
The Medusa ransomware group is a growing cybersecurity threat, impacting over 300 organizations across healthcare, education, financial services, technology, and manufacturing. Operating as a Ransomware-as-a-Service (RaaS) operation, Medusa gains access through phishing, unpatched vulnerabilities, and cloud misconfigurations. Once inside, attackers use double extortion tactics, encrypting data while threatening to leak it unless a ransom is paid.
A high-profile example was the Minneapolis Public Schools (MPS) breach in 2023, affecting more than 100,000 individuals. Attackers demanded a $4.5 million ransom, which MPS refused to pay. In retaliation, Medusa leaked 92GB of sensitive data, including student records, disciplinary reports, and employee files. Other victims, including large enterprises, financial institutions, and technology providers, illustrate how ransomware is evolving—targeting cloud-first organizations that depend on multicloud environments for mission-critical operations.
As cloud adoption accelerates, attackers are shifting their focus to exploiting cloud misconfigurations, weak IAM (identity and access management) policies, and unprotected network traffic, putting high-value corporate data and infrastructure at risk. To counter this, organizations must implement cloud-native security strategies, including network segmentation, the adoption of Zero Trust principles, egress controls, and real-time monitoring to prevent the spread of ransomware.
March 2025 Guidance from CISA
To address the rising Medusa ransomware threat, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) issued advisory AA25-071A on March 12, 2025, outlining Medusa’s tactics and recommended security measures.
Key CISA Recommendations for Stopping Medusa Ransomware
- Patch Known Vulnerabilities
  - Apply security updates to operating systems, cloud workloads, and applications.
  - Address CVE-2024-1709 and CVE-2023-48788, vulnerabilities actively exploited by Medusa.
- Strengthen Access Controls
  - Enforce multi-factor authentication (MFA) for all remote and cloud access points.
  - Ensure IAM roles adhere to the principle of least privilege (PoLP).
- Enhance Network Security
  - Segment networks to prevent ransomware from spreading.
  - Deploy FQDN-based egress filtering to block unauthorized connections to Command-and-Control Servers (C2).
- Increase Cloud Visibility and Monitoring
  - Use network flow logs to detect anomalies and suspicious traffic.
  - Implement continuous monitoring across multicloud environments.
- Maintain Secure Backups
  - Store multiple copies of critical data in immutable and offline backups.
  - Ensure backups are protected from unauthorized access and cannot be altered by ransomware.
How Ransomware Attacks Are Moving from On-Premises to Cloud
Historically, ransomware targeted on-premises environments due to flat networks, weak segmentation, and legacy vulnerabilities. Attackers exploited RDP misconfigurations, stole credentials through phishing, and encrypted data on exposed file shares (SMB, NFS). Limited visibility and slow response times made containment difficult.
As organizations migrate to the cloud, ransomware tactics have evolved, exploiting cloud security gaps such as:
- Multi-cloud misconfigurations creating security blind spots.
- Poor network segmentation, allowing ransomware to move across workloads and cloud regions.
- Weak IAM policies, enabling attackers to escalate privileges and gain access to storage, backups, and critical resources.
- Unrestricted egress traffic, allowing ransomware to exfiltrate sensitive data before encrypting it, increasing ransom leverage.
How Medusa Ransomware Exploits Cloud Weaknesses
Unpatched Cloud-Based Applications and Services
Attackers scan for unpatched workloads in remote access tools, VPNs, and cloud-native services.
Exploited vulnerabilities include:
- ScreenConnect Authentication Bypass (CVE-2024-1709) – Grants attackers remote admin access.
- Fortinet EMS SQL Injection (CVE-2023-48788) – Allows attackers to execute unauthorized commands on Fortinet EMS servers, potentially compromising managed endpoints (NVD).
Attackers have used CVE-2023-48788 to install unauthorized remote management tools and PowerShell backdoors, maintaining persistent access.
Abuse of Legitimate Remote Access Tools
Medusa affiliates use legitimate remote access software such as AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, and Splashtop. These tools help attackers move laterally, evade detection, and maintain persistence (CISA).
How Aviatrix Secures Cloud Environments Against Ransomware
Aviatrix provides ransomware protection by integrating advanced network segmentation, egress security, threat visibility, and deep traffic inspection to prevent attacks from spreading in multicloud environments.
- Stopping Lateral Movement with Cloud-Native Segmentation – Aviatrix enforces micro-segmentation, ensuring ransomware cannot move laterally between cloud workloads. By tightly controlling east-west traffic, Aviatrix prevents infected instances from compromising additional resources.
- Blocking Ransomware Communication and Data Exfiltration – Aviatrix FQDN-based egress filtering stops ransomware from connecting to command-and-control (C2) servers, preventing attackers from exfiltrating sensitive data or issuing encryption commands.
- Application-Aware Filtering – Aviatrix enforces SmartGroup-based filtering, which lets users classify and group cloud resources by attributes for simplified management and policy enforcement. Traffic can then be monitored and controlled based on workload attributes, preventing malware from using cloud services for lateral movement.
- Egress FQDN Filtering – Aviatrix controls outbound traffic, ensuring applications only communicate with trusted internet-based services, reducing unauthorized access risks.
- Public Subnet Filtering Gateways (PSF Gateways) – Aviatrix enforces ingress and egress security for AWS public subnets, ensuring only authorized applications can communicate within and outside the network.
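The FQDN-based egress filtering recommended by CISA and described above comes down to a default-deny allowlist matched on whole DNS labels. The following is an added example with constructed data, not Aviatrix code or configuration: it evaluates sample outbound destinations against an allowlist, denies look-alike domains and direct-to-IP egress, and returns a verdict per connection.

```python
"""Default-deny egress policy keyed on FQDN. Added example with
constructed data; not Aviatrix code or configuration."""
import ipaddress

# Constructed allowlist: exact names plus "*." entries that cover any
# subdomain depth under the suffix (the bare suffix itself is not covered).
EGRESS_ALLOWLIST = [
    "updates.example-os.com",
    "*.amazonaws.com",
    "pkg.example-vendor.net",
]

def fqdn_allowed(fqdn, allowlist=EGRESS_ALLOWLIST):
    """True only if fqdn matches an allowlist entry on whole labels,
    so a look-alike such as evilamazonaws.com never matches *.amazonaws.com."""
    name = fqdn.lower().rstrip(".")
    for entry in allowlist:
        entry = entry.lower()
        if entry.startswith("*."):
            suffix = entry[1:]                      # ".amazonaws.com"
            if name.endswith(suffix) and len(name) > len(suffix):
                return True
        elif name == entry:
            return True
    return False

def classify_egress(dest):
    """Return 'allow' or 'deny:<reason>' for one outbound destination.
    Bare IP destinations are denied: an FQDN policy has nothing to match them against."""
    try:
        ipaddress.ip_address(dest)
        return "deny:direct-to-ip"
    except ValueError:
        pass
    return "allow" if fqdn_allowed(dest) else "deny:not-allowlisted"

# Constructed outbound connection attempts: (source workload, destination).
SAMPLE_CONNECTIONS = [
    ("web-1", "updates.example-os.com"),
    ("web-1", "s3.us-east-1.amazonaws.com"),
    ("db-2", "evilamazonaws.com"),
    ("db-2", "203.0.113.7"),
    ("app-3", "cdn.pkg.example-vendor.net"),      # exact entry does not cover subdomains
]

def evaluate(connections=SAMPLE_CONNECTIONS):
    """Map each (workload, destination) to its verdict."""
    return {(src, dst): classify_egress(dst) for src, dst in connections}
```

Denied verdicts are the records worth alerting on, since a workload that never legitimately needs a destination should not be reaching for it.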
In Kubernetes environments, Aviatrix extends its application-aware filtering capabilities with:
- Identity-Based Segmentation – Aviatrix’s Kubernetes Firewall dynamically enforces security policies based on Kubernetes-native identities, such as namespaces and pods, rather than relying solely on IP addresses. This approach ensures that security policies are consistently applied even as Kubernetes environments scale and evolve.
Early Ransomware Detection with Threat Intelligence
Aviatrix’s Anomaly Detection feature enhances security by flagging ports and protocols not previously observed in the environment, which is critical for identifying ransomware activity early. Since Medusa ransomware often introduces unexpected communication channels to evade detection, identifying these anomalies in real time allows security teams to take swift action before ransomware spreads.
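The detection idea behind both the flow-log monitoring CISA recommends and the new-port/protocol anomaly detection described here is baseline-and-deviate: learn which (protocol, destination port) pairs each workload normally uses, then flag the first flow that breaks that pattern. The following is an added example over constructed VPC-style flow log lines; it is not the Aviatrix Anomaly Detection implementation.

```python
"""Baseline-and-deviate detection over flow logs. Added example with
constructed records; not the Aviatrix Anomaly Detection implementation."""
from collections import defaultdict

# Constructed flow records in the default AWS VPC flow log field order
# (version account interface srcaddr dstaddr srcport dstport protocol ...);
# only srcaddr, dstaddr, dstport and protocol (6=TCP, 17=UDP) are used here.
BASELINE_LOGS = """\
2 123456789012 eni-0a1 10.0.1.10 10.0.2.20 51000 443 6 10 8000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1 10.0.1.10 10.0.2.20 51001 443 6 12 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1 10.0.1.10 10.0.2.53 51002 53 17 2 200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0b2 10.0.1.11 10.0.2.30 52000 5432 6 40 40000 1700000000 1700000060 ACCEPT OK
"""
NEW_LOGS = """\
2 123456789012 eni-0a1 10.0.1.10 10.0.2.20 51003 443 6 9 7000 1700000600 1700000660 ACCEPT OK
2 123456789012 eni-0a1 10.0.1.10 10.0.2.40 51004 445 6 30 20000 1700000600 1700000660 ACCEPT OK
2 123456789012 eni-0b2 10.0.1.11 198.51.100.9 52001 4444 6 200 150000 1700000600 1700000660 ACCEPT OK
2 123456789012 eni-0b2 10.0.1.11 10.0.2.30 52002 5432 6 35 30000 1700000600 1700000660 ACCEPT OK
"""

def parse_flows(text):
    """Yield (srcaddr, dstaddr, dstport, protocol) from whitespace-separated flow lines."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] == "version":   # skip blanks and a header row
            continue
        yield f[3], f[4], int(f[6]), int(f[7])

def build_baseline(text):
    """Map each source address to the set of (protocol, dst_port) pairs it used."""
    seen = defaultdict(set)
    for src, _dst, port, proto in parse_flows(text):
        seen[src].add((proto, port))
    return seen

def find_new_services(baseline, text):
    """Return flows whose (protocol, dst_port) is new for that source.
    Each new pair is reported once, then folded into the baseline."""
    hits = []
    for src, dst, port, proto in parse_flows(text):
        if (proto, port) not in baseline[src]:
            hits.append({"src": src, "dst": dst, "proto": proto, "dst_port": port})
            baseline[src].add((proto, port))
    return hits
```

Over the constructed data, the first workload's new SMB flow (TCP/445) and the second workload's new TCP/4444 flow to a public address are reported, while the repeated 443, 53 and 5432 flows stay silent.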
Aviatrix ThreatIQ with ThreatGuard provides real-time threat intelligence, identifying suspicious traffic patterns before ransomware can spread. ThreatGuard automates response actions, isolating infected instances and stopping attacks before they escalate.
Enhanced Security with Aviatrix Cloud Firewall and NGFW Integration
Aviatrix Cloud Firewall strengthens ransomware defenses with advanced threat detection and native security enforcement while seamlessly integrating with next-generation firewalls (NGFWs) to enhance multicloud security. By steering traffic to NGFWs, Aviatrix enables deep packet inspection (DPI) to detect ransomware payloads, malware, and unauthorized access attempts before they can compromise cloud environments.
Aviatrix’s NGFW integration ensures scalable, automated security enforcement, directing cloud traffic through NGFWs for real-time threat detection, prevention, and granular control over workloads. This eliminates security blind spots and ensures consistent policy enforcement across multicloud infrastructures without impacting performance.
Aviatrix Cloud Firewall with NGFW integration allows enterprises to reduce ransomware risks, enforce Zero Trust principles, and enhance multicloud visibility—all while maintaining high performance and operational agility.
Key Security Enhancements of Aviatrix Cloud Firewall with NGFW Integration
- Deep Packet Inspection (DPI) – Enables NGFWs to inspect traffic in real time, identifying ransomware payloads, malware, and unauthorized access attempts.
- Automated Traffic Steering – Ensures firewall insertion across AWS, Azure, Google Cloud, and Oracle Cloud, enabling comprehensive east-west and north-south traffic inspection.
Stop Ransomware Before It Strikes: Strengthen Your Cloud Security Today
The Medusa ransomware campaign highlights the urgent need for modern cloud security solutions.
With Aviatrix Cloud Network Security, you can:
- Stop lateral movement with micro-segmentation
- Block ransomware C2 connections with egress filtering
- Detect threats early with ThreatIQ’s real-time analytics
- Enforce Zero Trust policies to minimize attack surfaces
- Leverage Aviatrix Cloud Firewall integrated with NGFWs for deep traffic inspection
Schedule a demo to learn how Aviatrix can help protect your cloud environments from ransomware attacks.