Ransomware attacks are no longer rare or limited to large corporations. Today, they’re everywhere—more common, more aggressive, and increasingly hard to detect. One of the most talked-about names lately is Medusa, a ransomware-as-a-service (RaaS) variant that first emerged in June 2021 and has already affected over 300 organizations worldwide.
This malware has struck critical sectors such as healthcare, education, legal, insurance, technology, and even manufacturing. How does it do it? In most cases, it enters through the usual weak spots: phishing emails and unpatched software vulnerabilities. And the worst part? No matter how secure you think your organization is, Medusa finds a way in. Since February 2025, it's come back stronger, and the number of attacks is rising.
It specifically targets Windows systems, encrypts files, demands enormous ransoms, and leaves chaos in its wake—operations come to a halt, financial losses mount, and reputations suffer.
In this article, we’ll show you how to detect this threat early using Wazuh—an open-source security platform that helps you monitor your infrastructure, trigger alerts, and respond quickly to suspicious activity.
Medusa doesn't arrive quietly. Once it gains access to a system—whether through a phishing email or by exploiting an unpatched vulnerability—it gets to work immediately.
The first thing it does is terminate processes and services that could interfere with its operation. It comes prepared with a list and executes commands like:
net stop "{service name}" /y
taskkill /F /im {process name} /T
These commands essentially tell the system: “Shut this down, get it out of my way.”
Next, it starts encrypting files on the compromised machine, appending its own file extension to make it clear who’s in control now. It’s “smart” about this too—it avoids encrypting certain system directories like C:\Windows, C:\PerfLogs, and others, so the machine doesn’t crash completely... at least not right away.
To make recovery nearly impossible, it deletes all shadow copies with the following command: vssadmin delete shadows /all /quiet. As a final touch, it drops a ransom note in every affected folder. The file is typically named: !!!READ_ME_MEDUSA!!!.txt.
In it, the attackers specify the ransom amount (usually in cryptocurrency) and outline what will happen if you don’t comply. Spoiler: it’s nothing good.
To test the detection of Medusa ransomware, Wazuh set up a practical and easily replicable lab environment. Here's what they used:
This setup allowed them to closely monitor what Medusa does once it gains access.
To detect Medusa in action, you need to know exactly what to look for. It's not enough to rely on a traditional antivirus or casually browse through logs—you need to pay close attention to the behavioral patterns that this ransomware leaves behind.
For this purpose, the Wazuh team set up a monitoring environment using a Windows machine and leveraged Sysmon, a powerful tool that provides deep visibility into system activity.
From the events generated by Sysmon, they created custom detection rules on the Wazuh server to identify suspicious behaviors, such as:
Sudden termination of processes
Unexpected shutdown of services
Unusual file modifications or renaming patterns
All of these are red flags that may indicate Medusa (or another ransomware) is actively compromising the system.
These custom rules form the backbone of Wazuh’s ability to detect ransomware attacks in real time, allowing security teams to respond quickly before damage spreads.
If you want to replicate Wazuh’s approach for detecting ransomware like Medusa, here’s a step-by-step guide to setting up Sysmon on a Windows machine and integrating it with the Wazuh agent:
Get Sysmon from the official Microsoft Sysinternals page.
Extract the ZIP file to your preferred folder.
Open PowerShell as Administrator and run the following command (replace the path with your actual Sysmon directory): wget -Uri https://wazuh.com/resources/blog/emulation-of-attack-techniques-and-detection-with-wazuh/sysmonconfig.xml -OutFile <SYSMON_EXECUTABLE_PATH>\sysmonconfig.xml
Navigate to the folder where you have Sysmon64.exe, then execute: .\Sysmon64.exe -accepteula -i sysmonconfig.xml
Edit the following file: C:\Program Files (x86)\ossec-agent\ossec.conf
Inside the <ossec_config> block, add:
<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>
To apply the changes, restart the agent with this PowerShell command: Restart-Service -Name wazuh
With this setup, Sysmon and Wazuh will now work together to monitor your Windows environment for suspicious behavior—giving you a powerful toolset to detect ransomware threats like Medusa before they cause serious damage.
To effectively detect Medusa, it’s also essential to prepare the Wazuh server with custom detection rules that identify the typical behaviors of this ransomware on Windows systems.
Step 1: Create the Rule File: On your Wazuh server, create a new XML rule file at the following location: /var/ossec/etc/rules/medusa_ransomware_rules.xml
Step 2: Add Custom Detection Rules:
<group name="medusa,ransomware,">
  <!-- Detects system process termination -->
  <rule id="100012" level="2">
    <if_sid>61603</if_sid>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)taskkill \/F \/IM .*. \/T</field>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)[C-Z]:.*\\\\.*.exe</field>
    <description>System process terminated using $(win.eventdata.originalFileName). Suspicious activity detected.</description>
    <mitre>
      <id>T1490</id>
      <id>T1059.003</id>
    </mitre>
  </rule>

  <!-- Detects multiple system process terminations -->
  <rule id="100013" level="12" frequency="10" timeframe="300">
    <if_matched_sid>100012</if_matched_sid>
    <description>Multiple system processes terminated using $(win.eventdata.originalFileName). Suspicious activity detected.</description>
    <mitre>
      <id>T1490</id>
      <id>T1059.003</id>
    </mitre>
  </rule>

  <!-- Detects system service termination -->
  <rule id="100014" level="2">
    <if_sid>92031</if_sid>
    <field name="win.eventdata.parentImage" type="pcre2">(?i)[C-Z]:.*\\\\.*.exe</field>
    <field name="win.eventdata.commandLine" type="pcre2">(?i)[C-Z]:.*\\\\.*.net.*. stop \\.*.\\" \/y</field>
    <description>System service terminated using $(win.eventdata.originalFileName). Suspicious activity detected.</description>
    <mitre>
      <id>T1490</id>
      <id>T1059.003</id>
    </mitre>
  </rule>

  <!-- Detects multiple system service terminations -->
  <rule id="100015" level="12" frequency="60" timeframe="500" ignore="500">
    <if_matched_sid>100014</if_matched_sid>
    <description>Multiple system services terminated using $(win.eventdata.originalFileName). Suspicious activity detected.</description>
    <mitre>
      <id>T1490</id>
      <id>T1059.003</id>
    </mitre>
  </rule>

  <!-- Ransom note file creation -->
  <rule id="100016" level="15" timeframe="200" frequency="2">
    <if_sid>61613</if_sid>
    <field name="win.eventdata.image" type="pcre2">(?i)[C-Z]:.*\\\\.*.exe</field>
    <field name="win.eventdata.targetFilename" type="pcre2">(?i)[C-Z]:.*.\\\\!!!READ_ME_MEDUSA!!!.txt</field>
    <description>Medusa ransom note $(win.eventdata.targetFilename) has been created in multiple directories. Possible Medusa ransomware detected.</description>
    <mitre>
      <id>T1486</id>
    </mitre>
  </rule>

  <!-- Correlates process and service termination alerts -->
  <rule id="100017" level="15" timeframe="300" frequency="2" ignore="100">
    <if_matched_sid>100015</if_matched_sid>
    <if_sid>100013</if_sid>
    <description>Possible Medusa ransomware detected.</description>
    <mitre>
      <id>T1486</id>
    </mitre>
  </rule>
</group>
Each rule plays a specific role in identifying suspicious behaviors commonly associated with Medusa ransomware attacks. Here's a breakdown:
Rules 100012 and 100013 detect a system process being terminated with taskkill, first once (level 2) and then ten times within 300 seconds (level 12). This can indicate attempts to disable security tools or essential services.
Rules 100014 and 100015 detect the use of net stop to shut down a system service, again first once and then repeatedly within a short timeframe. This is a common technique used by ransomware to disable protection layers or backups.
Rule 100016 detects the creation of the file !!!READ_ME_MEDUSA!!!.txt in more than one directory. This is a distinctive signature of the Medusa ransomware.
Rule 100017 correlates the process-termination and service-termination alerts (100013 and 100015) into a single level-15 alert for a possible Medusa infection.
These rules work together to rapidly identify infection patterns. If multiple rules are triggered within seconds, it's a strong indicator that something serious (like a ransomware attack) is underway.
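To see how the rule chain above behaves on actual events, here is an added example (not code from the original article or from Wazuh) that re-implements the base matches and the frequency windows in Python and replays a constructed sequence of Sysmon-style events through them. The regular expressions are copied verbatim from the rule file; the event layout, the timestamps, the service and process names, the image path C:\\Temp\\sample.exe and the sliding-window bookkeeping are all assumptions made for the demonstration, and the 'ignore' suppression and the exact if_matched_sid/if_sid semantics of rule 100017 are simplified as noted in the comments.

```python
import re
from collections import defaultdict, deque

# Patterns copied verbatim from the rule file above. They are written for pcre2, but this
# subset is also valid for Python's re module. Wazuh keeps Windows paths in win.eventdata
# with doubled backslashes (C:\\Windows\\...), which is why the rules match on "\\\\".
TASKKILL_CMD = re.compile(r'(?i)taskkill \/F \/IM .*. \/T')
NET_STOP_CMD = re.compile(r'(?i)[C-Z]:.*\\\\.*.net.*. stop \\.*.\\" \/y')
EXE_IMAGE = re.compile(r'(?i)[C-Z]:.*\\\\.*.exe')
RANSOM_NOTE = re.compile(r'(?i)[C-Z]:.*.\\\\!!!READ_ME_MEDUSA!!!.txt')


def make_event(event_id, **eventdata):
    """Constructed stand-in for a decoded Sysmon event (win.system / win.eventdata)."""
    return {"win": {"system": {"eventID": event_id}, "eventdata": eventdata}}


def base_match(event):
    """Return the base behaviour an event shows, or None.
    Sysmon event 1 is process creation and event 11 is file creation."""
    sysmon_id = event["win"]["system"]["eventID"]
    d = event["win"]["eventdata"]
    if sysmon_id == "1":
        parent_ok = EXE_IMAGE.search(d.get("parentImage", ""))
        if parent_ok and TASKKILL_CMD.search(d.get("commandLine", "")):
            return "taskkill"        # what rule 100012 matches
        if parent_ok and NET_STOP_CMD.search(d.get("commandLine", "")):
            return "net_stop"        # what rule 100014 matches
    elif sysmon_id == "11":
        if EXE_IMAGE.search(d.get("image", "")) and RANSOM_NOTE.search(d.get("targetFilename", "")):
            return "ransom_note"     # the per-event match behind rule 100016
    return None


class MedusaDetector:
    """Sliding-window version of the frequency rules. Simplifications (assumptions, not
    Wazuh's exact engine): the 'ignore' suppression is not modelled, and 100017 fires
    when a 100013 alert arrives within 300 s after 100015 fired."""

    FREQ = {  # alert id: (base behaviour, required count, timeframe in seconds)
        100013: ("taskkill", 10, 300),
        100015: ("net_stop", 60, 500),
        100016: ("ransom_note", 2, 200),
    }

    def __init__(self):
        self.windows = defaultdict(deque)   # base behaviour -> timestamps seen
        self.last_fired = {}                # alert id -> timestamp of last alert

    def ingest(self, ts, event):
        """Feed one event with its timestamp (seconds); return the alert ids raised."""
        base = base_match(event)
        if base is None:
            return []
        raised = []
        for alert_id, (needed, count, timeframe) in self.FREQ.items():
            if needed != base:
                continue
            window = self.windows[base]
            window.append(ts)
            while ts - window[0] > timeframe:   # drop events outside the timeframe
                window.popleft()
            if len(window) >= count:
                raised.append(alert_id)
                self.last_fired[alert_id] = ts
                window.clear()                   # the next alert needs a fresh burst
        if 100013 in raised and ts - self.last_fired.get(100015, float("-inf")) <= 300:
            raised.append(100017)
            self.last_fired[100017] = ts
        return raised


def simulate():
    """Replay a constructed Medusa-like sequence and return the alerts in order."""
    det = MedusaDetector()
    parent = r"C:\\Windows\\System32\\cmd.exe"   # constructed parent image
    raised, t = [], 0
    for i in range(60):                          # 60 services stopped, one per second
        cmd = rf'C:\\Windows\\System32\\net.exe stop \"svc{i}\" /y'
        raised += det.ingest(t, make_event("1", parentImage=parent, commandLine=cmd))
        t += 1
    for i in range(10):                          # then 10 processes force-killed
        cmd = f"taskkill /F /IM svc{i}.exe /T"
        raised += det.ingest(t, make_event("1", parentImage=parent, commandLine=cmd))
        t += 1
    for folder in (r"C:\\Users\\alice\\Documents", r"C:\\Users\\alice\\Pictures"):
        note = folder + r"\\!!!READ_ME_MEDUSA!!!.txt"   # ransom note in two directories
        raised += det.ingest(t, make_event("11", image=r"C:\\Temp\\sample.exe", targetFilename=note))
        t += 1
    return raised


if __name__ == "__main__":
    print(simulate())   # [100015, 100013, 100017, 100016]
```

Single events only produce the level-2 base matches; the replay shows that the high-severity alerts appear only once the bursts cross the frequency thresholds, which is what keeps an administrator's occasional taskkill or net stop from paging anyone.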
Once you've finished editing and saving the rule file, all that’s left is to restart the Wazuh manager so it loads the new custom rules: sudo systemctl restart wazuh-manager
And that’s it—your server is now ready to detect Medusa’s behavior from the moment it attempts to move within your network.
Once your custom rules are active and the environment is set up, it’s time to see how Wazuh detects a Medusa attack in real time. To review the alerts in the Wazuh dashboard, follow these simple steps:
Log in to the Wazuh dashboard.
Navigate to Threat Intelligence > Threat Hunting.
Click on + Add filter.
In the field labeled rule.id, choose the operator is one of.
In the value field, enter or select the following rule IDs: 100013, 100015, 100016, 100017
These are the rules that detect:
Multiple processes being terminated (100013)
Multiple services being stopped (100015)
Ransom notes being created (100016)
Combined suspicious behaviors (100017)
Click Save to apply the filter.
Once saved, the dashboard will display all alerts triggered by these rules.
If alerts begin to appear, it means your detection rules are working correctly and the system is actively identifying suspicious Medusa-related activity.
When ransomware manages to execute, it’s usually too late—the damage is done, files are encrypted, and system recovery becomes a nightmare. That’s why the goal is to detect and eliminate malicious files before they can run. Sounds ideal, right? Well, Wazuh makes this possible through a powerful preventive approach.
To prevent execution of malicious files, Wazuh recommends enabling pre-execution protection by combining its File Integrity Monitoring (FIM) module with tools like VirusTotal or YARA.
Here’s how it works:
Whenever a new file is created or downloaded, Wazuh calculates its hash.
It then checks this hash against known malware signatures in threat intelligence databases.
If a match or suspicious pattern is found, Wazuh triggers an automated response to delete the file—before it can be executed.
In this part of the lab, Wazuh configured its FIM module to monitor a specific directory. Every time a file is created or modified in that folder, the following happens:
FIM triggers a YARA scan of the file.
YARA evaluates the file using predefined detection rules designed to catch ransomware signatures.
If the file matches a known malicious pattern, Wazuh executes an Active Response script that automatically deletes the file.
This setup ensures that suspicious files are neutralized before they can initiate any encryption or spread across the network—cutting off Medusa (or any malware) before it even gets started.
In order for Wazuh to use YARA to detect malicious files on a Windows system, the endpoint needs to be properly set up. Here’s a detailed step-by-step guide to get everything ready:
Before starting, make sure you have the following installed:
Python 3.12.2 or later. It comes with pip by default.
During installation, be sure to check the box that says “Add python.exe to PATH”; this is essential to run scripts from any location.
Microsoft Visual C++ 2015 Redistributable
Required for certain components to function properly.
Tip: Run all the following commands from PowerShell as Administrator to avoid permission issues.
Download the latest YARA release using PowerShell: Invoke-WebRequest -Uri https://github.com/VirusTotal/yara/releases/download/v4.5.2/yara-v4.5.2-2326-win64.zip -OutFile yara.zip
Extract the contents of the ZIP archive: Expand-Archive yara.zip
Once these steps are completed, the YARA engine will be in place and ready to be triggered by Wazuh’s Active Response module whenever suspicious file activity is detected.
Now it’s time to download the actual YARA rules. To do this, you’ll use a small Python utility.
Use pip to install the Valhalla API client: pip install valhallaAPI
Create a file named download_yara_rules.py and paste the following code into it:
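The script itself did not survive in this copy of the article, so what follows is an added example of what download_yara_rules.py can contain; it is not the article's or Wazuh's own code. It assumes the valhallaAPI package installed in the previous step exposes the ValhallaAPI class with a get_rules_text() method, and that the all-ones key is the public demo key documented by that client (both assumptions; replace the key with your own subscription key). The output file name yara_rules.yar is the one the later steps refer to.

```python
"""download_yara_rules.py: fetch YARA rules from Valhalla into yara_rules.yar."""
import re

# Assumption: the public demo key from the valhallaAPI documentation. Replace it with
# your own key to receive the full rule set.
DEMO_API_KEY = "1" * 64
OUTPUT_FILE = "yara_rules.yar"   # file name the following steps expect

# Matches the header of every rule definition, including private/global rules.
RULE_HEADER = re.compile(r"^\s*(?:private\s+|global\s+)*rule\s+([A-Za-z0-9_]+)", re.MULTILINE)


def count_rules(rules_text: str) -> int:
    """Count rule definitions so an empty or truncated download is noticed."""
    return len(RULE_HEADER.findall(rules_text))


def fetch_rules(api_key: str = DEMO_API_KEY) -> str:
    """Download the rule set as one text blob (assumed valhallaAPI client API)."""
    from valhallaAPI.valhalla import ValhallaAPI   # imported here so the module loads without the client
    return ValhallaAPI(api_key=api_key).get_rules_text()


def save_rules(rules_text: str, path: str = OUTPUT_FILE) -> int:
    """Write the rules to disk and return how many were written; refuse an empty set."""
    count = count_rules(rules_text)
    if count == 0:
        raise RuntimeError("downloaded rule set contains no rules; check the API key")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(rules_text)
    return count


if __name__ == "__main__":
    print(f"wrote {save_rules(fetch_rules())} rules to {OUTPUT_FILE}")
```

Run it with python download_yara_rules.py from the folder where you want yara_rules.yar to land; the rule count it prints is a quick sanity check that the download actually contained rules before you move the file into the Wazuh agent's directory.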
Once the rules file is ready, move it to the correct location so Wazuh can access and use it.
Create the rules directory: mkdir 'C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\'
You already have your basic rules in place, but now let’s take a very useful step: adding a specific rule to detect Medusa ransomware. All you need to do is edit the YARA rule file you downloaded earlier. That file is located at: C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar
Open the file using your preferred text editor (it can be Notepad++, Visual Studio Code, or even the standard Notepad if you don't have another option), and paste the following rule at the end of the file.
rule Medusa_ransomware {
    meta:
        description = "Medusa Ransomware"
        author = "Obinna Uchubilo"
        reference = "https://github.com/Neo23x0/yarGen"
        date = "2025-04-16"
        hash1 = "3a6d5694eec724726efa3327a50fad3efdc623c08d647b51e51cd578bddda3da"
    strings:
        $s1 = "api-ms-win-core-synch-l1-2-0.dll" wide
        $s2 = "powershell -executionpolicy bypass -File %s" ascii
        $s3 = "powershell -Command \"& {%s}\"" ascii
        $s4 = "cmd /c ping localhost -n 3 > nul & del %s" ascii
        $s5 = "AppPolicyGetProcessTerminationMethod" ascii
        $s6 = "preprocessing" ascii
        $s7 = "G:\\Medusa\\Release\\gaze.pdb" ascii
        $s8 = "kill_processes %s" ascii
        $s9 = "<requestedExecutionLevel level='asInvoker' uiAccess='false' />" ascii
        $s10 = "load_encryption_key: File open error" ascii
        $s11 = "kill_services processes" ascii
        $s12 = ":d or do not use preprocessing" ascii
        $s13 = "Encryption system" ascii
        $s14 = "VVVQVP" ascii
        $s15 = ": option requires an argument -- " ascii
        $s16 = "File is already encrypted." ascii
        $s17 = ": illegal option -- " ascii
        $s18 = "AppPolicyGetThreadInitializationType" ascii
        $s19 = "encrypt %d %ls %ld" ascii
        $s20 = "KVK.xKKOCmOZOBAI}XM.clk@J^AG@ZoIK@Z.c}}" ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 2000KB and
        8 of them
}
This rule looks for very specific indicators of Medusa: from PowerShell commands to error messages and file names. As soon as a file matches at least 8 of those strings, the alert is triggered!
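To make the condition concrete, here is an added example (not part of the original article and not YARA itself) that evaluates the rule's condition in plain Python: the uint16(0) == 0x5a4d check is the little-endian "MZ" header of a Windows executable, filesize < 2000KB uses YARA's 1024-byte KB, and "8 of them" is a count of distinct strings found, with "wide" strings searched as UTF-16LE. The strings are copied from the rule above; the build_sample helper and the buffers it produces are constructed test data.

```python
# Strings copied from the Medusa_ransomware rule above, with their modifiers. In YARA,
# "ascii" strings are matched as raw bytes and "wide" strings as UTF-16LE.
MEDUSA_STRINGS = {
    "$s1": ("api-ms-win-core-synch-l1-2-0.dll", "wide"),
    "$s2": ("powershell -executionpolicy bypass -File %s", "ascii"),
    "$s3": ('powershell -Command "& {%s}"', "ascii"),
    "$s4": ("cmd /c ping localhost -n 3 > nul & del %s", "ascii"),
    "$s5": ("AppPolicyGetProcessTerminationMethod", "ascii"),
    "$s6": ("preprocessing", "ascii"),
    "$s7": ("G:\\Medusa\\Release\\gaze.pdb", "ascii"),
    "$s8": ("kill_processes %s", "ascii"),
    "$s9": ("<requestedExecutionLevel level='asInvoker' uiAccess='false' />", "ascii"),
    "$s10": ("load_encryption_key: File open error", "ascii"),
    "$s11": ("kill_services processes", "ascii"),
    "$s12": (":d or do not use preprocessing", "ascii"),
    "$s13": ("Encryption system", "ascii"),
    "$s14": ("VVVQVP", "ascii"),
    "$s15": (": option requires an argument -- ", "ascii"),
    "$s16": ("File is already encrypted.", "ascii"),
    "$s17": (": illegal option -- ", "ascii"),
    "$s18": ("AppPolicyGetThreadInitializationType", "ascii"),
    "$s19": ("encrypt %d %ls %ld", "ascii"),
    "$s20": ("KVK.xKKOCmOZOBAI}XM.clk@J^AG@ZoIK@Z.c}}", "ascii"),
}
MAX_SIZE = 2000 * 1024   # YARA's "2000KB" (KB = 1024 bytes)
REQUIRED = 8             # "8 of them"


def encode(text: str, kind: str) -> bytes:
    """Turn a rule string into the byte pattern YARA searches for."""
    return text.encode("utf-16-le") if kind == "wide" else text.encode("ascii")


def evaluate_medusa_rule(data: bytes) -> dict:
    """Apply the rule's condition to a buffer and report the verdict and the strings found."""
    is_pe = len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D   # bytes "MZ"
    size_ok = len(data) < MAX_SIZE
    found = [name for name, (text, kind) in MEDUSA_STRINGS.items() if encode(text, kind) in data]
    return {
        "match": is_pe and size_ok and len(found) >= REQUIRED,
        "is_pe": is_pe,
        "size_ok": size_ok,
        "found": found,
    }


def build_sample(n_strings: int, pe: bool = True, pad: int = 0) -> bytes:
    """Constructed test buffer: a two-byte header, filler, then the first n rule strings."""
    buf = bytearray(b"MZ" if pe else b"PK") + b"\x00" * 62
    for text, kind in list(MEDUSA_STRINGS.values())[:n_strings]:
        buf += encode(text, kind) + b"\x00"
    return bytes(buf + b"\x00" * pad)


if __name__ == "__main__":
    for label, sample in (("8 strings", build_sample(8)), ("7 strings", build_sample(7)),
                          ("not a PE", build_sample(8, pe=False)), ("too large", build_sample(8, pad=MAX_SIZE))):
        verdict = evaluate_medusa_rule(sample)
        print(f"{label}: match={verdict['match']} found={len(verdict['found'])}")
```

The four constructed cases show each clause doing its job: the same eight strings fire only when the buffer also starts with MZ and stays under the size limit, so a text dump of the strings or a large archive containing them does not trigger the rule.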
One of the most common locations where suspicious files end up is the Downloads folder, so it's a good idea to keep it under close watch. To do this, you need to update the Wazuh agent configuration on your Windows endpoint.
In the agent's ossec.conf, inside the <syscheck> block, add the following line: <directories realtime="yes">C:\Users\*\Downloads</directories>
This tells the Wazuh agent to monitor the Downloads folder for every user in real time. It will automatically scan for any new or modified files, allowing Wazuh to detect (and ideally eliminate) files related to Medusa ransomware before they get a chance to run.
Once your YARA rules are ready, it’s time to put them to work. To do this, we'll create a batch script that scans suspicious files and deletes them if they match any malware rule—including the one for Medusa ransomware. This script will be executed automatically through Wazuh’s Active Response module.
Save the following content in a file named yara.bat inside this directory: C:\Program Files (x86)\ossec-agent\active-response\bin\
And here is the content of the script, explained in a simple way:
:: This script scans files with YARA and removes malicious-looking files (like Medusa)
@echo off
setlocal enableDelayedExpansion

:: Detect if the system is 32 or 64 bits
reg query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && SET OS=32BIT || SET OS=64BIT

:: Define the path to the Active Response log file
if %OS%==32BIT (
    SET log_file_path="%ProgramFiles%\ossec-agent\active-response\active-responses.log"
)
if %OS%==64BIT (
    SET log_file_path="%ProgramFiles(x86)%\ossec-agent\active-response\active-responses.log"
)

:: Read the JSON alert that the Wazuh agent passes to the script on standard input
set input=
for /f "delims=" %%a in ('PowerShell -command "$logInput = Read-Host; Write-Output $logInput"') do (
    set input=%%a
)
set json_file_path="C:\Program Files (x86)\ossec-agent\active-response\stdin.txt"
echo %input% > %json_file_path%

:: Extract the exact path of the file detected by the FIM module
FOR /F "tokens=* USEBACKQ" %%F IN (`Powershell -Nop -C "(Get-Content 'C:\Program Files (x86)\ossec-agent\active-response\stdin.txt' | ConvertFrom-Json).parameters.alert.syscheck.path"`) DO (
    SET syscheck_file_path=%%F
)

:: Path to the YARA executable and rules file
set yara_exe_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\yara64.exe"
set yara_rules_path="C:\Program Files (x86)\ossec-agent\active-response\bin\yara\rules\yara_rules.yar"
echo %syscheck_file_path% >> %log_file_path%

:: Scan the file; YARA prints one line per matching rule, and any match triggers deletion
for /f "delims=" %%a in ('powershell -command "& \"%yara_exe_path%\" \"%yara_rules_path%\" \"%syscheck_file_path%\""') do (
    echo wazuh-yara: INFO - Scan result: %%a >> %log_file_path%
    REM Delete the file (REM rather than :: inside a parenthesized block)
    del /f "%syscheck_file_path%" >nul 2>&1
    if exist "%syscheck_file_path%" (
        echo wazuh-yara: INFO - Failed to remove threat: %%a >> %log_file_path%
    ) else (
        echo wazuh-yara: INFO - Successfully eliminated %%a >> %log_file_path%
    )
)

exit /b
After saving the script, restart the agent so that Wazuh can use it when it detects a suspicious file: Restart-Service -Name wazuh
Done! You now have an automated response that scans files with YARA and deletes any files that match dangerous patterns, such as those used by the Medusa ransomware.
In this article we saw step by step how to detect Medusa ransomware on a Windows computer using Wazuh. We leveraged the full power of Wazuh's analysis engine to create specific rules that help identify the typical behavior of this type of malware. We also explored how to use the FIM and Active Response module together with YARA to not only detect threats, but also act in real time and remove them before they cause damage.
Wazuh is an open-source and completely free security platform that gives you many tools to protect your infrastructure against modern threats. From monitoring and detection to automated responses, all in one place. If you want to learn more about how Wazuh can help you protect against malware, ransomware and other cyber-attacks, feel free to contact us. We can help you implement customized solutions, resolve questions or even explore specific use cases based on your environment.