
FBI & CISA Urge Quick Action


Image: DC_Studio/Envato Elements

Federal cybersecurity officials are raising red flags over a surge in attacks by the Medusa ransomware group. First detected in June 2021, the group has gained traction recently by using basic but effective methods, like phishing emails and exploiting outdated software, to break into systems and hold data hostage.

In a joint advisory released last week, the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) urged businesses and institutions to take immediate steps to protect their systems. The warning is part of the federal government’s ongoing #StopRansomware initiative.

A growing ransomware-as-a-service business

Initially a closed operation, Medusa has now adopted a ransomware-as-a-service (RaaS) model. This means the developers provide the ransomware software to partners, generally known as “Medusa actors,” who carry out the attacks. These affiliates are sometimes recruited from online criminal forums and are typically paid bonuses to work exclusively for Medusa.

“Potential payments between $100 USD and $1 million USD are offered to these affiliates with the opportunity to work exclusively for Medusa,” the advisory said.

Medusa actors usually gain access to systems through phishing emails or by exploiting known vulnerabilities, such as CVE-2024-1709, which affects the ScreenConnect remote access tool, and CVE-2023-48788, a flaw in Fortinet products. Once inside, they encrypt files and demand ransoms. The group’s ransom notes give victims 48 hours to respond via a live chat or encrypted messaging platform.

If a victim doesn’t respond, Medusa actors may escalate their extortion efforts, a tactic observed in other ransomware groups.

What makes Medusa particularly menacing is its public-facing data-leak site, which displays victims alongside countdown timers. Once the timer runs out, stolen data is either released or sold to the highest bidder. In some cases, victims are given the option to buy more time: a single day’s delay may cost as much as $10,000 in cryptocurrency.

“As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing,” the advisory notes.

Medusa’s reach is global; past victims include Minneapolis Public Schools, where an attack in 2023 exposed sensitive information from over 100,000 students.

How to protect your organization from Medusa ransomware

The advisory urges organizations to take several key steps to protect themselves from Medusa. These include:

  • Ensuring that all operating systems, software, and firmware are regularly updated and patched.
  • Implementing multi-factor authentication across all services.
  • Using strong, unique passwords.

Additionally, CISA advises businesses to segment their networks to limit the spread of infections and filter network traffic to block unauthorized access attempts.

CISA is urging IT teams to review their #StopRansomware: Medusa Ransomware advisory for detailed detection methods and threat indicators.
