Medusa Ransomware Hits Critical Infrastructure

The Medusa ransomware has affected more than 300 organisations in critical infrastructure in the US alone from 2021 up to last month, the Cybersecurity and Infrastructure Security Agency (CISA) said in a joint advisory with the FBI and the Multi-State Information Sharing Analysis Centre (MS-ISAC).

The organisations affected have been in a range of critical sectors, including healthcare, technology and manufacturing, CISA said.

The group’s developers demand ransoms of $100,000 (£77,000) to $15 million, in so-called double-extortion attacks in which organisations are pressured to both restore encrypted data and prevent exfiltrated data from being published online.

Critical infrastructure

“As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing,” the advisory said.

“FBI, CISA, and MS-ISAC encourage organisations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents.”

Symantec’s Threat Hunter group warned earlier this month of an increase in Medusa attacks.

Symantec said Medusa attacks jumped 42 percent from 2023 to 2024, with almost twice as many incidents attributed to the group in January and February compared to the same period a year earlier.

Medusa began as a form of malware controlled by its developers, before evolving into a ransomware-as-a-service model, but the developers continue to play an active role in essential operations including ransom negotiations.

Affiliate system

The developers recruit initial access brokers in cybercrime forums and marketplaces to obtain initial access to potential victims, offering brokers up to $1m to work exclusively for Medusa, CISA’s advisory said.

Security researcher BlackFog said Medusa accounted for 5 percent of all ransomware attacks last year, taking third place amongst the most prevalent ransomware variants.

BlackFog said data exfiltration is now used in 94 percent of ransomware attacks.

CISA urged organisations to mitigate ransomware by patching known security vulnerabilities, segmenting networks and filtering network traffic to block access from unknown or untrusted origins to remote services on internal systems.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
