Cybersecurity | 12 Mar 2025 | bleepingcomputer.com

Medusa Ransomware Targets Over 300 US Critical Infrastructure Entities

CISA reports a dramatic rise in Medusa ransomware attacks, affecting 300+ critical infrastructure organizations across various sectors in the US. The advisory outlines defense strategies and highlights the ongoing threat posed by this group.

Key Takeaways

1. As of February 2025, CISA revealed that "Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors," affecting industries such as health care, education, legal services, insurance, technology, and manufacturing.
2. "Almost twice as many Medusa attacks were observed in January and February 2025 than during the same period in 2024," Symantec's Threat Hunter Team stated last week.
3. The gang has claimed responsibility for over 400 global victims, garnering significant media attention with its attacks on critical targets.

The Cybersecurity and Infrastructure Security Agency (CISA) has raised alarm over the Medusa ransomware, noting its impact on more than 300 different organizations within the critical infrastructure sectors of the United States. This information comes from a joint advisory released today with the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

As of February 2025, CISA revealed that "Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors," affecting industries such as health care, education, legal services, insurance, technology, and manufacturing. The warning underscores the pressing nature of the threat, urging entities to take proactive measures in their cybersecurity practices.


"FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents," specialists stated in the advisory.



To bolster defenses against Medusa, CISA has offered specific recommendations. These include filtering network traffic to block untrusted access to internal services, segmenting networks to limit lateral movement among infected devices, and promptly addressing known vulnerabilities in systems by ensuring that all operating system, software, and firmware patches are up to date.

Emerging initially in January 2021, the Medusa ransomware operation saw a substantial uptick in activity by 2023. That year also marked the launch of the Medusa Blog leak site, designed to pressure victims into paying ransoms by publishing stolen data. Medusa originally operated as a closed, centralized group before evolving into a Ransomware-as-a-Service (RaaS) framework, in which affiliates carry out intrusions while the core developers retain control over critical functions such as ransom negotiations.

"Medusa developers typically recruit initial access brokers (IABs) in cybercriminal forums and marketplaces to obtain initial access to potential victims," experts explained. "Potential payments between $100 USD and $1 million USD are offered to these affiliates, providing them the opportunity to work exclusively for Medusa."


However, the landscape of cybercrime associated with the name Medusa can be confusing. Several operations, such as a Mirai-based botnet with ransomware capabilities and a malware-as-a-service operation known as TangleBot, use the Medusa name, which often leads to misunderstandings in reporting. Importantly, this Medusa is distinct from the well-known MedusaLocker ransomware operation.


The frequency of Medusa ransomware attacks has surged dramatically since its inception. The gang has claimed responsibility for over 400 global victims, garnering significant media attention with its attacks on critical targets. In March 2023, they attacked the Minneapolis Public Schools district, making headlines by releasing a video showcasing stolen data.

Moreover, in November 2023, Medusa reportedly leaked sensitive information from Toyota Financial Services after the company refused to comply with an $8 million ransom demand and informed customers of a data breach.

Data from Symantec's Threat Hunter Team indicates a stark rise in Medusa attacks, noting a 42% increase between 2023 and 2024, with the trend continuing to escalate into 2025. "Almost twice as many Medusa attacks were observed in January and February 2025 than during the same period in 2024," they stated last week.


One month ago, CISA and the FBI issued a warning regarding the ongoing threat posed by this ransomware, highlighting the importance of organizational preparedness in the face of a persistent cybersecurity risk.

The Medusa ransomware operation serves as a sobering reminder of the vulnerabilities that persist within critical infrastructure sectors. As ransomware tactics evolve and become increasingly sophisticated, organizations are called upon to enhance their cybersecurity posture in a rapidly changing threat landscape.