Medusa attacks Principle Cleaning Services

Incident Date: April 23, 2024


Overview

Title: Medusa attacks Principle Cleaning Services

Victim: Principle Cleaning Services

Attacker: Medusa

Location: London, Greater London, United Kingdom

First Reported: April 23, 2024

The Medusa Ransomware Group Strikes Principle Cleaning Services

Background

The Medusa ransomware group has reportedly compromised Principle Cleaning Services, a provider of corporate and commercial cleaning services in London. Founded in 1989, Principle Cleaning Services has been employee-owned since 2023. The group has demanded a ransom of $1,000,000 and claims to have exfiltrated 220.58 GB of sensitive data, including invoices, personal documents, and employee data. The group has set a payment deadline of 1 May.

Medusa Ransomware Group

Medusa is a Ransomware-as-a-Service (RaaS) operation that emerged in the summer of 2021 and has become one of the more active RaaS platforms. Its attack volumes were inconsistent in the first half of 2023 but surged again in the second half of the year. To evade defenses and block recovery, Medusa restarts infected machines in safe mode, deletes local backups, disables startup recovery options, and deletes VSS shadow copies so that encrypted files cannot be rolled back from a local snapshot.
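The recovery-inhibition behaviours listed above (shadow copy deletion, backup deletion, disabled startup recovery, safe-mode boot configuration) are visible in process-creation telemetry before encryption starts. The following is an added detection example, not code from RRA or from any Medusa analysis; the `host|command_line` record format and the sample events are constructed, and the rule names are hypothetical.

```python
import re
from dataclasses import dataclass

# One rule per behaviour named above, matched case-insensitively against the
# process command line (e.g. Sysmon Event ID 1 or EDR process-creation telemetry).
RULES = {
    "shadow_copy_deletion": r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
    "backup_catalog_deletion": r"wbadmin(\.exe)?\s+delete\s+catalog",
    "startup_recovery_disabled": r"bcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b",
    "safe_mode_boot_configured": r"bcdedit(\.exe)?\s+/set\b.*\bsafeboot\s+(minimal|network)\b",
}
COMPILED = {name: re.compile(pat, re.I) for name, pat in RULES.items()}

@dataclass
class Finding:
    host: str
    rule: str
    command_line: str

def detect(lines):
    """Parse 'host|command_line' records (constructed format) and return one
    Finding per (event, rule) match."""
    findings = []
    for line in lines:
        host, cmd = line.split("|", 1)
        for rule, pattern in COMPILED.items():
            if pattern.search(cmd):
                findings.append(Finding(host.strip(), rule, cmd.strip()))
    return findings

def hosts_with_recovery_inhibition(findings, min_distinct_rules=2):
    """Hosts where several distinct behaviours fired. Any one command can be
    legitimate admin work; a cluster on one host looks like ransomware staging."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in per_host.items() if len(rules) >= min_distinct_rules)

# Constructed sample telemetry: FS01 shows the full pre-encryption sequence,
# BK02 and WS22 are benign, WS07 is a lone backup-tool command (one rule only).
SAMPLE_EVENTS = [
    r"FS01|vssadmin.exe delete shadows /all /quiet",
    r"FS01|bcdedit.exe /set {default} recoveryenabled No",
    r"FS01|bcdedit.exe /set {default} safeboot network",
    r"BK02|vssadmin.exe list shadows",
    r"WS22|notepad.exe C:\Users\alice\notes.txt",
    r"WS07|wbadmin.exe delete catalog -quiet",
]
```

Run against the sample, `detect` returns four findings and only FS01 crosses the two-rule threshold; the single wbadmin event on WS07 stays at informational severity unless correlated with more.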

Recent Activity

In the latter part of 2022, Medusa intensified its attacks and remained active in the first quarter of 2023; its activity appears to have decreased in the second quarter. Medusa typically demands ransoms in the millions of dollars, scaling the amount to the target organization's financial capacity.

Modus Operandi

Medusa typically gains initial access through malicious email attachments (macro-enabled documents), torrent websites, or malicious ad libraries. Once running, the ransomware can terminate over 280 Windows services and processes without requiring any command-line arguments. A Linux variant may exist, but this is currently unconfirmed. Medusa targets a range of industries, with a focus on healthcare, pharmaceutical companies, and public sector organizations. The group runs a double extortion scheme, exfiltrating data before encrypting it. Medusa is, however, less generous toward its affiliates than some RaaS operations, offering only up to 60% of the ransom if it is paid.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, groups and their victims. Given threat actors' lucrative success to date, ransomware has become the most ubiquitous cyber threat to businesses and organizations today, and the most impactful both financially and in terms of the information exposed.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.