
Federal cybersecurity officials are raising red flags over a surge in attacks by the Medusa ransomware group. First detected in June 2021, the group has gained traction recently through basic but effective techniques, such as phishing emails and exploiting outdated software, to break into systems and hold data hostage.
In a joint advisory released last week, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) urged businesses and institutions to take immediate steps to protect their systems. The warning is part of the government’s ongoing #StopRansomware initiative.
A growing ransomware-as-a-service enterprise
Initially a closed operation, Medusa has now adopted a ransomware-as-a-service (RaaS) model. This means the developers provide the ransomware software to partners, known as “Medusa actors,” who carry out the attacks. These affiliates are often recruited from online criminal forums and are sometimes paid bonuses to work exclusively for Medusa.
“Potential payments between $100 USD and $1 million USD are offered to these affiliates with the opportunity to work exclusively for Medusa,” the advisory said.
Medusa actors typically gain access to systems through phishing emails or by exploiting known vulnerabilities, such as CVE-2024-1709, which affects the ScreenConnect remote access tool, and CVE-2023-48788, a flaw in Fortinet products. Once inside, they encrypt files and demand ransoms. The group’s ransom notes give victims 48 hours to respond via a live chat or encrypted messaging platform.
If a victim does not respond, Medusa actors may escalate their extortion efforts, a tactic observed in other ransomware groups.
What makes Medusa particularly menacing is its public-facing data-leak site, which displays victims alongside countdown timers. Once the timer runs out, stolen data is either released or sold to the highest bidder. In some cases, victims are given the option to buy extra time; a single day’s delay can cost as much as $10,000 in cryptocurrency.
“As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing,” the advisory notes.
Medusa’s reach is global; past victims include Minneapolis Public Schools, where an attack in 2023 exposed sensitive information from over 100,000 students.
How to protect your organization from Medusa ransomware
The advisory urges organizations to take several key steps to protect themselves from Medusa. These include:
- Ensuring that all operating systems, software, and firmware are regularly updated and patched.
- Implementing multi-factor authentication across all services.
- Using strong, unique passwords.
Additionally, CISA advises businesses to segment their networks to limit the spread of infections and to filter network traffic to block unauthorized access attempts.
CISA is urging IT teams to review its #StopRansomware: Medusa Ransomware advisory for detailed detection methods and threat indicators.