUnited States

Comune di Battipaglia

Grandview Family Medicine

medusaUnited States

MESA Products

medusaUnited States

Resource Corporation of America

medusaUnited States

JBS

medusaUnited States

Thunder Bay Counselling

medusaCanada

Sampoerna Agro

medusaIndonesia

Shamrock Technologies

medusaUnited States

Callipo Group

Universidade Municipal de São Caetano

medusaBrazil

WR Comercial

medusaBrazil

Concord Academy

medusaUnited States

General Distributing

medusaUnited States

FDC Interiors

medusaUnited Arab Emirates

MFE Formwork Technology

medusaSingapore

Nationwide Legal LLC

medusaUnited States

Atrium Living Centers

medusaUnited States

Simon Property Group

medusaUnited States

Clackamas Community College

medusaUnited States

LaRosa’s Pizzeria

medusaUnited States

Oscars Group

medusaAustralia

PT Kalimantan Prima Persada

medusaIndonesia

Adore Children and Family Services

medusaUnited States

Known Leak Sites

medusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd.onionChat

hupxs7ps7md24kpz4lwsbra64abgxjx3pcc2wuca5ibawf2g5hlpfyqd.onionDLS

dlmfciajg5s4vliyo5dhs5jyzhi2xr2fnkebul46lpf4xudtqiue4nid.onionDLS

kyfiw76eol6ph2mq7pi5e5tdvce37bicddhai62qhdc5ja6jdchz4qqd.onionDLS

cx5u7zxbvrfyoj6ughw76oa264ucuuizmmzypwum6ear7pct4yc723qd.onionDLS

xfv4jzckytb4g3ckwemcny3ihv4i5p4lqzdpi624cxisu35my5fwi5qd.onionDLS

45.9.148.39DLS

medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onionDLS

s7lmmhlt3iwnwirxvgjidl6omcblvw2rg75txjfduy73kx5brlmiulad.onionDLS

Top Targeted Countries

United States262

United Kingdom38

Canada35

Italy14

Australia14

MITRE ATT&CK

T1486Data Encrypted for Impact

AES-256 encryption with RSA key wrapping

T1490Inhibit System Recovery

Deletes shadow copies via vssadmin and wmic

T1489Service Stop

Stops security and backup services

T1021.001Remote Desktop Protocol

Brute-forces RDP for initial access

T1078Valid Accounts

Uses purchased or brute-forced credentials

Activity

Total victims517

Countries affected50

Last seenNo recent activity

Explore

Ransomware NewsRelated articles

Check DecryptorsFree tools

Payment DataRansom tracking

MITRE ATT&CKTechniques

Live MapGlobal view

Source: ransomware.live|Refreshes every 5 min