Medusa Ransomware Escalates: CISA Warns of Expanding Threat to Critical Infrastructure

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has sounded the alarm on the rapidly expanding Medusa ransomware threat. According to a joint advisory released this week, Medusa ransomware has already compromised over 300 critical infrastructure organizations across multiple industries, including healthcare, education, technology, and manufacturing, as of February 2025.


“As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing,” the advisory stated. The agencies urged organizations to implement mitigations to reduce the likelihood and impact of Medusa ransomware attacks.


A Growing Cyber Threat

Medusa first appeared in January 2021 but remained relatively obscure until 2023, when the group launched its leak site, the Medusa Blog, to pressure victims into ransom payments. Since then, the ransomware has evolved into a Ransomware-as-a-Service (RaaS) operation, recruiting affiliates and scaling its attacks worldwide.


The advisory underscores key defensive measures organizations should take to guard against Medusa ransomware, including timely patching of vulnerabilities, network segmentation to limit lateral movement, and traffic filtering to block unauthorized access to internal systems.


Medusa’s Modus Operandi

Unlike other ransomware variants that rely solely on encryption to lock victims out of their systems, Medusa employs a double-extortion model. The group exfiltrates sensitive data before deploying its payload, leveraging the threat of public exposure to pressure victims into paying ransoms. Cybersecurity experts warn that Medusa operators aggressively target high-value organizations, exploiting unpatched vulnerabilities and using phishing campaigns to gain access.


“Ransomware operators like Medusa focus on gaining leverage to extort organizations, making critical infrastructure entities prime targets due to their heightened motivation to maintain uninterrupted services,” said Jon Miller, CEO & Co-founder of cybersecurity firm Halcyon. “They exploit security gaps, leveraging vulnerabilities to move laterally, escalate privileges, exfiltrate sensitive data, and ultimately deploy their payloads.”


One of Medusa’s most concerning tactics is its ability to disable security tools before encrypting files. The ransomware terminates over 200 Windows services and processes, including antivirus software, to ensure maximum disruption. Medusa employs AES-256 encryption alongside RSA public key cryptography, making data recovery nearly impossible without the decryption key. The ransomware also deletes Volume Shadow Copies (VSS) and removes local backups to prevent easy restoration.
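A defender-side illustration of the behaviour described above: the shadow-copy deletion and the burst of service and process terminations are the kind of pattern that process-creation telemetry can surface before encryption starts. This is added example code, not from the advisory or the article; the log format, host and service names, and the burst threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified process-creation records (Sysmon Event ID 1 style).
# Invented sample data: host, user and service names are placeholders.
SAMPLE_LOGS = [
    "2025-02-10T09:14:01Z host=ws-17 user=alice cmd=notepad.exe report.txt",
    "2025-02-10T09:15:22Z host=ws-17 user=alice cmd=vssadmin delete shadows /all /quiet",
    "2025-02-10T09:15:23Z host=ws-17 user=alice cmd=net stop MsMpEng /y",
    "2025-02-10T09:15:24Z host=ws-17 user=alice cmd=net stop WinDefend /y",
    "2025-02-10T09:15:24Z host=ws-17 user=alice cmd=taskkill /F /IM sql.exe",
    "2025-02-10T09:15:25Z host=ws-17 user=alice cmd=net stop VSS /y",
    "2025-02-10T09:15:26Z host=ws-17 user=alice cmd=sc stop BackupSvc",
    "2025-02-10T11:02:10Z host=srv-02 user=admin cmd=net stop Spooler /y",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")
# Shadow-copy deletion: the "remove local recovery points" step.
SHADOW_DELETE = re.compile(r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic\s+shadowcopy\s+delete)", re.I)
# Service stop / forced process kill commands; a single one is routine admin work,
# many in a short window on one host is the mass-termination pattern.
SERVICE_KILL = re.compile(r"^(net(\.exe)?\s+stop|sc(\.exe)?\s+stop|taskkill(\.exe)?\s+/F)", re.I)


def detect(lines, burst_count=5, window=timedelta(seconds=60)):
    """Return (alert_type, host, detail) tuples for shadow-copy deletion and for
    hosts with at least burst_count stop/kill commands inside one window."""
    alerts = []
    stops = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed record: skip rather than crash the pipeline
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        host, cmd = m["host"], m["cmd"]
        if SHADOW_DELETE.search(cmd):
            alerts.append(("shadow_copy_deletion", host, cmd))
        if SERVICE_KILL.search(cmd):
            stops[host].append(ts)
    for host, times in stops.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= burst_count:
                alerts.append(("service_kill_burst", host,
                               f"{end - start + 1} stop/kill commands within {window.seconds}s"))
                break  # one alert per host is enough
    return alerts
```

The burst threshold should be tuned against a baseline of legitimate maintenance windows, where scripted service restarts on a single host are normal.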


Ransomware on the Rise

The advisory follows a surge in Medusa-related incidents. Security firm Symantec reported a 42% increase in Medusa attacks between 2023 and 2024, with incidents doubling in the first two months of 2025 compared to the same period the previous year. The ransomware gang has already claimed responsibility for high-profile attacks, including the Minneapolis Public Schools district breach in 2023 and an attack on Toyota Financial Services in late 2023, where they leaked sensitive data after the company refused to meet an $8 million ransom demand.

Medusa’s operations are further complicated by the existence of other cybercrime groups using the same name. This has led to confusion between Medusa ransomware and unrelated threats such as MedusaLocker and an Android-based malware-as-a-service (MaaS) operation.


Mitigation and Defensive Strategies

Cybersecurity experts stress the importance of proactive defense measures to combat Medusa and other ransomware threats. Organizations are advised to:

  • Regularly patch and update software to mitigate known vulnerabilities.

  • Segment networks to prevent lateral movement within compromised systems.

  • Implement strict access controls, including multi-factor authentication (MFA) for remote logins.

  • Train employees to recognize and report phishing attempts.

  • Monitor and filter network traffic to prevent unauthorized access.


Jon Miller emphasized the need to remove financial incentives for ransomware operators, stating: “To counter such threats, critical infrastructure organizations must bolster their defenses to withstand ransomware attacks without resorting to ransom payments or solely relying on backups. Eliminating the incentive to pay is crucial in disrupting the ransomware industry’s financial model.”


As Medusa’s reach expands, organizations must remain vigilant and implement robust cybersecurity practices to defend against the next wave of attacks. With ransomware operators continuously evolving their tactics, staying ahead of emerging threats is more critical than ever.