CISA, FBI and MS-ISAC Alert on Medusa Ransomware


The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI and MS-ISAC, has issued a #StopRansomware advisory warning about the growing threat of Medusa ransomware.
Medusa has targeted over 300 victims across critical infrastructure sectors, including healthcare, law, education, insurance, technology, and manufacturing, with ransom demands ranging from $100,000 to $15 million, the alert indicates.
Takeaway: Medusa and other ransomware gangs aren’t just running smash-and-grab attacks anymore—they’ve gotten a lot more strategic. They go after critical infrastructure—hospitals, schools, manufacturing—because they know these organizations can’t afford downtime.
The playbook is familiar: find an unpatched vulnerability, launch a phishing attack, get a foothold, and then move quietly through the network, escalating access and stealing data before deploying ransomware.
This is why cybersecurity can’t just be about prevention anymore; resilience has to be a key part of the response equation. Organizations need to be ready to detect these intrusions early and respond fast—because once the ransomware payload hits, you're at the tail end of the attack and the damage is already done.
As we detail in our quarterly Power Rankings: Ransomware Malicious Quartile report, Medusa first emerged around June 2021 and rapidly evolved into a significant threat.
Medusa operates using a double-extortion model, threatening to leak stolen data if victims refuse to pay the ransom. The group has been known to use public platforms like a Telegram channel called "information support" to expose compromised data, increasing pressure on its targets. By February 2025, Medusa had impacted hundreds of victims across critical infrastructure sectors, including healthcare, education, and manufacturing.
To infiltrate networks, Medusa employs multiple attack vectors. Phishing campaigns with deceptive emails are used to steal credentials or deliver malicious payloads. The group also takes advantage of unpatched vulnerabilities, most notably a critical SQL injection vulnerability in Fortinet's FortiClient EMS software (CVE-2023-48788), which enables unauthorized code execution via specially crafted requests. Additionally, they use brute-force attacks to compromise Remote Desktop Protocol (RDP) credentials.
Once inside, Medusa deploys sophisticated techniques to expand its reach and inflict maximum damage. It executes base64-encoded PowerShell commands to evade detection and uses tools like Mimikatz to extract credentials from memory, enabling further network compromise. The group also leverages legitimate remote access software such as AnyDesk and ConnectWise, along with tools like PsExec and RDP, to move laterally across networks.
Medusa's encryption process is designed to cause significant operational disruption. The ransomware can terminate over 200 Windows services and processes, including those related to security software, to facilitate encryption. It employs AES-256 encryption combined with RSA public key cryptography to securely lock files. To obstruct data restoration, Medusa deletes Volume Shadow Copies (VSS), disables startup recovery options, and removes local backups.
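As an added illustration of how a defender can surface the behaviour described in the two paragraphs above (this is example code, not part of the advisory or Halcyon's tooling): a small Python scanner that decodes the base64 payload of PowerShell's -EncodedCommand from constructed process-creation log lines and flags the recovery-inhibition actions the advisory attributes to Medusa. The log line format and the exact indicator patterns are assumptions.

```python
import base64
import re

def _enc(cmd: str) -> str:
    """-EncodedCommand expects base64 over UTF-16LE text (used to build samples)."""
    return base64.b64encode(cmd.encode("utf-16le")).decode("ascii")

# Constructed sample process-creation events (assumed format, not real telemetry).
SAMPLE_LOGS = [
    "4688 host=SRV01 user=svc_backup cmd=powershell.exe -nop -w hidden -enc "
    + _enc("vssadmin delete shadows /all /quiet"),
    "4688 host=WS07 user=jdoe cmd=powershell.exe -EncodedCommand "
    + _enc("Get-ChildItem C:\\Users"),
    "4688 host=SRV02 user=admin cmd=powershell.exe -e "
    + _enc("bcdedit /set {default} recoveryenabled no"),
    "4688 host=SRV02 user=admin cmd=notepad.exe report.txt",
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"(?i)\s-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")

# Indicators matching the advisory's description: shadow copies deleted,
# startup recovery disabled, local backup catalog removed.
INDICATORS = {
    "shadow_copy_deletion": re.compile(r"(?i)vssadmin.*delete\s+shadows"),
    "startup_recovery_disabled": re.compile(r"(?i)bcdedit.*recoveryenabled\s+no"),
    "backup_catalog_deletion": re.compile(r"(?i)wbadmin\s+delete\s+catalog"),
}

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE: treat as no encoded payload

def scan_logs(lines):
    """Return (host, indicator, decoded_command) for every line hitting an indicator."""
    hits = []
    for line in lines:
        decoded = decode_encoded_command(line)
        if decoded is None:
            continue
        host = re.search(r"host=(\S+)", line)
        for name, pattern in INDICATORS.items():
            if pattern.search(decoded):
                hits.append((host.group(1) if host else "?", name, decoded))
    return hits
```

Decoding the payload before matching is the point: the same vssadmin string would never match a rule applied to the raw, base64-encoded command line.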
To defend against threats like Medusa, organizations must strengthen their security posture to withstand ransomware attacks without relying on ransom payments or backups alone. Eliminating the financial incentive to pay ransoms is key to disrupting the ransomware business model.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.