Medusa ransomware, a Ransomware-as-a-Service (RaaS) operation, has had a significant impact on over 300 organizations in critical infrastructure sectors across the United States, as of February 2025. The FBI, CISA, and MS-ISAC released a joint advisory highlighting the sectors affected, which include medical, education, legal, insurance, technology, and manufacturing. The advisory urges organizations to take immediate action by following mitigation strategies to reduce the risk of these attacks.
Medusa ransomware first surfaced in early 2021, but it wasn’t until 2023 that it began to gain traction, with the launch of a data leak site designed to pressure victims into paying ransoms by threatening to release stolen information.
The Medusa ransomware gang operates on a RaaS model, recruiting affiliates through cybercriminal forums and offering payments ranging from $100 to $1 million for initial access to victims.
Affiliates use phishing campaigns and exploit known vulnerabilities to infiltrate systems, with a focus on vulnerabilities like CVE-2024-1709 and CVE-2023-48788. Once they gain access to a network, the attackers leverage tools like Advanced IP Scanner, SoftPerfect Network Scanner, and PsExec to move laterally through the organization’s network. Medusa ransomware also employs living-off-the-land (LOTL) techniques such as PowerShell and Windows Management Instrumentation (WMI) to gather system information and further their reconnaissance efforts.
Medusa operators also rely on techniques to evade detection, such as deleting command history, using obfuscated PowerShell scripts, and employing certutil.exe for file ingress. These methods help them avoid security detection while moving freely within networks. In addition, they target critical infrastructure sectors by encrypting files with AES-256 encryption, disabling backups, and demanding a ransom payment in cryptocurrency. Medusa’s ransomware operations have adopted a double extortion model, where victims are not only forced to pay for the decryption of their files, but are also pressured by threats of further data leaks.
These demands are usually made through an encrypted messaging platform like Tor or Tox.
The gang operates a .onion data leak site to further the extortion process, posting stolen data, ransom demands, and countdown timers to pressure victims. The website also advertises the sale of stolen data to interested buyers before the deadline passes. In some cases, victims who paid the ransom were contacted by a different Medusa actor, who claimed that the ransom had been stolen and demanded additional payments for the “true decryption key,” signaling a potential triple extortion scheme.
The advisory issued by the FBI, CISA, and MS-ISAC provides important mitigation steps, including patching software vulnerabilities, segmenting networks, and blocking remote access from untrusted sources. These steps are vital for organizations to protect themselves from further incidents and reduce the likelihood of Medusa attacks in the future.
Reference:
