U.S. federal authorities have issued a joint cybersecurity advisory warning that the Medusa ransomware gang has compromised over 300 critical infrastructure organizations.
“As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors,” the joint cybersecurity advisory stated.
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) jointly issued the advisory.
It lists Medusa’s tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs), and recommends mitigations to help organizations prevent the group’s ransomware attacks.
Medusa ransomware attacks target over 300 critical infrastructure organizations
First detected in 2021, Medusa is a ransomware-as-a-service (RaaS) operation that relies on common initial-access tactics such as phishing and the exploitation of unpatched security vulnerabilities.
It launched as a closed ransomware operation but later adopted the affiliate model, in which affiliates deploy Medusa ransomware and keep 70% to 80% of any ransom the victim pays. Medusa’s ransom demands range from $100,000 to $15 million, but have sometimes exceeded $40 million, according to BlackFog.
Within two years, the gang had gained notoriety by targeting numerous organizations around the world. By December 2024, Medusa ransomware had impacted over 300 critical infrastructure organizations. In January 2025, NCC Group ranked Medusa the ninth most active ransomware group, and BlackFog attributed 9% of all ransomware attacks it reported in 2024 to the group.
According to the joint advisory, the critical infrastructure sectors targeted by Medusa ransomware attacks include medical, education, legal, insurance, technology, and manufacturing.
“Critical infrastructure remains a prime target for threat actors because of its essential role in everyday life and potential for widespread disruption,” said Nick Tausek, Lead Security Automation Architect at Swimlane. “Over the past year, we’ve seen relentless attacks on healthcare organizations, water facilities, and power grids.”
Notable Medusa ransomware victims the gang has claimed include Aurora City in Colorado, Heartland Health Center in Nebraska, Bell Ambulance in Wisconsin, Customer Management Systems, British printer CPI Books, and South Carolina’s Laurens School District 56.
The joint advisory states that Medusa employs double extortion: it encrypts devices and threatens to leak stolen data online to pressure victims into paying. In one case, after a victim had paid, the gang demanded an additional payment of half the ransom for a “true decryptor,” claiming that the ransom negotiator had absconded with the amount paid, which the advisory describes as a potential triple extortion scheme.
“Ransomware operators like Medusa focus on gaining leverage to extort organizations, making critical infrastructure entities prime targets due to their heightened motivation to maintain uninterrupted services,” said Jon Miller, CEO & Co-founder of the cyber resilience platform Halcyon.
The FBI, CISA, and MS-ISAC found that Medusa recruits initial access brokers (IABs) on underground hacking forums and pays them between $100 and $1 million to work exclusively for the operation.
Phishing campaigns are the group’s primary method of harvesting user credentials for initial access to critical infrastructure organizations.
The group also exploits unpatched software vulnerabilities, among them the ConnectWise ScreenConnect authentication bypass CVE-2024-1709 and the Fortinet FortiClient EMS SQL injection CVE-2023-48788, to compromise critical infrastructure organizations.
After gaining access, Medusa moves laterally using legitimate remote management software such as AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, and Splashtop, alongside Windows-native tooling such as Remote Desktop Protocol (RDP) and the Sysinternals PsExec utility.
The operators use Rclone to exfiltrate data to threat actor-controlled command-and-control (C2) servers, and use Sysinternals PsExec, PDQ Deploy, or BigFix to push the encryptor, gaze.exe, across the network.
During encryption, the ransomware disables Windows Defender and other anti-virus software, terminates backup, communication, website, and file-sharing services, and deletes Volume Shadow Copies so that recovery without paying is, in practice, extremely difficult.
Medusa actors also manually turn off and encrypt virtual machines and delete the tools they previously installed. The ransomware encrypts files with the AES-256 symmetric cipher and appends a .medusa extension to each encrypted file.
“Medusa’s encryption process is designed to inflict maximum operational disruption. The ransomware can terminate over 200 Windows services and processes, including those related to security software, to facilitate encryption,” Miller added.
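The post-access chain described above (RMM tools for lateral movement, Rclone exfiltration, PsExec or PDQ Deploy pushing gaze.exe, shadow-copy deletion, Defender tampering, and mass service stops) is something a detection engineer can turn directly into rules over process-creation telemetry. The following is an added example, not code from the advisory or the article: it classifies constructed process-creation events (fields modelled loosely on Sysmon Event ID 1) and flags hosts where several stages co-occur. The binary-name fragments for the RMM tools, the `vssadmin`/`wmic` shadow-copy commands, and the `Set-MpPreference` pattern are assumptions about how those steps are commonly carried out; the advisory text quoted here names only the tools and outcomes.

```python
"""Flag process-creation events matching the Medusa post-access chain.

Added example, not the advisory's or the article's code. The sample events
below are constructed. Command-line patterns for shadow-copy deletion and
Defender tampering are assumptions about common technique, not IOCs from
the advisory.
"""
import re
from collections import defaultdict

# Name fragments expected in the image path of the RMM tools the advisory
# lists (assumption: products are installed under their vendor names).
RMM_NAME_FRAGMENTS = ("anydesk", "ateraagent", "atera networks", "screenconnect",
                      "ehorus", "n-able", "basupsrvc", "pdqdeploy",
                      "pdqinventory", "simplehelp", "splashtop")

# Parent processes that indicate the encryptor was pushed by a deployment
# tool (PsExec service stub, PDQ Deploy runner, BigFix client).
DEPLOYERS = ("psexesvc.exe", "psexec.exe", "pdqdeployrunner", "besclient.exe")

SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE)
DEFENDER_TAMPER = re.compile(r"set-mppreference\s+.*-disable", re.IGNORECASE)
SERVICE_STOP = re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\s+(\S+)", re.IGNORECASE)
RCLONE_XFER = re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.IGNORECASE)


def classify(event):
    """Return the stage labels an event matches (empty list if nothing fires)."""
    image = event["image"].lower()
    basename = image.rsplit("\\", 1)[-1]
    parent = event.get("parent", "").lower().rsplit("\\", 1)[-1]
    cmd = event["cmdline"]
    hits = []
    if any(frag in image for frag in RMM_NAME_FRAGMENTS):
        hits.append("rmm_tool")
    if RCLONE_XFER.search(cmd):
        hits.append("rclone_exfil")
    if basename == "gaze.exe":
        hits.append("encryptor")
        if any(parent.startswith(d) for d in DEPLOYERS):
            hits.append("mass_deploy")
    if SHADOW_DELETE.search(cmd):
        hits.append("shadow_copy_deletion")
    if DEFENDER_TAMPER.search(cmd):
        hits.append("defender_tamper")
    if SERVICE_STOP.search(cmd):
        hits.append("service_stop")
    return hits


def host_stages(events):
    """Map each host to the set of chain stages observed on it."""
    stages = defaultdict(set)
    for ev in events:
        for label in classify(ev):
            stages[ev["host"]].add(label)
    return dict(stages)


def medusa_like_hosts(events, min_stages=3):
    """Hosts where the encryptor ran and at least min_stages stages co-occur.

    A single RMM install or 'net stop' is routine; the combination is not.
    """
    return sorted(h for h, s in host_stages(events).items()
                  if "encryptor" in s and len(s) >= min_stages)


# Constructed sample telemetry (not real IOCs).
SAMPLE_EVENTS = [
    {"host": "ws01", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --service", "parent": r"C:\Windows\System32\services.exe"},
    {"host": "fs01", "image": r"C:\Temp\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Shares\Finance remote:loot --transfers 8",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "fs01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet",
     "parent": r"C:\Windows\Temp\gaze.exe"},
    {"host": "fs01", "image": r"C:\Windows\Temp\gaze.exe",
     "cmdline": "gaze.exe", "parent": r"C:\Windows\PSEXESVC.exe"},
    {"host": "fs01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c Set-MpPreference -DisableRealtimeMonitoring $true",
     "parent": r"C:\Windows\Temp\gaze.exe"},
    {"host": "ws02", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop Spooler", "parent": r"C:\Windows\System32\services.exe"},
    {"host": "ws03", "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "parent": r"C:\Windows\System32\userinit.exe"},
]

if __name__ == "__main__":
    for host, stages in sorted(host_stages(SAMPLE_EVENTS).items()):
        print(host, sorted(stages))
    print("Medusa-like hosts:", medusa_like_hosts(SAMPLE_EVENTS))
```

The per-host aggregation is the useful part: on its own, an AnyDesk install or a `net stop` is routine administration, while Rclone pushing a share to a remote, shadow-copy deletion from a `gaze.exe` parent, and Defender tampering on the same host within a short window is the advisory's chain and should page someone. In production the same logic would run over EDR or Sysmon data with a time window and the RMM list tuned to the tools the organization actually sanctions.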
Finally, the ransomware drops a ransom note demanding that the victim make contact within 48 hours via a Tor browser-based live chat or via Tox, an end-to-end encrypted instant-messaging platform. If the victim does not respond, the actors contact them directly by phone or email.
Concurrently, the gang posts ransom demands on a .onion data leak site with cryptocurrency addresses and a countdown timer showing the remaining time before the stolen data is published online.
During this time, Medusa advertises the stolen data for sale and offers the victim the option to extend the deadline by one day for $10,000.
CISA publishes mitigations against Medusa ransomware attacks
The FBI, CISA, and MS-ISAC advised critical infrastructure organizations to apply recommended mitigations to prevent Medusa ransomware attacks.
“The recent CISA/FBI advisory is a reminder of the persistence of Medusa ransomware and the overall scourge impacting hundreds of global organizations,” said Dan Lattimore, Semperis AVP. “Defenders have their hands full tackling the presence of Medusa and the mitigation recommendations that include deploying software patches, network segmentation, and blocking access to services from unknown or untrusted sources will help organizations improve their operational resilience.”
The FBI, CISA, and MS-ISAC recommend patching operating system, software, and firmware vulnerabilities within a reasonable time frame to deny the group its known exploitation paths.
Critical infrastructure organizations should also segment their networks to limit lateral movement once a single device is compromised, and use network filtering to block connections from unknown IP addresses and unexpected regions.
Other mitigations include enabling multi-factor authentication (MFA), enforcing password policies that follow NIST guidance, maintaining a tested recovery plan, auditing accounts, keeping offline backups, encrypting data at rest, reviewing domain controllers and Active Directory for unknown accounts, and monitoring access attempts.
“This advisory serves as a crucial reminder, particularly for organizations in the critical infrastructure sector, that a proactive security posture is no longer an option, but essential. By leveraging AI-driven security automation, security teams can centralize threat detection, identify anomalies before they escalate, and accelerate response efforts,” Tausek concluded.