Medusa Ransomware Escalates Attacks on Critical Infrastructure, Warns CISA and FBI
The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a #StopRansomware advisory to alert organizations about the increasing threat of Medusa ransomware.
Medusa: A Growing Ransomware Threat
First detected in 2021, Medusa ransomware operates as a ransomware-as-a-service (RaaS) model, allowing affiliates to launch attacks across multiple industries. The ransomware has compromised over 300 victims globally, particularly targeting healthcare, law, education, insurance, technology, and manufacturing sectors.
From Closed Operations to Affiliate-Based Attacks
Originally, Medusa was a closed-group ransomware, with its developers handling all operations. Over time, it transitioned into an affiliate-based model, where external cybercriminals carry out the attacks. However, key functions like ransom negotiations remain under the developers’ control.
Ransom demands range from $100,000 to $15 million, and Medusa employs double extortion tactics, stealing sensitive data before encrypting victims' networks to increase pressure for payment.
How Medusa Gains Access to Networks
Medusa developers rely on Initial Access Brokers (IABs)—cybercriminals who sell access to compromised networks on dark web marketplaces. These brokers are offered payments ranging from $100 to $1 million to work exclusively with Medusa.
Medusa affiliates use various methods to infiltrate networks and to operate once inside, including:
- Phishing campaigns
- Exploiting known vulnerabilities
- Living-off-the-land (LotL) techniques (leveraging legitimate system tools to evade detection)
- Reconnaissance, data exfiltration, and lateral movement within compromised systems
Ransomware Surge and Industry Response
Cybersecurity experts, including Symantec’s Threat Hunter team, have reported a significant increase in Medusa ransomware incidents over the past year.
According to Dan Lattimer, Semperis Area Vice President for the UK & Ireland, organizations must strengthen their security posture through:
- Timely software patching
- Network segmentation
- Blocking access from untrusted sources
Lattimer also emphasized the importance of an "assumed breach" mindset, where organizations operate under the expectation that a compromise is inevitable, shifting the focus toward rapid detection, response, and recovery instead of just prevention.
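The living-off-the-land bullet above and the "assumed breach" point about shifting effort toward rapid detection both come down to the same practical question: how do you notice a legitimate built-in tool being used in a way an ordinary user never would? The following Python script is an added example, not code from the advisory, the article, or any of the organizations quoted. It scans constructed, flattened process-creation events (an assumed Sysmon EID 1 / Windows 4688 style key=value format) and flags a few generic LotL and ransomware-precursor patterns. The tool names, rule names, log format and sample lines are all assumptions chosen for illustration; none of them are Medusa-specific indicators from the page.

```python
"""Generic living-off-the-land (LotL) detector over constructed process-creation logs.

Added example only: the event format, the rule set and every sample line below
are assumptions for illustration, not indicators published for Medusa.
"""
import re
from typing import Dict, List, Tuple

# Assumed flattened event format: space-separated key=value pairs, values with
# spaces are double-quoted (e.g. cmd="powershell.exe -File x.ps1").
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample events (hostnames, users, paths and timestamps are made up).
SAMPLE_LOGS = [
    r'ts=2025-03-13T09:12:01Z host=WS01 user=alice parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe cmd="notepad.exe report.txt"',
    r'ts=2025-03-13T09:13:40Z host=WS01 user=alice parent=C:\Windows\explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -File C:\Scripts\inventory.ps1"',
    # Base64 argument is a placeholder ("PLACEHOLDER"), not a real payload.
    r'ts=2025-03-13T09:14:22Z host=WS01 user=alice parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="powershell.exe -nop -w hidden -enc UExBQ0VIT0xERVI="',
    r'ts=2025-03-13T09:20:05Z host=SRV02 user=svc_backup parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\certutil.exe cmd="certutil.exe -urlcache -f http://example.invalid/file.txt C:\Users\Public\file.txt"',
    r'ts=2025-03-13T09:21:11Z host=SRV02 user=admin parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet"',
    r'ts=2025-03-13T09:22:00Z host=SRV02 user=SYSTEM parent=C:\Windows\System32\services.exe image=C:\Windows\System32\svchost.exe cmd="svchost.exe -k netsvcs"',
]

# Assumed generic tool lists; tune these to the environment's real baseline.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_OR_HIDDEN_RE = re.compile(r"(^|\s)-(e(c|nc|ncodedcommand)?\b|w(indowstyle)?\s+hidden)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict (quoted or bare values)."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD_RE.findall(line)}


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, tolerating / or \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty list = benign)."""
    hits: List[str] = []
    image = image_name(event.get("image", ""))
    parent = image_name(event.get("parent", ""))
    cmd = event.get("cmd", "").lower()

    # Phishing-style initial execution: an Office application spawning a script host.
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        hits.append("office-app-spawned-script-host")
    # PowerShell launched with an encoded command or a hidden window.
    if image == "powershell.exe" and ENCODED_OR_HIDDEN_RE.search(cmd):
        hits.append("powershell-encoded-or-hidden")
    # Built-in utilities used to fetch content from the network.
    if (image == "certutil.exe" and "urlcache" in cmd) or (
        image == "bitsadmin.exe" and "/transfer" in cmd
    ):
        hits.append("builtin-tool-download")
    # Shadow-copy removal, a common precursor to encryption across ransomware families.
    if (image == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd) or (
        image == "wmic.exe" and "shadowcopy" in cmd and "delete" in cmd
    ):
        hits.append("shadow-copy-deletion")
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (host, image, matched rules) for every flagged event, in log order."""
    flagged = []
    for line in lines:
        event = parse_event(line)
        hits = classify(event)
        if hits:
            flagged.append((event.get("host", ""), image_name(event.get("image", "")), hits))
    return flagged


if __name__ == "__main__":
    for host, image, rules in scan(SAMPLE_LOGS):
        print(f"{host}\t{image}\t{', '.join(rules)}")
```

Run as-is, the script flags three of the six constructed events: the Word-spawned hidden, encoded PowerShell (two rules), the certutil download and the shadow-copy deletion, while the ordinary notepad, script-file PowerShell and svchost events pass. The rules deliberately key on parent/child relationships and argument shapes rather than on hashes, because LotL activity uses binaries that are legitimately present and signed; in production this logic would sit in a SIEM or EDR query against the real event stream, with the allowed parent and tool lists tuned to the environment's baseline to keep false positives low.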
Key Takeaways for Organizations
- Medusa ransomware is expanding its reach, using double extortion to pressure victims into paying large ransoms.
- Affiliates gain network access through phishing and exploiting vulnerabilities, aided by Initial Access Brokers.
- Organizations should adopt proactive cybersecurity strategies, including patch management, network segmentation, and continuous threat monitoring.
With Medusa ransomware continuing to evolve, businesses and critical infrastructure providers must bolster their defenses to counter the growing threat.