Madusa Ransomware 2025: RMM Exploitation in Ransomware Campaigns

MITRE Techniques

• [T1071 ] Application Layer Protocol – Used for command-and-control and exfiltration over HTTP/HTTPS to attacker servers (‘establishing connections to 31.220.45[.]120 and 213.183.63[.]41, both of which hosted malicious SimpleHelp RMM servers.’)
• [T1119 ] Automated Collection – Automated collection of data from compromised file servers prior to exfiltration (‘downloading documents from another internal server over SMB and uploading approximately 70 GiB of data to erp.ranasons[.]com’).
• [T1020 ] Automated Exfiltration – Use of automated tools and services (Rclone, Robocopy, Ngrok) to exfiltrate data to external endpoints (‘data was exfiltrated to the endpoints erp.ranasons[.]com or pruebas.pintacuario[.]mx … using an SSH-2.0-rclone client’).
• [T1110 ] Brute Force – Initial access via credential stuffing/brute-force and purchase of compromised accounts from IABs (‘IABs that employ phishing, credential stuffing, or brute-force attacks’).
• [T1592.004 ] Client Configurations – Abuse and modification of SimpleHelp server configuration to redirect RMM agents (‘edit server configuration files to redirect existing SimpleHelp RMM agents to communicate with unauthorized servers under their control.’)
• [T1078.004 ] Cloud Accounts – Use of valid or cloud-managed credentials for persistence or access to services (‘Valid Accounts … INITIAL ACCESS’ and references to purchased or reused credentials via IABs).
• [T0807 ] Command-Line Interface – Execution of command-line utilities and scripts during lateral movement and staging (‘robocopy . “c:windows” /COPY:DT /E … suggested that this utility was likely used to stage files in preparation for data exfiltration’).
• [T1110.004 ] Credential Stuffing – Use of credential stuffing as an initial access method via IABs (‘IABs that employ phishing, credential stuffing, or brute-force attacks’).
• [T1486 ] Data Encrypted for Impact – Ransomware encryption observed with .MEDUSA extension and ransom notes (‘!!!READ_ME_MEDUSA!!!.txt’ ransom notes and ‘.MEDUSA’ extension added to encrypted files).
• [T1039 ] Data from Network Shared Drive – Collection of files from network shares and file servers prior to exfiltration (‘downloading documents from another internal server over SMB and uploading approximately 70 GiB of data’).
• [T1001 ] Data Obfuscation – Use of tunnels/proxies or alternate protocols (Ngrok, SSH) to obscure exfiltration activity (‘data was exfiltrated … using an SSH-2.0-rclone client’ and use of Ngrok-associated endpoints).
• [T1074 ] Data Staged – Staging of data on intermediate hosts (use of Robocopy to prepare data) (‘CrowdStrike integration alerts for the execution of robocopy … suggested that this utility was likely used to stage files’).
• [T1030 ] Data Transfer Size Limits – Use of large-volume transfers and chunking/slow exfiltration tactics (observed ~70 GiB upload and “Low and Slow Exfiltration” detections) (‘uploading approximately 70 GiB of data to erp.ranasons[.]com’).
• [T1078.001 ] Default Accounts – Use and abuse of default or known accounts for access and persistence (references to default credentials and valid accounts used by attackers in initial access).
• [T0812 ] Default Credentials – Abuse of default credentials on remote management tools or devices to move laterally or gain access (implied in RMM tool compromises and exposed management servers).
• [T1021.003 ] Distributed Component Object Model – Lateral movement techniques (SMB/RPC) used to write executables and move laterally (‘writing Temp[…] .exe over SMB to another device on the same subnet’).
• [T0817 ] Drive-by Compromise – Compromise of public-facing services and download of payloads from file-sharing services (Filemail abuse to deliver payloads) (‘downloading 35 MiB from [0-9]{4}.filemail[.]com’).
• [T1189 ] Drive-by Compromise – Exploitation of public-facing web services and hosting infrastructure to deliver tools and payloads (use of malicious SimpleHelp servers and hosted payloads on attacker-controlled domains).
• [T1114 ] Email Collection – Potential harvesting of emails/credentials via initial access/credential harvesting tactics (article references phishing and IAB activity as common initial access vectors).
• [T1048 ] Exfiltration Over Alternative Protocol – Use of non-standard or alternative protocols and services for exfiltration (Ngrok proxy and SSH tunnels observed during exfiltration events).
• [T1041 ] Exfiltration Over C2 Channel – Exfiltration using C2 channels and RMM tools to transfer data (‘SimpleHelp tool is not only used for command-and-control … data exfiltration’).
• [T1567.002 ] Exfiltration to Cloud Storage – Use of cloud or third-party file-sharing and hosting services (Filemail and other external hosting abused to stage and transfer data/payloads).
• [T1190 ] Exploit Public-Facing Application – Exploitation of GoAnywhere (CVE-2025-10035) and other public-facing application flaws for initial access (‘exploiting a vulnerability in Fortra’s GoAnywhere MFT License Servlet (CVE-2025-10035)’).
• [T0890 ] Exploitation for Privilege Escalation – Use of exploits and malicious drivers to disable security and escalate privileges (‘Bring Your Own Vulnerable Driver (BYOVD) technique to terminate antivirus processes … leveraging tools such as KillAV or AbyssWorker’).
• [T1210 ] Exploitation of Remote Services – Exploitation of remote support/RMM services (SimpleHelp, ConnectWise ScreenConnect) for lateral movement and access (‘abuse of flaws in SimpleHelp’s remote support software’ and references to ScreenConnect CVE-2024-1709).
• [T1588.005 ] Exploits – Development or acquisition of exploit code to target identified vulnerabilities in resource development (‘Vulnerabilities exploited in Medusa attacks include …’).
• [T1083 ] File and Directory Discovery – Discovery of file servers and directories during reconnaissance and staging (‘file server … was observed downloading documents from another internal server over SMB’).
• [T1070.004 ] File Deletion – Attempts to remove traces or tamper with logs/artifacts as part of defense evasion (general defensive evasion behavior and use of BYOVD/malicious drivers to disable security).
• [T0823 ] Graphical User Interface – Abuse of legitimate admin GUIs (RMM GUIs) for remote control and operations (‘SimpleHelp management servers … redirect existing SimpleHelp RMM agents to communicate with unauthorized servers under their control’).
• [T1105 ] Ingress Tool Transfer – Downloading additional tooling to compromised hosts (use of Filemail and external locations to retrieve payloads) (‘downloading additional tooling from the Filemail file-sharing service’).
• [T1570 ] Lateral Tool Transfer – Moving administration tools and payloads between hosts (writing executables over SMB and deploying RMM agents across devices) (‘writing Temp[…] .exe over SMB to another device on the same subnet’).
• [T1557.001 ] LLMNR/NBT-NS Poisoning and SMB Relay – Credential capture/relay techniques implied in local network credential theft and lateral movement (references to SMB/NTLM behaviors and NTLM alerts).
• [T1588.001 ] Malware – Deployment of ransomware binaries (gaze.exe) and associated payloads to impacted hosts (‘integration alerts related to the ransomware binary, such as c:windowssystem32gaze.exe … and “!!!READ_ME_MEDUSA!!!.txt” ransom notes’).
• [T1046 ] Network Service Scanning – Network scanning activity observed from out-of-scope devices scanning the network before lateral movement (‘a device out of the scope of Darktrace’s visibility began scanning the network’).
• [T1135 ] Network Share Discovery – Discovery and access of network shares to collect files (‘downloading documents from another internal server over SMB’ and staging files on file servers).
• [T1095 ] Non-Application Layer Protocol – Use of non-HTTP protocols and ports for communications and exfiltration (exfiltration observed over ports 443, 445, and 80 and other non-standard uses).
• [T1571 ] Non-Standard Port – Use of uncommon ports for C2 or exfiltration (observed connections to port 7070 on 193.37.69[.]154 and other non-standard ports on SimpleHelp servers).
• [T1102.003 ] One-Way Communication – Use of one-way upload channels or constrained communications for exfiltration to attacker endpoints (uploads to erp.ranasons[.]com over HTTPS observed continuing for days).
• [T1550.002 ] Pass the Hash – Use of NTLM/SMB credential abuse and lateral movement techniques indicated by NTLM/SMB alerts and suspicious domain authentication activity (‘CrowdStrike alerts and NTLM/SMB activity during lateral movement and reconnaissance’).
• [T1110.002 ] Password Cracking – Attempts to crack passwords or use brute-force/password-guessing techniques as part of credential access operations (IAB-sourced compromised accounts and brute-force references).
• [T1110.001 ] Password Guessing – Use of password guessing and spraying attempts in initial access campaigns (references to credential stuffing, password guessing and IAB activity).
• [T1110.003 ] Password Spraying – Observed or reported credential spraying attempts used by IABs or operators to gain access to accounts (‘IABs that employ phishing, credential stuffing, or brute-force attacks’).
• [T0843 ] Program Download – Download of additional programs and tools to compromised hosts (Filemail and remote downloads observed during intrusions ‘downloading additional tooling from the Filemail file-sharing service’).
• [T0845 ] Program Upload – Upload of staged data and tools to attacker-controlled services during exfiltration and staging activities (‘uploading approximately 70 GiB of data to erp.ranasons[.]com (143.110.243[.]154:443)’).
• [T1219 ] Remote Access Software – Abuse of legitimate remote access/RMM software (SimpleHelp, Atera, AnyDesk, ScreenConnect, etc.) for C2, persistence, lateral movement, and exfiltration (‘Medusa actors appear to favor RMM tools such as SimpleHelp’).
• [T1021.001 ] Remote Desktop Protocol – Use of RDP for lateral movement and remote control observed in incident reconstructions (‘began scanning the network and using RDP, NTLM/SMB, DCE_RPC, and PowerShell for lateral movement’).
• [T1018 ] Remote System Discovery – Discovery of remote hosts and services via scanning and reconnaissance (‘a device … began scanning the network’ and multiple model alerts for network scan activity).
• [T1595.001 ] Scanning IP Blocks – Broad scanning of IP ranges and external resources as part of reconnaissance and victim discovery (models detected scanning IP blocks and suspicious scanning activity).
• [T1029 ] Scheduled Transfer – Use of scheduled or repeated transfer mechanisms to exfiltrate or maintain C2 communication persistently over days (‘These C2 connections continued for more than 20 days after the initial compromise.’)
• [T0865 ] Spearphishing Attachment – Phishing and social engineering cited as an IAB method for initial access in some Medusa compromises (‘IABs that employ phishing … attacks’).
• [T0869 ] Standard Application Layer Protocol – Use of standard application protocols (HTTP/HTTPS) for C2 and data transfer (‘data was exfiltrated … over ports 443, 445, and 80’).
• [T0862 ] Supply Chain Compromise – Possible supply-chain or third-party compromise vectors through abuse of vendor products and services (exploitation of widely used RMM and MFT products such as SimpleHelp and GoAnywhere).
• [T0863 ] User Execution – Execution of user-run or admin-run tools and payloads to deploy malware and lateral tools (abuse of legitimate administration tools to install or run malicious binaries on endpoints).
• [T1078 ] Valid Accounts – Reuse or purchase of valid accounts from IABs and use of legitimate credentials for persistence and access (‘Medusa actors typically purchase access to already compromised devices or accounts via IABs’).
• [T0859 ] Valid Accounts (ICS) – Use of valid accounts for persistence in managed environments and RMM tools (references to valid account use for persistence and lateral movement across management systems).
• [T1588.006 ] Vulnerabilities – Targeting and exploitation of known product vulnerabilities in resource development and operations (exploits of CVE-2025-10035, SimpleHelp CVEs, CVE-2024-1709, and others).
• [T1595.002 ] Vulnerability Scanning – Scanning for vulnerable public-facing systems and unpatched RMM servers as part of reconnaissance (recommendation to patch exposed RMM servers due to observed exploitation patterns).
• [T1071.001 ] Web Protocols – Use of HTTP/HTTPS web protocols for C2, payload delivery, and exfiltration (‘many of the destination IP addresses involved in this activity were linked to SimpleHelp servers’ and exfiltration over HTTPS observed).