Detecting Medusa ransomware with Wazuh

Wazuh 4.11.2

Medusa is a ransomware-as-a-service (RaaS) variant, first observed in June 2021. Its operators and affiliates have impacted over 300 organizations across multiple sectors, including healthcare, education, legal, insurance, technology, and manufacturing. The ransomware is primarily delivered through phishing campaigns and the exploitation of unpatched software vulnerabilities. As of February 2025, a resurgence in Medusa ransomware activity has been observed, with an increasing number of attacks.

Medusa ransomware targets the Windows operating system and, like most ransomware, is devastating, causing operational disruptions, financial losses, and reputational damage for affected organizations. In this blog post, we demonstrate how to detect Medusa ransomware using Wazuh.

Medusa ransomware behaviour

The ransomware is delivered through phishing campaigns or by exploiting unpatched software vulnerabilities to gain unauthorized access to targeted endpoints. It performs the following activities when executed:

  • The Medusa ransomware terminates system and user processes and services included in its pre-process routine before encrypting the files on the affected endpoint. It terminates the services and processes discovered on the affected endpoint with the commands below:
net stop "{Service name}" /y
taskkill /F /im {Process name} /T
  • The ransomware encrypts files on the affected endpoint and appends the extension .MEDUSA to the file name of the encrypted files. It excludes files contained in C:\Windows and C:\PerfLogs folders.
  • The ransomware prevents recovery by deleting the Volume Shadow Copy using the command below:
vssadmin Delete Shadows /all /quiet
  • It creates a ransom note !!!READ_ME_MEDUSA!!!.txt in every folder it scans.

Analyzed sample

Type     Value
SHA256   3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da
SHA1     6586b2155afa5d7cda5cd3f8a7af37c4fe126a1d
MD5      a6980e543efa40771ed1dcf84b29d732

Infrastructure

We use the following infrastructure to demonstrate the detection of Medusa ransomware with Wazuh:

  • A pre-built, ready-to-use Wazuh OVA 4.11.2, which includes the Wazuh central components (Wazuh server, Wazuh indexer, and Wazuh dashboard). Follow this guide to download and set up the Wazuh virtual machine.
  • A Windows 11 victim endpoint with the Wazuh agent 4.11.2 installed and enrolled to the Wazuh server.

Detection with Wazuh

Detection rules

We monitor system events on the Windows endpoint using Sysmon and create custom rules on the Wazuh server to detect the malicious behavior of Medusa ransomware.

Windows endpoint

Follow the steps below to configure Sysmon on the monitored endpoint and forward logs in the Sysmon event channel to the Wazuh server for analysis.

  1. Download the latest version of Sysmon from the Microsoft Sysinternals page.
  2. Extract the compressed Sysmon file to your preferred location. 
  3. Download the Sysmon configuration file using PowerShell as an administrator. Replace <SYSMON_EXECUTABLE_PATH> with the path to your Sysmon executable.
> wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml
  4. Switch to the folder containing the Sysmon executable. Run the command below to install and start Sysmon:
> .\Sysmon64.exe -accepteula -i sysmonconfig.xml
  5. Add the following configuration within the <ossec_config> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file to forward Sysmon events to the Wazuh server:
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

6. Restart the Wazuh agent to apply the changes:

> Restart-Service -Name wazuh

Wazuh server

In this section, we create rules to detect the activities of the Medusa ransomware on the monitored Windows endpoint.

  1. Create a file medusa_ransomware_rules.xml in the /var/ossec/etc/rules/ directory:
# touch /var/ossec/etc/rules/medusa_ransomware_rules.xml
  2. Add the following detection rules to the /var/ossec/etc/rules/medusa_ransomware_rules.xml file:
<group name="medusa,ransomware,">
<!--Detects system process termination -->
  <rule id="100012" level="2">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)taskkill \/F \/IM .*. \/T</field>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)[C-Z]:.*\\\\.*.exe</field>
    <description>System process terminated using $(win.eventdata.originalFileName). Suspicious activity detected.</description>
    <mitre>
      <id>T1490</id>
      <id>T1059.003</id>
    </mitre>
  </rule>

<!--Detects multiple system process termination -->
  <rule id="100013" level="12" frequency="10" timeframe="300">
    <if_matched_sid>100012</if_matched_sid>
    <description>Multiple system processes terminated using $(win.eventdata.originalFileName). Suspicious activity detected.</description>
    <mitre>
      <id>T1490</id>
      <id>T1059.003</id>
    </mitre>
  </rule>

<!--Detects system service termination -->
  <rule id="100014" level="2">
    <if_sid>92031</if_sid>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)[C-Z]:.*\\\\.*.exe</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)[C-Z]:.*\\\\.*.net.*. stop \\.*.\\" \/y</field>
    <description>System service terminated using $(win.eventdata.originalFileName). Suspicious activity detected.</description>
    <mitre>
      <id>T1490</id>
      <id>T1059.003</id>
    </mitre>
  </rule>

<!--Detects multiple system service termination -->
  <rule id="100015" level="12" frequency="60" timeframe="500" ignore="500">
    <if_matched_sid>100014</if_matched_sid>
    <description>Multiple system services terminated using $(win.eventdata.originalFileName). Suspicious activity detected.</description>
    <mitre>
      <id>T1490</id>
      <id>T1059.003</id>
    </mitre>
  </rule>

<!-- Ransom note file creation -->
  <rule id="100016" level="15" timeframe="200" frequency="2">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\\\\.*.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:.*.\\\\!!!READ_ME_MEDUSA!!!.txt</field>
    <description>Medusa ransom note $(win.eventdata.targetFilename) has been created in multiple directories. Possible Medusa ransomware detected.</description>
    <mitre>
      <id>T1486</id>
    </mitre>
  </rule>

  <rule id="100017" level="15" timeframe="300" frequency="2" ignore="100">
    <if_matched_sid>100015</if_matched_sid>
    <if_sid>100013</if_sid>
    <description>Possible Medusa ransomware detected.</description>
    <mitre>
      <id>T1486</id>
    </mitre>
  </rule>
</group>

Where:

  • Rule ID 100012 is triggered when a system process is terminated using the taskkill command.
  • Rule ID 100013 is triggered when multiple system processes are terminated using the taskkill command.
  • Rule ID 100014 is triggered when a system service is terminated using the net stop command.
  • Rule ID 100015 is triggered when multiple system services are terminated using the net stop command.
  • Rule ID 100016 is triggered when multiple !!!READ_ME_MEDUSA!!!.txt ransom notes are created.
  • Rule ID 100017 is triggered when rule IDs 100013 and 100015 are triggered within 300 seconds.
  3. Restart the Wazuh manager to apply the changes:
# systemctl restart wazuh-manager
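The threshold rules above (100013 and 100015) only fire when enough base matches arrive inside the timeframe. The following Python, added here and not part of the original post, is a simplified model of that frequency/timeframe/ignore behaviour, not the Wazuh engine itself: it uses plain-Python equivalents of the page's pcre2 patterns (XML escaping dropped, parentImage check omitted) and constructed Sysmon commandLine samples to show which bursts would raise the composite rules.

```python
import re
from collections import deque

# Plain-Python equivalents of the page's pcre2 patterns; the XML escaping of
# the originals is dropped and the parentImage check is left out.
TASKKILL_RE = re.compile(r"taskkill /F /IM .+ /T", re.IGNORECASE)
NETSTOP_RE = re.compile(r'net\S* stop ".+" /y', re.IGNORECASE)

# base rule -> (composite rule, frequency, timeframe s, ignore s), as set on
# the page for rules 100013 and 100015.
THRESHOLDS = {
    "100012": ("100013", 10, 300, 0),
    "100014": ("100015", 60, 500, 500),
}


def classify(command_line):
    """Map a Sysmon commandLine to the base rule it would trigger, if any."""
    if TASKKILL_RE.search(command_line):
        return "100012"
    if NETSTOP_RE.search(command_line):
        return "100014"
    return None


class Correlator:
    """Simplified model of Wazuh frequency/timeframe/ignore handling (not the engine)."""

    def __init__(self):
        self.history = {sid: deque() for sid in THRESHOLDS}  # match timestamps
        self.last_fired = {}                                 # composite -> ts

    def ingest(self, ts, command_line):
        """ts is a time in seconds; returns the rule ids raised by this event."""
        base = classify(command_line)
        if base is None:
            return []
        raised = [base]
        child, freq, window, ignore = THRESHOLDS[base]
        hist = self.history[base]
        hist.append(ts)
        while ts - hist[0] > window:       # expire matches outside the timeframe
            hist.popleft()
        suppressed = child in self.last_fired and ts - self.last_fired[child] < ignore
        if len(hist) >= freq and not suppressed:
            raised.append(child)
            self.last_fired[child] = ts
        return raised


def simulate(events):
    """events: iterable of (ts, commandLine); returns [(ts, composite rule id)]."""
    corr, alerts = Correlator(), []
    for ts, cmd in events:
        alerts += [(ts, r) for r in corr.ingest(ts, cmd) if r in ("100013", "100015")]
    return alerts


# Constructed samples (process and service names are made up): ten taskkill
# calls in nine seconds, a trickle that never reaches ten within 300 s, and
# 61 net stop calls in 61 seconds (the 61st is silenced by ignore="500").
BURST = [(t, f"taskkill /F /im proc{t}.exe /T") for t in range(10)]
TRICKLE = [(1000 + 301 * i, "taskkill /F /im slow.exe /T") for i in range(10)]
SERVICES = [(t, f'net stop "svc{t}" /y') for t in range(61)]
```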

Wazuh dashboard detection alerts

Follow the steps below to view the alerts generated on the Wazuh dashboard when the Medusa ransomware is executed on the Windows endpoint.

1. Navigate to Threat intelligence > Threat Hunting.

2. Click + Add filter. Then filter by rule.id.

3. In the Operator field, select is one of.

4. Search and select 100013, 100015, 100016, and 100017 in the Values field.

5. Click Save.

Removing malicious files with Wazuh integration

Ransomware renders infected endpoints unusable, making recovery difficult. Detecting and removing it before execution is a proactive approach that ensures the malicious file is removed before it can run on a monitored endpoint. We recommend enabling pre-execution protection using the Wazuh File Integrity Module (FIM) with VirusTotal or YARA integration. This approach matches the hash of downloaded files against threat intelligence databases and triggers a Wazuh Active Response script to remove malicious files before execution.

In this section, we illustrate how to detect and remove malicious files by leveraging Wazuh integration with YARA.

We configure the Wazuh FIM module to track file modification or addition in a specific directory. When a change is detected in the monitored directory, the Wazuh Active Response module initiates a YARA scan, which detects potentially malicious files based on predefined rules.

Windows endpoint

Perform the steps below to set up the monitored endpoint for this integration.

  1. Install the following prerequisites:

Note

Run PowerShell as an administrator

  2. Download YARA:
> Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.5.2/yara-v4.5.2-2326-win64.zip -OutFile v4.5.2-2326-win64.zip
  3. Extract the downloaded YARA file:
> Expand-Archive v4.5.2-2326-win64.zip
  4. Create a yara folder in the C:\Program Files (x86)\ossec-agent\active-response\bin\ folder and copy the YARA binary into it:
> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
> cp .\v4.5.2-2326-win64\yara64.exe 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\'
  5. To download the YARA rules, use the pip utility to install valhallaAPI. This API retrieves the public signature-based YARA ruleset:
> pip install valhallaAPI
  6. Create a file download_yara_rules.py, and paste the below script into it:
from valhallaAPI.valhalla import ValhallaAPI
v = ValhallaAPI(api_key="1111111111111111111111111111111111111111111111111111111111111111")
response = v.get_rules_text()
with open('yara_rules.yar', 'w') as fh:
    fh.write(response)
  7. Run the download_yara_rules.py script file to download YARA rules:
> python download_yara_rules.py
  8. Create a folder rules in the C:\Program Files (x86)\ossec-agent\active-response\bin\yara folder and copy the rules into it:
> mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
> cp yara_rules.yar 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
  9. Edit the downloaded YARA rule file C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar and add the following Medusa ransomware rule:
rule Medusa_ransomware {
   meta:
      description = "Medusa Ransomware"
      author = "Obinna Uchubilo"
      reference = "https://github.com/Neo23x0/yarGen"
      date = "2025-04-16"
      hash1 = "3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da"
   strings:
      $s1 = "api-ms-win-core-synch-l1-2-0.dll" fullword wide /* reversed goodware string 'lld.0-2-1l-hcnys-eroc-niw-sm-ipa' */
      $s2 = "powershell -executionpolicy bypass -File %s" fullword ascii
      $s3 = "powershell -Command \"& {%s}\"" fullword ascii
      $s4 = "cmd /c ping localhost -n 3 > nul & del %s" fullword ascii
      $s5 = "AppPolicyGetProcessTerminationMethod" fullword ascii
      $s6 = "preprocess" fullword ascii
      $s7 = "G:\\Medusa\\Release\\gaze.pdb" fullword ascii
      $s8 = "kill_processes %s" fullword ascii
      $s9 = "        <requestedExecutionLevel level='asInvoker' uiAccess='false' />" fullword ascii
      $s10 = "load_encryption_key:File open error" fullword ascii
      $s11 = "kill_services processes" fullword ascii
      $s12 = ":do not use preprocess" fullword ascii
      $s13 = "encrypt system" fullword ascii
      $s14 = "VVVQVP" fullword ascii /* reversed goodware string 'PVQVVV' */
      $s15 = ": option requires an argument -- " fullword ascii
      $s16 = "File is already encrypted." fullword ascii
      $s17 = ": illegal option -- " fullword ascii
      $s18 = "AppPolicyGetThreadInitializationType" fullword ascii
      $s19 = "encrypt %d %ls %ld" fullword wide
      $s20 = "KVK.xKKOCmOZOBAI}XM.clk@J^AG@ZoIK@Z.c}}" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 2000KB and
      8 of them
}
  10. Monitor the Downloads folder of all users in real-time by adding the below configuration within the <syscheck> block of the C:\Program Files (x86)\ossec-agent\ossec.conf file:
<directories realtime="yes">C:\Users\*\Downloads</directories>

Note

In this blog post, we only monitored the Downloads folder of all users. However, you can configure other folders you wish to monitor.

  11. Create a batch file yara.bat in the C:\Program Files (x86)\ossec-agent\active-response\bin\ folder and copy the below script into it. The Wazuh Active Response module runs this script to perform YARA scans for malware detection and removal:
:: This script deletes the Medusa ransomware executable as well as other malicious files matched by the YARA Rules

@echo off
setlocal enableDelayedExpansion
reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT
if %OS%==32BIT (
    SET log_file_path="%programfiles%\ossec-agent\active-response\active-responses.log"
)
if %OS%==64BIT (
    SET log_file_path="%programfiles(x86)%\ossec-agent\active-response\active-responses.log"
)
:: Read the alert JSON that the Wazuh agent passes on stdin.
set input=
for /f "delims=" %%a in ('PowerShell -command "$logInput = Read-Host; Write-Output $logInput"') do (
    set input=%%a
)
set json_file_path="C:\Program Files (x86)\ossec-agent\active-response\stdin.txt"
set syscheck_file_path=
echo %input% > %json_file_path%
:: Extract the path of the added or modified file from the FIM alert.
FOR /F "tokens=* USEBACKQ" %%F IN (`Powershell -Nop -C "(Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\stdin.txt'|ConvertFrom-Json).parameters.alert.syscheck.path"`) DO (
    SET syscheck_file_path=%%F
)
set yara_exe_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe"
set yara_rules_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar"
echo %syscheck_file_path% >> %log_file_path%
:: Each line YARA prints is a match ("<rule name> <file path>"); log it and delete the file.
for /f "delims=" %%a in ('powershell -command "& \"%yara_exe_path%\" \"%yara_rules_path%\" \"%syscheck_file_path%\""') do (
    echo wazuh-yara: INFO - Scan result: %%a >> %log_file_path%
    REM Delete the scanned file (REM, not ::, is safe inside a parenthesized block).
    del /f "%syscheck_file_path%" >nul 2>&1
    if exist "%syscheck_file_path%" (
        echo wazuh-yara: INFO - Error removing threat: %%a >> %log_file_path%
    ) else (
        echo wazuh-yara: INFO - Successfully deleted: %%a >> %log_file_path%
    )
)
exit /b
  12. Restart the Wazuh agent to apply the changes:
> Restart-Service -Name wazuh

Wazuh server

We configure rules, custom decoders, and active response to capture alerts related to the addition and removal of the ransomware sample.

  1. Add the custom rules below to the /var/ossec/etc/rules/local_rules.xml file. These rules trigger alerts when files are added or modified in the Downloads folder on the monitored endpoint.
<group name="syscheck,">
  <rule id="100211" level="7">
    <if_sid>550</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File modified in the Downloads folder.</description>
  </rule>

  <rule id="100212" level="7">
    <if_sid>554</if_sid>
    <field name="file" type="pcre2">(?i)C:\\Users.+Downloads</field>
    <description>File added to the Downloads folder.</description>
  </rule>
</group>

Where:

  • 100211 is triggered when a file is modified in the Downloads folder.
  • 100212 is triggered when a file is added to the Downloads folder.
  2. Add the following configuration within the <ossec_config> block of the /var/ossec/etc/ossec.conf file:
<command>
  <name>yara</name>
  <executable>yara.bat</executable>
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <command>yara</command>
  <location>local</location>
  <rules_id>100211,100212</rules_id>
</active-response>

The Wazuh Active Response module runs the yara.bat script when a file is added or modified in the Downloads folder.

Where:

  • <name> specifies that yara is the name of the command being called in the <active-response> block.
  • <executable> specifies that yara.bat is the executable file to run.
  • <command> specifies the command that the Active Response module will use.
  • The <active-response> block calls the <command> block when rule ID 100211 or 100212 is triggered.
  • <location> specifies where the Active Response script is executed.
  3. Add the following decoders to the /var/ossec/etc/decoders/local_decoder.xml file to decode the logs generated by the Active Response script:
<decoder name="yara_decoder">
    <prematch>wazuh-yara:</prematch>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Scan result: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>

<decoder name="yara_decoder1">
    <parent>yara_decoder</parent>
    <regex>wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+)</regex>
    <order>log_type, yara_rule, yara_scanned_file</order>
</decoder>
  4. Create custom rules in the /var/ossec/etc/rules/local_rules.xml file to generate alerts when response actions are taken:
<!--  Rule for the decoder (yara_decoder) -->
<group name="yara,">
  <rule id="100213" level="0">
    <decoded_as>yara_decoder</decoded_as>
    <description>Yara grouping rule</description>
  </rule>

<!--  YARA scan detects a positive match -->
  <rule id="100214" level="12">
    <if_sid>100213</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Scan result: </match>
    <description>File "$(yara_scanned_file)" is a ransomware. Yara rule: $(yara_rule)</description>
  </rule>

<!--  Wazuh successfully deletes malware with a positive match -->
  <rule id="100215" level="12">
    <if_sid>100213</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Successfully deleted: </match>
    <description>Successfully removed "$(yara_scanned_file)" by active response due to YARA rule $(yara_rule) positive match</description>
  </rule>

<!--  Wazuh encounters an error when deleting malware with a positive match -->
  <rule id="100216" level="12">
    <if_sid>100213</if_sid>
    <match type="pcre2">wazuh-yara: INFO - Error removing threat: </match>
    <description>Error removing "$(yara_scanned_file)". YARA rule: $(yara_rule)</description>
  </rule>
</group>

Where:

  • 100213 is the base rule for detecting YARA-related events.
  • 100214 is triggered when YARA scans and detects the Medusa executable.
  • 100215 is triggered when the executable has been successfully removed by the Wazuh Active Response module.
  • 100216 is triggered when the executable is not removed successfully by the Wazuh Active Response module.
  5. Restart the Wazuh manager for the changes to take effect:
# systemctl restart wazuh-manager
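The decoders and rules above can be checked offline before restarting the manager. The following Python, added here and not part of the original post, reproduces the three child-decoder regexes and the match strings of rules 100214 to 100216 over constructed active-responses.log lines in the format yara.bat writes (user and file names are made up).

```python
import re

# Python equivalents of the page's three child decoders; Wazuh's \S (non-space)
# behaves like Python's. Capture order: log_type, yara_rule, yara_scanned_file.
DECODERS = [
    re.compile(r"wazuh-yara: (\S+) - Scan result: (\S+) (\S+)"),
    re.compile(r"wazuh-yara: (\S+) - Successfully deleted: (\S+) (\S+)"),
    re.compile(r"wazuh-yara: (\S+) - Error removing threat: (\S+) (\S+)"),
]

# <match> string -> rule id, as defined on the page for rules 100214-100216.
RULES = [
    ("wazuh-yara: INFO - Scan result: ", "100214"),
    ("wazuh-yara: INFO - Successfully deleted: ", "100215"),
    ("wazuh-yara: INFO - Error removing threat: ", "100216"),
]

FIELDS = ("log_type", "yara_rule", "yara_scanned_file")


def decode(line):
    """Fields a yara_decoder child would extract from one log line, or None."""
    if "wazuh-yara:" not in line:          # parent decoder <prematch>
        return None
    for rx in DECODERS:
        m = rx.search(line)
        if m:
            return dict(zip(FIELDS, m.groups()))
    return dict.fromkeys(FIELDS)           # parent matched, no child did


def rule_id(line):
    """Rule 100213 groups every decoded line; children match on the prefix."""
    if "wazuh-yara:" not in line:
        return None
    for prefix, rid in RULES:
        if prefix in line:
            return rid
    return "100213"


def process(lines):
    """(rule id, decoded fields) for every line the yara_decoder accepts."""
    return [(rule_id(l), decode(l)) for l in lines if rule_id(l)]


# Constructed log lines: "<rule name> <path>" is what yara64.exe prints per match.
SAMPLE = [
    "wazuh-yara: INFO - Scan result: Medusa_ransomware C:\\Users\\alice\\Downloads\\sample.exe",
    "wazuh-yara: INFO - Successfully deleted: Medusa_ransomware C:\\Users\\alice\\Downloads\\sample.exe",
    "wazuh-yara: INFO - Error removing threat: Medusa_ransomware C:\\Users\\alice\\Downloads\\locked.exe",
    "unrelated line that the parent decoder ignores",
]
```

Because each capture is `\S+`, a scanned path containing a space is cut at that space in yara_scanned_file; check the decoded field against the full path if your monitored folders can contain such names.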

Visualizing the detection alerts

When the Medusa ransomware executable is added to the Downloads folder of the victim endpoint and removed by the Active Response module, alerts are generated on the Wazuh dashboard. 

To view these alerts:

  1. Navigate to Threat intelligence > Threat Hunting.
  2. Click + Add filter. Then filter by rule.id.
  3. In the Operator field, select is one of.
  4. Search and select rule IDs 100212, 100214, and 100215 in the Values field.
  5. Click Save.

Conclusion

This blog post shows how to detect Medusa ransomware on a Windows endpoint using Wazuh. We leverage the Wazuh data analysis engine to create rules to detect the malicious activities linked to the Medusa ransomware. Also, we demonstrate how to use the Wazuh FIM and Active Response capabilities with YARA integration to respond to threats. 

Wazuh is a free open source security platform providing a wide range of capabilities to monitor and safeguard your infrastructure against malicious activities. If you have any questions about this blog post or Wazuh, we invite you to join our Slack community, where our team is available to assist you.
