Back to Intelligence

MEDUSALOCKER: 15-Victim Surge Targeting Education & Business Services — CISA KEV Exploitation Analysis

SA
Security Arsenal Team
May 5, 2026
6 min read

MEDUSALOCKER operates as a Ransomware-as-a-Service (RaaS) entity, distinguishing itself from the similarly named "Medusa" gang. Known for aggressive double-extortion tactics, they encrypt victim data and threaten to leak sensitive files on their TOR leak site if demands are unmet.

  • Ransom Model: RaaS (Affiliate-based).
  • Ransom Demands: Typically range from $500,000 to several million USD, depending on victim revenue.
  • Initial Access: Historically relies on compromised credentials (phishing), exposed RDP/VPN services, and exploitation of public-facing applications (e.g., Exchange, firewalls).
  • TTPs: Utilizes tools like Cobalt Strike for C2, PsExec for lateral movement, and Rclone or custom scripts for rapid data exfiltration prior to encryption.
  • Dwell Time: Variable, but recent campaigns show short dwell times (1-3 days) if initial access provides high privileges immediately.

Current Campaign Analysis

Campaign Dates: 2026-05-05 Victim Count: 15 confirmed postings

Sector Targeting: MEDUSALOCKER has demonstrated a distinct pivot towards the Education and Consumer Services sectors in this wave. Significant targets include:

  • Education: Desert Christian Schools (US), Académie de Montpellier (FR), Colegio María Inmaculada (CR).
  • Consumer Services: Elken Sdn Bhd (MY), Bandeirante Supermercados (BR).
  • Logistics/Agro: CEAGESP (BR) — a critical logistics hub for food distribution.

Geographic Spread: The campaign is highly globalized, impacting victims in the US (2), UK (3), Brazil (2), Malaysia, Italy, Israel, France, and Costa Rica. This suggests a broad, opportunity-based scanning strategy rather than geo-political targeting.

CVE Exploitation Vectors: Based on the active exploitation of CISA KEVs listed in our telemetry, this campaign likely leverages:

  1. CVE-2025-52691 / CVE-2026-23760 (SmarterTools SmarterMail): Given the high volume of business and service providers, exploitation of email gateways remains a probable initial access vector for credential harvesting.
  2. CVE-2023-21529 (Microsoft Exchange): A perennial favorite for ransomware affiliates to gain a foothold in corporate environments.

Detection Engineering

SIGMA Rules

YAML
title: Potential MedusaLocker Affiliate Activity - SmarterMail Exploit
id: 6a5b4c3d-2e1f-4a5b-8c9d-0e1f2a3b4c5d
description: Detects potential exploitation of SmarterMail vulnerabilities (CVE-2025-52691) often used by MedusaLocker affiliates for initial access via unrestricted file upload.
status: experimental
author: Security Arsenal
date: 2026/05/05
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: webserver
detection:
    selection:
        c-uri|contains:
            - '/Services/MailService.asmx'
            - '/UserInterface/Html/'
        cs-method: POST
    filter:
        sc-status: 200
    condition: selection and filter
falsepositives:
    - Legitimate administrative access
level: high

---
title: MedusaLocker Lateral Movement via PsExec
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects the use of PsExec for lateral movement, a common TTP observed in MedusaLocker operations to spread across the network.
status: experimental
author: Security Arsenal
date: 2026/05/05
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 5145
        ShareName|contains: 'IPC$'
        RelativeTargetName|contains: 'PSEXESVC'
    condition: selection
falsepositives:
    - Legitimate system administration
level: high

---
title: Suspicious PowerShell Encoded Command - MedusaLocker
id: 9f8e7d6c-5b4a-3f2e-1d0c-9b8a7f6e5d4c
description: Detects highly obfuscated PowerShell commands often used by MedusaLocker to disable security tools, kill AV processes, or execute encryption payloads.
status: experimental
author: Security Arsenal
date: 2026/05/05
logsource:
    product: windows
    service: powershell
detection:
    selection:
        EventID: 4103 or 4104
        ContextInfo|contains:
            - 'FromBase64String'
            - 'IEX'
            - 'Invoke-Expression'
        filter:
            ContextInfo|contains: 'ScriptBlock' 
    condition: selection and not filter
falsepositives:
    - Legitimate scripts using encoding
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for MedusaLocker Affiliate TTPs: Lateral Movement and Data Staging
let TimeRange = ago(7d);
DeviceProcessEvents
| where Timestamp >= TimeRange
// Look for common tools used by affiliates
| where FileName in~ ("psexec.exe", "psexec64.exe", "procdump.exe", "rclone.exe", "mimikatz.exe", "accesschk.exe")
// Or PowerShell with suspicious flags
| or (InitiatingProcessFileName =~ "powershell.exe" and ProcessCommandLine contains " -enc ")
| extend HostName = DeviceName
| project Timestamp, HostName, FileName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| order by Timestamp desc

PowerShell Response Script

PowerShell
# MedusaLocker Rapid Response Hardening Script
# Usage: Run as Administrator on suspected endpoints or domain controllers

Write-Host "[+] Initiating MedusaLocker Response Hardening..." -ForegroundColor Cyan

# 1. Disable RDP if not strictly necessary (Immediate hardening)
$RDPProperty = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name 'fDenyTSConnections' -ErrorAction SilentlyContinue
if ($RDPProperty.fDenyTSConnections -eq 0) {
    Write-Host "[!] WARNING: RDP is currently ENABLED. Disabling..." -ForegroundColor Red
    Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name 'fDenyTSConnections' -Value 1
    Write-Host "[+] RDP Disabled." -ForegroundColor Green
} else {
    Write-Host "[+] RDP is already disabled." -ForegroundColor Green
}

# 2. Hunt for Scheduled Tasks created/modified in last 7 days (Persistence)
Write-Host "\n[+] Checking for suspicious Scheduled Tasks created in the last 7 days..." -ForegroundColor Cyan
$DateCutoff = (Get-Date).AddDays(-7)
$SuspiciousTasks = Get-ScheduledTask | Where-Object { $_.Date -gt $DateCutoff }
if ($SuspiciousTasks) {
    $SuspiciousTasks | Select-Object TaskName, Date, Author, State | Format-Table -AutoSize
} else {
    Write-Host "No tasks found matching criteria." -ForegroundColor Green
}

# 3. Check Volume Shadow Copy Service (VSS) Health
Write-Host "\n[+] Checking Volume Shadow Copy Storage usage..." -ForegroundColor Cyan
try {
    vssadmin list shadowstorage /for=c: | Select-String "Used"
} catch {
    Write-Host "Could not query VSS." -ForegroundColor Yellow
}

Write-Host "\n[+] Script Complete." -ForegroundColor Cyan


# Incident Response Priorities

**T-Minus Detection Checklist (Pre-Encryption)**:
1.  **Edge Device Logs**: Immediate review of Exchange, SmarterMail, and Cisco FMC logs for the CVEs listed above.
2.  **Large File Transfers**: Hunt for outbound traffic anomalies (uploads to Mega.nz, Dropbox, or FTP) involving Rclone or WinSCP.
3.  **Process Anomalies**: Monitor for `vssadmin.exe delete shadows` or `wbadmin.exe delete catalog`.

**Critical Assets for Exfiltration**:
- Student records (Education sector)
- Customer PII/Financial data (Consumer Services)
- Legal/Contract documents (Business Services)

**Containment Actions**:
1.  **Isolate**: Disconnect infected VLANs from the core network immediately.
2.  **Reset Credentials**: Force reset of privileged admin accounts and service accounts (especially Exchange and email admins).
3.  **Block IP Addresses**: Block Tor exit nodes and known C2 IPs associated with MedusaLocker at the perimeter firewall.

# Hardening Recommendations

**Immediate (24 Hours)**:
- **Patch**: Apply updates for CVE-2023-21529 (Exchange) and CVE-2025-52691 (SmarterMail) immediately.
- **Disable RDP**: Ensure RDP is not exposed to the internet and enforce MFA for internal access.
- **Phishing Controls**: Deploy strict DMARC (p=reject) policies to prevent email spoofing used for credential harvesting.

**Short-Term (2 Weeks)**:
- **Network Segmentation**: Isolate critical backup servers from the general network to prevent double-extortion attempts.
- **EDR Tuning**: Ensure EDR policies are configured to block unexecuted scripts from WinWord/Excel and unsigned binaries like PsExec.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebransomware-gangmedusalockerransomwareeducation-sectorcisa-kevdata-exfiltrationlateral-movement

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action