Threat Intelligence Tarot
Vol. II · 134
Criminal (RaaS)
risk 4/5
The Petrifying Gaze
Medusa
MedusaLocker-distinct · Medusa Blog
Education · Manufacturing · Healthcare · Technology · Public sector
Active since ~2021 · Extortion, Financial gain
The Petrifying Gaze does not negotiate behind closed doors. It posts the countdown publicly, freezes the victim's resolve with each passing hour, and lets the watchers vote on the outcome.
Tactics & Techniques
RCN · RDV · INI · EXC · PRS · PRV · EVA · CRD · DSC · LAT · COL · C2 · EXF · IMP
  • T1486 · Data Encrypted for Impact
    Tactic: Impact
  • T1490 · Inhibit System Recovery
    Tactic: Impact
  • T1078 · Valid Accounts
    Tactic: Persistence
  • T1133 · External Remote Services
    Tactic: Initial Access
  • T1489 · Service Stop
    Tactic: Impact
  • T1567.002 · Exfiltration to Cloud Storage
    Tactic: Exfiltration
Notable Operations
  • Minneapolis Public Schools breach and data leak (2023)
  • Toyota Financial Services intrusion (2023)
  • Public Medusa Blog data-leak site with countdown timers
  • CISA #StopRansomware joint advisory (AA25-071A, 2025)
Defenses
  • Leak-site monitoring as supplementary breach detection
    NIST CSF: DE.CM
  • Phishing-resistant MFA on all remote access and VPN gateways
    NIST SP 800-63B
  • Immutable backups segregated from production credentials
    CIS Control 11
  • Public-facing application patch SLAs with priority on known-exploited CVEs
    CISA KEV Catalog
Reversed: Their Weakness
Public leak sites are a double edge — defenders monitoring them can detect breaches their own SOCs missed. Cross-organizational subscription to leak-site feeds turns the operator's theatre into early warning.

Data sourced from MITRE ATT&CK. For educational purposes.