# Severing Medusa's Head: The Definitive Analysis of the Ransomware Group That Named Itself After a Monster

  • Writer: Patrick Duggan
  • Mar 7
  • 6 min read


In Greek mythology, Perseus didn't fight Medusa by looking at her directly. He used a mirrored shield — Athena's gift — to see her reflection. Then he cut her head off and used it as a weapon.


We built the mirror. Now we're handing out the severed heads.




What Medusa Is



Medusa is a ransomware-as-a-service (RaaS) operation first identified in June 2021. It started as a closed variant — one crew, one codebase, one operation. By 2023, it had evolved into an affiliate model: developers build the tools, affiliates conduct the attacks, everyone splits the ransom.


As of March 2026, Medusa has claimed more than 500 victims across critical infrastructure. Over 300 confirmed by the FBI. Average ransom demand: $260,000. Healthcare, education, legal, insurance, manufacturing — they don't discriminate.


The FBI, CISA, and MS-ISAC issued joint advisory AA25-071A on March 12, 2025. A year later, the snake is still biting.


What Changed in 2026: Lazarus Enters the Chat



In February 2026, Symantec and Carbon Black published a joint investigation that changed the threat model. The North Korean state-sponsored Lazarus Group — also known as Diamond Sleet, Pompilus, and about fifteen other names depending on which vendor is trying to sell you something — deployed Medusa ransomware against an organization in the Middle East. They also attempted an attack on a U.S. healthcare organization.


Read that again. A nation-state APT is using a criminal ransomware-as-a-service platform.


This is the convergence point the industry has been warning about for five years while doing nothing about it. Nation-state capability. Criminal infrastructure. Plausible deniability baked into the affiliate model. Attribution gets hard when a state actor hides inside an ecosystem built to blend multiple actor sets behind one toolset and one leak site.


Symantec's assessment: DPRK-linked activity is shifting away from bespoke ransomware like Maui toward established RaaS ecosystems. They're not building their own anymore. They're buying seats at the table.


The implication: every Medusa affiliate attack now carries the question — was this a criminal, or was this Pyongyang funding its missile program through your hospital's encrypted patient records?


The Kill Chain



Medusa's attack chain is textbook — which is what makes it preventable. They're not using zero-days. They're using your negligence.


Initial Access



Two vectors. Both embarrassing.


**Phishing (T1566):** Medusa developers recruit initial access brokers (IABs) on cybercriminal forums and marketplaces. These brokers specialize in stealing credentials through phishing campaigns and sell the resulting access; the CISA advisory puts the payments on offer at $100 to $1 million, with the option to work exclusively for Medusa.


**Unpatched Vulnerabilities (T1190):** The two CVEs they love most:

- **CVE-2024-1709** — ConnectWise ScreenConnect authentication bypass (affects 23.9.7 and earlier; fixed in 23.9.8). ConnectWise patched this in February 2024. If you still haven't patched it, Medusa thanks you.

- **CVE-2023-48788** — Fortinet FortiClient EMS SQL injection (affects 7.2.0 through 7.2.2 and 7.0.1 through 7.0.10; fixed in 7.2.3 and 7.0.11). Fortinet patched this in March 2024. If your FortiClient EMS is still exposed, you deserve what's coming. (You don't, actually. Your patients don't. Patch your systems, and get the EMS management interface off the internet while you're at it.)


Lateral Movement



Once inside, Medusa moves laterally using tools that are already on your network:

- **RDP (T1021.001)** — Remote Desktop Protocol. The gift that keeps on giving.

- **PsExec (T1569.002)** — Sysinternals. Microsoft's own tool, weaponized.

- **WMI (T1047)** — Windows Management Instrumentation.

- **PowerShell (T1059.001)** — The Swiss Army knife of living off the land.


They also use Advanced IP Scanner and SoftPerfect Network Scanner for enumeration. Legitimate tools. Your EDR probably whitelisted them, which is why detection has to key on who is running them and from which host, not on the binary alone.


Deployment



The encryptor — `gaze.exe` — is deployed across networks via PsExec, PDQ Deploy, or BigFix. Encrypted files get the `.medusa` extension. Then you get the note.


The Note






They open with ASCII art. They tell you they've penetrated your network, copied your data, encrypted your files. They threaten to post your data on their leak site, send emails to your customers, blast it across Telegram, Facebook, and Twitter.


They give you three days before they post to their blog. Five days before they go full public.


The ransom note filename: `!!!READ_ME_MEDUSA!!!.txt`


Subtle.


The Infrastructure — Severed Heads



Here's what you block. Today. Right now.


Command & Control



| Type | Indicator | Context |
|------|-----------|---------|
| Tor Blog | `medusaxko7jxtrojdkxo66j7ck4q5tgktf7uqsqyfry4ebnxlcbkccyd.onion` | Leak site / shame blog |
| Tor Chat | `medusakxxtp3uo7vusntvubnytaph4d3amxivbggl3hnhpk2nmus34yd.onion` | Victim negotiation portal |
| Email | `[email protected]` | Alternate contact |
| Tox ID | `4AE245548F2A225882951FB14E9BF87EE01A0C10AE159B99D1EA62620D91A372205227254A9F` | Secure chat fallback |
| C2 IP | `134.122.13.34` | Identified C2 server |
| C2 Domain | `avg.domaininfo.top` | Post-exploitation / BeyondTrust abuse |


File Indicators



| Type | Indicator | Context |
|------|-----------|---------|
| Encryptor | `gaze.exe` | Medusa payload binary |
| Extension | `.medusa` | Encrypted file extension |
| Ransom Note | `!!!READ_ME_MEDUSA!!!.txt` | Primary ransom note |
| Ransom Note | `!!!READ_ME_MEDUSA!!!_2.txt` | Secondary variant |
| SHA1 | `28df16894a6732919c650cc5a3de94e434a81d80` | Known payload hash |
| Registry | `SOFTWARE\Medusa` | Persistence mechanism |


Sigma Detection






Hunt for `vssadmin delete shadows`, `bcdedit /set {default} recoveryenabled No`, and `wbadmin delete systemstatebackup` in your endpoint process-creation telemetry (Sysmon Event ID 1, or Security 4688 with command-line logging turned on). These are the shadow copy and recovery deletion commands that precede encryption. If you see them, you're already in the blast radius: the gap between these commands and file encryption is typically short, so alert on them at high severity rather than batching them into a daily hunt. Expect some noise from backup products and administrators that legitimately run `vssadmin`, and tune on the parent process and the account rather than suppressing the rule.
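The hunt above, written out as an added Python example (not code from the original post, the author's product, or the CISA advisory) and run over constructed Sysmon-style process-creation events; it also covers the PsExec and scanner executables from the Lateral Movement section, so one detector serves both passages. The event field names, the sample events, and the two extra shadow-copy patterns (`vssadmin resize shadowstorage`, `wmic shadowcopy delete`) are this example's assumptions, not indicators taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample events in a Sysmon Event ID 1 / Security 4688 shape.
# These are not real telemetry; field names are this example's own choice.
SAMPLE_EVENTS = [
    {"id": 1, "host": "FS01", "user": "CORP\\svc-backup",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin  Delete Shadows /All /Quiet"},
    {"id": 2, "host": "FS01", "user": "CORP\\svc-backup",
     "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "\"C:\\Windows\\System32\\bcdedit.exe\" /set {default} recoveryenabled No"},
    {"id": 3, "host": "FS01", "user": "CORP\\svc-backup",
     "image": "C:\\Windows\\System32\\wbadmin.exe",
     "cmdline": "wbadmin delete systemstatebackup -keepVersions:0 -quiet"},
    {"id": 4, "host": "WS22", "user": "CORP\\jdoe",
     "image": "C:\\Tools\\PsExec64.exe",
     "cmdline": "PsExec64.exe \\\\FS01 -s -d cmd /c C:\\Temp\\gaze.exe"},
    {"id": 5, "host": "WS22", "user": "CORP\\jdoe",
     "image": "C:\\Users\\jdoe\\Downloads\\netscan.exe",
     "cmdline": "netscan.exe /range:10.0.0.1-10.0.0.254"},
    {"id": 6, "host": "WS22", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},          # benign: lists, does not delete
    {"id": 7, "host": "FS01", "user": "CORP\\svc-backup",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
]

# Command-line rules: the three commands named on the page plus two
# equivalents assumed here (not taken from the page): purging copies by
# resizing shadow storage, and WMIC shadowcopy deletion.
CMDLINE_RULES = {
    "shadow_copy_deletion": [
        r"\bvssadmin(\.exe)? delete shadows",
        r"\bvssadmin(\.exe)? resize shadowstorage",
        r"\bwmic(\.exe)? shadowcopy delete",
    ],
    "recovery_disabled": [
        r"\bbcdedit(\.exe)? /set \{default\} recoveryenabled no",
        r"\bbcdedit(\.exe)? /set \{default\} bootstatuspolicy ignoreallfailures",
    ],
    "backup_catalog_deletion": [
        r"\bwbadmin(\.exe)? delete (systemstatebackup|catalog|backup)",
    ],
}
COMPILED = {name: [re.compile(p) for p in pats] for name, pats in CMDLINE_RULES.items()}

# Image-name rules for the tools listed under Lateral Movement. Brittle on
# purpose: a renamed binary walks past these, so they complement, not
# replace, the behavioural rules above.
IMAGE_RULES = {
    "psexec.exe": "psexec_execution",
    "psexec64.exe": "psexec_execution",
    "psexesvc.exe": "psexec_service",      # the service PsExec drops on the target
    "advanced_ip_scanner.exe": "network_scanner",
    "netscan.exe": "network_scanner",     # SoftPerfect Network Scanner
}
INHIBIT_RECOVERY = {"shadow_copy_deletion", "recovery_disabled", "backup_catalog_deletion"}


def normalize(cmdline):
    """Collapse whitespace, drop quotes and lower-case so spacing/casing tricks do not evade."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip().lower()


def basename(image):
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of every rule the event matches (empty list if none)."""
    cmd = normalize(event.get("cmdline", ""))
    hits = [name for name, pats in COMPILED.items() if any(p.search(cmd) for p in pats)]
    rule = IMAGE_RULES.get(basename(event.get("image", "")))
    if rule:
        hits.append(rule)
    return hits


def hunt(events):
    """Run every event through the rules and return one record per hit."""
    return [{"host": ev["host"], "id": ev["id"], "user": ev["user"], "rule": r, "cmdline": ev["cmdline"]}
            for ev in events for r in evaluate(ev)]


def hosts_in_blast_radius(hits):
    """Hosts where recovery inhibition fired: encryption is imminent or already done."""
    by_host = defaultdict(set)
    for h in hits:
        by_host[h["host"]].add(h["rule"])
    return sorted(host for host, rules in by_host.items() if rules & INHIBIT_RECOVERY)


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for h in found:
        print(f"{h['host']:5} event {h['id']}: {h['rule']:25} {h['cmdline']}")
    print("blast radius:", hosts_in_blast_radius(found))
```

On the sample, the three recovery-inhibition rules fire on FS01 and the PsExec and scanner rules fire on the WS22 staging host, while the benign `vssadmin list shadows` stays quiet; the normalizer is what makes `"VSSADMIN.EXE"   Delete   Shadows` and the full-path quoted `bcdedit` form land on the same rule. Feed it your SIEM's process-creation export and page on `hosts_in_blast_radius`, then work backwards from the PsExec source host.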


MITRE ATT&CK Mapping



| Tactic | Technique | Description |
|--------|-----------|-------------|
| Initial Access | T1566 | Phishing via IABs |
| Initial Access | T1190 | Exploit public-facing apps (ScreenConnect, FortiClient EMS) |
| Execution | T1059.001 | PowerShell |
| Execution | T1059.003 | Windows Command Shell |
| Execution | T1047 | WMI |
| Execution | T1569.002 | Service execution via PsExec |
| Discovery | T1046 | Network service scanning (Advanced IP Scanner, SoftPerfect Network Scanner) |
| Lateral Movement | T1021.001 | RDP |
| Defense Evasion | T1070.003 | Clear PowerShell command history |
| Impact | T1490 | Inhibit system recovery (shadow copy and backup catalog deletion) |
| Impact | T1486 | Data encrypted for impact |
| Impact | T1657 | Financial theft (double extortion) |


The Victim Count



Since November 2025, Medusa's leak site has listed approximately 30 new victim organizations. Of these:

- 4 are healthcare and nonprofit organizations in the U.S.

- One is a non-profit in the mental health sector

- One is an educational facility for autistic children

- A Japanese hospital (Shiraume Toyooka) confirmed a Medusa attack on March 1, 2026

- Acme Truck Line, Inc. and Shaft Drillers International posted to the shame site this week

- International Planning Group (insurance brokerage) was claimed last week


They hit a school for autistic children. Let that sink in.


500+ total claimed victims. 366 confirmed ransomware deployments. 40+ healthcare organizations. The group that named itself after a monster is living up to the brand.


Why We Named Our Product MEDUSA



We named our enterprise security platform MEDUSA because of what Perseus did with the head after he cut it off.


He didn't throw it away. He mounted it on Athena's shield — the Aegis — and used it as a weapon. Anyone who looked at it turned to stone.


That's our product. Eight modules, each one a severed capability:


- **GORGON** — Document intelligence engine. Ingest any corpus. 11M+ documents indexed.

- **CARVER** — Military targeting methodology. 7/7 predictions validated by Congress.

- **OZ** — Autonomous threat decisions. 2M+ block/allow decisions without a human in the loop.

- **STIX** — Threat feed. 938K+ IOCs. 275+ consumers in 46 countries. Microsoft, AT&T, Starlink pulling daily.

- **BLOOM** — Entity resolution across datasets.

- **PRECOG** — Predictive intelligence.

- **OFFSHORE** — Financial tracing. 5.3M ICIJ records cross-referenced.

- **STONE** — Accountability engine. 16 statues. 4 charged or arrested. 9 resigned.


The ransomware group chose the name because it sounds scary. We chose it because we know how the myth ends. Perseus wins. The head becomes a shield. The monster's own power is turned against it.


Every IOC in this post is in our STIX feed. Every hash, every IP, every domain. Block them with the monster's own severed infrastructure.


What You Should Do Right Now



1. **Patch ScreenConnect and FortiClient EMS.** Today. Not tomorrow. Not after the change window. Today.

2. **Block the IOCs above** at your firewall, proxy, and DNS level. The `.onion` addresses are not resolvable on the public internet, so they will never show up in DNS logs; they identify the leak site and negotiation portal, and the matching control is blocking or alerting on Tor egress from hosts that have no business using it.

3. **Hunt for `!!!READ_ME_MEDUSA!!!.txt`** (and the `_2` variant) across all endpoints and file shares.

4. **Hunt for `gaze.exe`** and the SHA1 hash in your EDR. The hash matches one build; affiliates rebuild and rename, so a miss on the hash is not a clean bill of health.

5. **Monitor for shadow copy deletion** — `vssadmin`, `bcdedit`, `wbadmin` commands.

6. **Require phishing-resistant MFA** on all externally facing services. FIDO2 keys, not SMS.

7. **Segment your network.** If Medusa gets one machine, make sure they can't PsExec to every other one: block SMB (445) and RDP (3389) between workstations, and restrict admin-share access to jump hosts.

8. **Subscribe to our STIX feed.** 938K+ IOCs, updated continuously. Free.
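The hunts in items 3 and 4, as an added Python example that is not code from the original post or the author's product: a sweep that walks a file share, flags the two ransom-note filenames, the `.medusa` extension, the `gaze.exe` name, and any executable whose SHA1 matches the indicator table. The list of extensions that get hashed and the `demo()` sample tree are constructed assumptions; the demo adds the hash of its own stand-in bytes to the IOC set because no constructed file can match the page's real hash.

```python
import hashlib
import os
import tempfile
from collections import Counter

# File indicators from the page's table. The SHA1 is the one listed there;
# the extension set to hash and the constructed sample tree are this
# example's assumptions.
RANSOM_NOTES = {"!!!READ_ME_MEDUSA!!!.txt", "!!!READ_ME_MEDUSA!!!_2.txt"}
ENCRYPTED_EXT = ".medusa"
ENCRYPTOR_NAMES = {"gaze.exe"}
KNOWN_SHA1 = {"28df16894a6732919c650cc5a3de94e434a81d80"}
HASH_EXTENSIONS = {".exe", ".dll", ".ps1", ".bat", ".cmd"}


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-1 so large binaries are not loaded whole."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(name, path, sha1_iocs):
    """Return every reason a single file is flagged (empty list if clean)."""
    reasons = []
    lower = name.lower()
    if name in RANSOM_NOTES:
        reasons.append("ransom_note")
    if lower.endswith(ENCRYPTED_EXT):
        reasons.append("encrypted_file")
    if lower in ENCRYPTOR_NAMES:
        reasons.append("encryptor_filename")
    if os.path.splitext(lower)[1] in HASH_EXTENSIONS:
        try:
            if sha1_of_file(path) in sha1_iocs:
                reasons.append("known_payload_hash")
        except OSError:
            pass  # unreadable file: skip the hash check, keep the name-based hits
    return reasons


def sweep(root, sha1_iocs=frozenset(KNOWN_SHA1)):
    """Walk `root` and return flagged files sorted by path, with their reasons."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = classify(name, path, sha1_iocs)
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append({"path": rel, "reasons": reasons})
    findings.sort(key=lambda f: f["path"])
    return findings


def summarize(findings):
    """Count hits per reason; the encrypted_file count is the rough extent of damage."""
    return dict(Counter(r for f in findings for r in f["reasons"]))


def demo():
    """Build a constructed tree (no real malware or victim data) and sweep it."""
    payload = b"MZ constructed-not-malware"
    samples = {
        "share/!!!READ_ME_MEDUSA!!!.txt": b"ascii art would go here\n",
        "share/finance/Q4.xlsx.medusa": b"\x00" * 64,
        "share/finance/Q4_old.xlsx": b"PK\x03\x04",
        "share/tools/gaze.exe": payload,
        "share/tools/renamed.exe": payload,      # same bytes, different name
        "share/tools/7zip.exe": b"MZ something else",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        # The page's hash cannot match constructed bytes, so the demo adds the
        # hash of its own stand-in payload to the IOC set.
        iocs = KNOWN_SHA1 | {hashlib.sha1(payload).hexdigest()}
        return sweep(root, iocs)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']:40} {', '.join(f['reasons'])}")
```

Treat name-based hits as triage, not proof: the renamed copy in the demo is caught only by its hash, and a freshly compiled affiliate build would be caught by neither, whereas a `.medusa` extension or the ransom note sitting on a share is confirmed impact. Run it from a jump host with read-only access to the shares rather than pushing it to hosts you suspect are mid-encryption.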


The Math That Matters



Medusa's average ransom demand: $260,000.


Our STIX feed subscription: Free.


A FIDO2 security key: $25.


Patching ScreenConnect: $0.


The entire CISA advisory, the IOCs, the TTPs, the kill chain — it's all public. The information to prevent every single Medusa attack exists, for free, right now. The problem has never been intelligence. The problem is that organizations treat patching like a quarterly activity and MFA like an inconvenience.


Medusa doesn't exploit zero-days. Medusa exploits procrastination.




*DugganUSA LLC — Minnesota. One name on the line, no hiding behind a foundation.*


*Free STIX/TAXII Feed: https://analytics.dugganusa.com*

*Epstein Files Search: https://epstein.dugganusa.com*

*CISA Advisory AA25-071A: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a*

*Support the mission: https://epstein.dugganusa.com/donate*




*Sources: FBI/CISA/MS-ISAC Joint Advisory AA25-071A, Symantec Threat Intelligence (Feb 2026), Carbon Black Threat Hunter Team, ThreatLabz Ransomware Notes Repository, Picus Security, The Hacker News, The Register, SecurityAffairs, Industrial Cyber, HIPAA Journal*





*Her name was Renee Nicole Good.*


*His name was Alex Jeffery Pretti.*
