Trusted Design

Medusa Group

G1051 · MITRE Pageへのリンク

脅威アクターの詳細

[Medusa Group](https://attack.mitre.org/groups/G1051) has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates that certain attacks may still be conducted directly by the ransomware’s core developers. Public sources have also referred to the group as “Spearwing” or “Medusa Actors.” (Citation: CISA Medusa Group Medusa Ransomware March 2025) (Citation: Broadcom Medusa Ransomware Medusa Group March 2025) [Medusa Group](https://attack.mitre.org/groups/G1051) employs living-off-the-land techniques, frequently leveraging publicly available tools and common remote management software to conduct operations. The group engages in double extortion tactics, exfiltrating data prior to encryption and threatening to publish stolen information if ransom demands are not met. (Citation: Security Scorecard Medusa Ransomware January 2024) For initial access, [Medusa Group](https://attack.mitre.org/groups/G1051) has exploited publicly known vulnerabilities, conducted phishing campaigns, and used credentials or access purchased from Initial Access Brokers (IABs). The group is opportunistic and has targeted a wide range of sectors globally. (Citation: Intel471 Medusa Ransomware May 2025)

別名・別称

Medusa Group

利用した攻撃手法

• T1047 - Windows Management Instrumentation
• T1033 - System Owner/User Discovery
• T1548.002 - Bypass User Account Control
• T1489 - Service Stop
• T1652 - Device Driver Discovery
• T1087.001 - Local Account
• T1543.003 - Windows Service
• T1069.002 - Domain Groups
• T1559.001 - Component Object Model
• T1553.002 - Code Signing
• T1135 - Network Share Discovery
• T1082 - System Information Discovery
• T1106 - Native API
• T1070.003 - Clear Command History
• T1190 - Exploit Public-Facing Application
• T1219 - Remote Access Tools
• T1608.002 - Upload Tool
• T1562.004 - Disable or Modify System Firewall
• T1112 - Modify Registry
• T1505.003 - Web Shell
• T1585.002 - Email Accounts
• T1003.001 - LSASS Memory
• T1016 - System Network Configuration Discovery
• T1136.002 - Domain Account
• T1083 - File and Directory Discovery
• T1657 - Financial Theft
• T1583.006 - Web Services
• T1057 - Process Discovery
• T1562.003 - Impair Command History Logging
• T1072 - Software Deployment Tools
• T1059.001 - PowerShell
• T1588.002 - Tool
• T1090.003 - Multi-hop Proxy
• T1562.001 - Disable or Modify Tools
• T1078 - Valid Accounts
• T1585.001 - Social Media Accounts
• T1486 - Data Encrypted for Impact
• T1573.002 - Asymmetric Cryptography
• T1567.002 - Exfiltration to Cloud Storage
• T1570 - Lateral Tool Transfer
• T1518.001 - Security Software Discovery
• T1564.003 - Hidden Window
• T1059.003 - Windows Command Shell
• T1650 - Acquire Access
• T1027.010 - Command Obfuscation
• T1070.004 - File Deletion
• T1027.002 - Software Packing
• T1071.001 - Web Protocols
• T1018 - Remote System Discovery
• T1046 - Network Service Discovery
• T1105 - Ingress Tool Transfer
• T1021.001 - Remote Desktop Protocol
• T1003.003 - NTDS
• T1569.002 - Service Execution
• T1490 - Inhibit System Recovery
• T1529 - System Shutdown/Reboot
• T1218.014 - MMC

関連するCVE (攻撃手法に関連)

• CVE-2014-4114 (T1569.002)
• CVE-2017-0143 (T1569.002)
• CVE-2013-6282 (T1486)
• CVE-2015-2546 (T1486)
• CVE-2014-4113 (T1529)
• CVE-2015-1701 (T1218.014)
• CVE-2017-0263 (T1486)
• CVE-2015-0057 (T1569.002)
• CVE-2015-2360 (T1529)
• CVE-2008-1436 (T1529)
• CVE-2010-0232 (T1529)
• CVE-2010-4398 (T1529)
• CVE-2017-0001 (T1486)
• CVE-2015-5119 (T1486)
• CVE-2015-5122 (T1018)
• CVE-2017-12149 (T1486)
• CVE-2015-3043 (T1018)
• CVE-2015-3456 (T1486)
• CVE-2015-3090 (T1486)
• CVE-2015-2424 (T1486)
• CVE-2015-5477 (T1650)
• CVE-2014-1761 (T1190)
• CVE-2015-2502 (T1569.002)
• CVE-2012-1889 (T1559.001)
• CVE-2016-1019 (T1486)
• CVE-2015-3628 (T1486)
• CVE-2016-1287 (T1486)
• CVE-2016-2342 (T1046)
• CVE-2016-9494 (T1486)
• CVE-2014-4322 (T1486)
• CVE-2015-3636 (T1529)
• CVE-2015-3105 (T1486)
• CVE-2012-0507 (T1486)
• CVE-2014-8439 (T1046)
• CVE-2010-0188 (T1059.003)
• CVE-2014-1776 (T1486)
• CVE-2012-2539 (T1083)
• CVE-2014-8440 (T1018)
• CVE-2010-1297 (T1059.003)
• CVE-2010-2884 (T1059.003)
• CVE-2014-4148 (T1569.002)
• CVE-2010-2883 (T1046)
• CVE-2013-0634 (T1486)
• CVE-2010-0738 (T1486)
• CVE-2013-0640 (T1059.003)
• CVE-2013-2595 (T1486)
• CVE-2011-0611 (T1059.003)
• CVE-2012-0611 (T1562.001)
• CVE-2015-2419 (T1486)
• CVE-2016-0189 (T1027.010)
• CVE-2025-13335 (T1486)
• CVE-2025-13927 (T1486)
• CVE-2025-13928 (T1486)
• CVE-2025-55184 (T1486)
• CVE-2026-1102 (T1486)
• CVE-2015-1770 (T1569.002)
• CVE-2012-1856 (T1218.014)
• CVE-2014-6332 (T1569.002)
• CVE-2017-0199 (T1569.002)
• CVE-2015-0097 (T1486)
• CVE-2012-0158 (T1218.014)
• CVE-2012-4969 (T1569.002)
• CVE-2013-3906 (T1027.010)
• CVE-2014-6352 (T1569.002)
• CVE-2012-4792 (T1490)
• CVE-2014-0322 (T1569.002)
• CVE-2013-2551 (T1490)
• CVE-2012-1876 (T1486)
• CVE-2010-0806 (T1105)
• CVE-2013-7331 (T1569.002)
• CVE-2017-8570 (T1083)
• CVE-2015-0310 (T1486)
• CVE-2015-5897 (T1078)
• CVE-2015-4495 (T1486)
• CVE-2014-8361 (T1071.001)
• CVE-2012-6422 (T1486)
• CVE-2015-2545 (T1569.002)
• CVE-2015-7645 (T1486)
• CVE-2015-3113 (T1486)
• CVE-2015-2590 (T1083)
• CVE-2014-6271 (T1046)
• CVE-2013-2094 (T1529)
• CVE-2016-1010 (T1486)
• CVE-2016-0984 (T1486)
• CVE-2016-1001 (T1486)
• CVE-2016-0998 (T1486)
• CVE-2015-1641 (T1083)
• CVE-2015-0313 (T1486)
• CVE-2015-0359 (T1018)
• CVE-2015-5130 (T1486)
• CVE-2015-5134 (T1486)
• CVE-2015-5539 (T1486)
• CVE-2015-5557 (T1486)
• CVE-2015-5563 (T1486)
• CVE-2015-5559 (T1486)
• CVE-2015-5540 (T1486)
• CVE-2015-5561 (T1486)
• CVE-2015-5551 (T1486)
• CVE-2015-5564 (T1486)
• CVE-2015-5565 (T1486)
• CVE-2015-5550 (T1486)
• CVE-2015-5566 (T1486)
• CVE-2015-5127 (T1486)
• CVE-2015-5556 (T1486)
• CVE-2016-1898 (T1585.002)
• CVE-2016-1897 (T1585.002)
• CVE-2015-7261 (T1562.004)
• CVE-2015-8286 (T1562.004)
• CVE-2015-8287 (T1016)
• CVE-2017-0261 (T1018)
• CVE-2017-0262 (T1018)
• CVE-2025-55182 (T1486)
• CVE-2015-0311 (T1486)
• CVE-2015-0932 (T1650)
• CVE-2012-0056 (T1486)
• CVE-2010-3081 (T1046)
• CVE-2010-3333 (T1046)
• CVE-2015-0336 (T1486)
• CVE-2014-3153 (T1078)
• CVE-2014-0497 (T1486)
• CVE-2017-16929 (T1486)
• CVE-2013-0074 (T1486)
• CVE-2014-0569 (T1486)
• CVE-2014-0515 (T1486)
• CVE-2014-0556 (T1486)
• CVE-2015-5560 (T1486)
• CVE-2014-9163 (T1046)
• CVE-2012-1723 (T1486)
• CVE-2011-3402 (T1486)
• CVE-2014-7247 (T1529)
• CVE-2015-4902 (T1083)
• CVE-2013-5990 (T1529)
• CVE-2023-1389 (T1018)
• CVE-2025-24893 (T1486)
• CVE-2025-34026 (T1486)
• CVE-2025-55183 (T1650)
• CVE-2015-1427 (T1486)
• CVE-2015-6034 (T1078)
• CVE-2015-2853 (T1486)
• CVE-2015-7755 (T1486)
• CVE-2016-6532 (T1003.001)
• CVE-2016-9496 (T1529)
• CVE-2016-9495 (T1486)
• CVE-2012-3213 (T1486)
• CVE-2011-3544 (T1564.003)
• CVE-2017-17215 (T1486)
• CVE-2012-4681 (T1486)
• CVE-2015-1761 (T1078)
• CVE-2013-2678 (T1486)
• CVE-2014-3393 (T1486)
• CVE-2014-3897 (T1486)
• CVE-2025-31125 (T1486)
• CVE-2025-66478 (T1083)
• CVE-2026-20127 (T1529)
• CVE-2015-0016 (T1486)
• CVE-2015-6585 (T1585.002)
• CVE-2009-3129 (T1046)
• CVE-2014-0329 (T1486)
• CVE-2015-3785 (T1486)
• CVE-2016-1990 (T1078)
• CVE-2016-1991 (T1083)
• CVE-2015-2852 (T1486)
• CVE-2015-2854 (T1486)
• CVE-2015-6022 (T1083)
• CVE-2012-1258 (T1046)
• CVE-2013-2465 (T1486)
• CVE-2015-0071 (T1583.006)
• CVE-2013-3660 (T1078)
• CVE-2014-6324 (T1486)
• CVE-2015-2426 (T1486)
• CVE-2014-2273 (T1562.001)
• CVE-2015-2387 (T1486)
• CVE-2010-2572 (T1486)
• CVE-2011-1255 (T1490)
• CVE-2016-4117 (T1486)
• CVE-2025-68645 (T1046)
• CVE-2026-0723 (T1486)
• CVE-2016-1562 (T1562.001)
• CVE-2017-3212 (T1562.001)
• CVE-2014-7911 (T1529)
• CVE-2017-7255 (T1018)
• CVE-2015-7808 (T1078)
• CVE-2015-7262 (T1529)
• CVE-2010-1553 (T1046)
• CVE-2015-5749 (T1486)
• CVE-2016-2343 (T1486)
• CVE-2012-5054 (T1486)
• CVE-2013-0641 (T1059.003)

Actor – Pulse グラフ

---

← 脅威アクター一覧に戻る