The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), issued a joint advisory revealing the significant impact of the Medusa ransomware operation.
The advisory states that by February 2025, Medusa and its affiliates had compromised over 300 organizations across various critical infrastructure sectors in the United States.
Affected industries include medical, education, legal, insurance, technology, and manufacturing. This underscores the ransomware’s broad reach and the potential for widespread disruption across essential services.
The advisory strongly urges organizations to take immediate action to enhance their security posture and mitigate the risk of similar attacks. For a deeper dive into ransomware threats, see our article on Top 10 Ransomware Groups of 2024.
“As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing,” the advisory warns.
“FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents.”
The advisory provides crucial mitigation strategies for organizations to bolster their defenses against Medusa ransomware attacks. These include:
- Patching: Mitigate known security vulnerabilities by ensuring operating systems, software, and firmware are patched promptly.
- Network Segmentation: Segment networks to limit the potential spread of infection should a device become compromised. This helps contain the attack and prevents lateral movement within the organization’s network.
- Network Traffic Filtering: Filter network traffic by blocking access from unknown or untrusted sources to remote services on internal systems.
Medusa ransomware first appeared in January 2021 but significantly escalated its activity in 2023. The group operates a leak site, the Medusa Blog, to pressure victims into paying ransoms by threatening to publicly release stolen data.
The group has claimed over 400 victims worldwide. In March 2023, Medusa claimed responsibility for an attack on the Minneapolis Public Schools (MPS) district, and in November 2023, it leaked data allegedly stolen from Toyota Financial Services after a failed $8 million ransom negotiation. This incident caused a data breach, and Toyota had to notify its customers.
Medusa initially operated as a closed ransomware variant, but it has since transitioned to a Ransomware-as-a-Service (RaaS) model, recruiting affiliates through cybercriminal forums.
“Medusa developers typically recruit initial access brokers (IABs) in cybercriminal forums and marketplaces to obtain initial access to potential victims,” the advisory explains.
“Potential payments between 100 USD and 1 million USD are offered to these affiliates with the opportunity to work exclusively for Medusa.”
It is important to note that the name “Medusa” is used by multiple malware families. This includes a Mirai-based botnet with ransomware capabilities and an Android malware-as-a-service (MaaS) operation. This has led to some confusion in reporting, with some mistakenly associating Medusa with the MedusaLocker ransomware operation; however, these are distinct entities.
This advisory from CISA, FBI, and MS-ISAC serves as a critical warning to organizations across all sectors, highlighting the persistent and evolving threat of ransomware attacks. The recommendations provided are essential steps in mitigating the risk of becoming a victim.