
Federal cybersecurity officials are raising red flags over a surge in attacks by the Medusa ransomware group. First observed in June 2021, the group has gained traction recently by using basic but effective techniques, such as phishing emails and exploiting unpatched, internet-facing software, to break into systems and hold data hostage.
In a joint advisory released last week, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) urged businesses and institutions to take immediate steps to protect their systems. The warning is part of the government's ongoing #StopRansomware initiative.
A growing ransomware-as-a-service operation
Originally a closed operation, Medusa has since adopted a ransomware-as-a-service (RaaS) model. The developers supply the ransomware to affiliates, referred to in the advisory as "Medusa actors," who carry out the attacks. These affiliates are typically recruited on criminal forums and are sometimes paid bonuses to work exclusively for Medusa.
"Potential payments between $100 USD and $1 million USD are offered to these affiliates with the opportunity to work exclusively for Medusa," the advisory said.
Medusa actors typically gain initial access through phishing emails or by exploiting known vulnerabilities, such as CVE-2024-1709, an authentication bypass in the ConnectWise ScreenConnect remote access tool, and CVE-2023-48788, a SQL injection flaw in Fortinet's FortiClient EMS. Once inside, they steal and encrypt files and demand a ransom. The group's ransom notes give victims 48 hours to respond through a Tor-based live chat or the Tox encrypted messaging platform.
If a victim does not respond, Medusa actors may escalate their extortion efforts, for example by contacting the victim directly by phone or email, a tactic also observed in other ransomware groups.
What makes Medusa particularly menacing is its public-facing data-leak site, which lists victims alongside countdown timers. Once a timer runs out, the stolen data is either published or sold to the highest bidder. Victims can also buy extra time: a single day's delay can cost as much as $10,000 in cryptocurrency.
"As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing," the advisory notes.
Medusa's reach is global; past victims include Minneapolis Public Schools, where a 2023 attack exposed sensitive information on more than 100,000 students.
How to protect your organization from Medusa ransomware
The advisory urges organizations to take several key steps to protect themselves from Medusa. These include:
- Ensuring that all operating systems, software, and firmware are regularly updated and patched, prioritizing known exploited vulnerabilities in internet-facing systems.
- Requiring multi-factor authentication for all services, particularly webmail, VPNs, and accounts that access critical systems.
- Using strong, unique passwords for every account.
In addition, CISA advises organizations to segment their networks to limit the spread of an infection and to filter network traffic so that unknown or untrusted sources cannot reach remote services on internal systems.
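The patching item above is only actionable if you can tell which installs are still exposed to the two CVEs the advisory names. The script below is an added example, not code from the advisory or from this article: it gates an asset inventory against the fixed versions for CVE-2024-1709 (ScreenConnect) and CVE-2023-48788 (FortiClient EMS) as I understand the ConnectWise and Fortinet advisories. Those version thresholds, the product labels, and the sample inventory are all assumptions of this example; confirm the thresholds against the vendor advisories before acting on the output.

```python
"""Version gate for the two CVEs named in the Medusa advisory summary.

Added example. Fixed-version thresholds are assumed from the vendor
advisories as the author understands them; verify before relying on them.
"""
from __future__ import annotations

import re

# (branch prefix, first affected, first fixed) per affected branch.
# An empty branch prefix matches every version of the product.
AFFECTED: dict[str, tuple[str, list[tuple[tuple[int, ...], tuple[int, ...], tuple[int, ...]]]]] = {
    # ConnectWise ScreenConnect: every release before 23.9.8 (assumed threshold).
    "CVE-2024-1709": ("ScreenConnect", [((), (), (23, 9, 8))]),
    # Fortinet FortiClientEMS: 7.0.1-7.0.10 fixed in 7.0.11, 7.2.0-7.2.2 fixed in 7.2.3
    # (assumed thresholds). Other branches are treated as not affected.
    "CVE-2023-48788": (
        "FortiClientEMS",
        [((7, 0), (7, 0, 1), (7, 0, 11)), ((7, 2), (7, 2, 0), (7, 2, 3))],
    ),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '23.9.7.8744' or 'v7.2.2-build1' into a comparable tuple of ints."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def assess(product: str, version: str) -> dict[str, str]:
    """Return {cve: 'vulnerable' | 'patched' | 'not-affected'} for one install.

    Products the table does not cover yield an empty dict, so callers can
    distinguish 'no data' from 'checked and fine'.
    """
    v = parse_version(version)
    verdicts: dict[str, str] = {}
    for cve, (table_product, ranges) in AFFECTED.items():
        if table_product != product:
            continue
        status = "not-affected"
        for branch, first_affected, first_fixed in ranges:
            if v[: len(branch)] != branch:
                continue  # install is on a branch this range does not cover
            if first_affected <= v < first_fixed:
                status = "vulnerable"
            elif v >= first_fixed:
                status = "patched"
            break
        verdicts[cve] = status
    return verdicts


def scan(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str, str, str]]:
    """Return (host, product, version, cve) for every vulnerable install."""
    return [
        (host, product, version, cve)
        for host, product, version in inventory
        for cve, status in assess(product, version).items()
        if status == "vulnerable"
    ]


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY: list[tuple[str, str, str]] = [
    ("rmm01", "ScreenConnect", "23.9.7.8744"),
    ("rmm02", "ScreenConnect", "23.9.8"),
    ("ems01", "FortiClientEMS", "7.2.2"),
    ("ems02", "FortiClientEMS", "7.0.11"),
    ("ems03", "FortiClientEMS", "6.4.9"),
    ("mail01", "Exchange", "15.2"),  # not in the table: reported as no data
]

if __name__ == "__main__":
    for host, product, version, cve in scan(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is exposed to {cve}")
```

The three-way verdict matters in practice: a host the table knows nothing about should show up as unchecked rather than silently pass, and a FortiClient EMS install on a branch the vendor did not list (6.4.x here) is reported as not affected rather than as patched, so nobody mistakes it for evidence that patching happened.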
CISA urges IT teams to review the #StopRansomware: Medusa Ransomware advisory for detailed detection methods and indicators of compromise.