Federal cybersecurity officials are raising red flags over a surge in attacks by the Medusa ransomware group. First detected in June 2021, the group has gained traction recently by using basic but effective methods — like phishing emails and exploiting outdated software — to break into systems and hold data hostage.
In a joint advisory released last week, the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) urged businesses and institutions to take immediate steps to protect their systems. The warning is part of the government’s ongoing #StopRansomware initiative.
A growing ransomware-as-a-service business
Originally a closed operation, Medusa has now adopted a ransomware-as-a-service (RaaS) model. This means the developers provide the ransomware software to partners, known as “Medusa actors,” who carry out the attacks. These affiliates are often recruited from online criminal forums and are sometimes paid bonuses to work exclusively for Medusa.
“Potential payments between $100 USD and $1 million USD are offered to these affiliates with the opportunity to work exclusively for Medusa,” the advisory said.
Medusa actors often gain access to systems through phishing emails or by exploiting known vulnerabilities, such as CVE-2024-1709, which affects the ScreenConnect remote access tool, and CVE-2023-48788, a flaw in Fortinet products. Once inside, they encrypt files and demand ransoms. The group’s ransom notes give victims 48 hours to respond via a live chat or encrypted messaging platform.
If a victim does not respond, Medusa actors may escalate their extortion efforts, a tactic observed in other ransomware groups.
What makes Medusa particularly menacing is its public-facing data-leak site, which displays victims alongside countdown timers. Once the timer runs out, stolen data is either released or sold to the highest bidder. In some cases, victims are given the option to buy extra time — a single day’s delay may cost as much as $10,000 in cryptocurrency.
“As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing,” the advisory notes.
Medusa’s reach is global; past victims include Minneapolis Public Schools, where an attack in 2023 exposed sensitive information from over 100,000 students.
How to protect your organization from Medusa ransomware
The advisory urges organizations to take several key steps to protect themselves from Medusa. These include:
- Ensuring that all operating systems, software, and firmware are regularly updated and patched.
- Implementing multi-factor authentication across all services.
- Using strong, unique passwords.
Additionally, CISA advises businesses to segment their networks to limit the spread of infections and filter network traffic to block unauthorized access attempts.
CISA is urging IT teams to review their #StopRansomware: Medusa Ransomware advisory for detailed detection methods and threat indicators.