Joint Advisory Warns of Extensive Medusa Ransomware Operations

Industry
Written by
Halcyon Team
Published on
Mar 13, 2025

A joint advisory issued by CISA, the FBI, and MS-ISAC warns that the Medusa ransomware operation has compromised over 300 organizations across various critical infrastructure sectors in the United States, including medical, education, legal, insurance, technology, and manufacturing industries.

The advisory urges organizations to implement recommended mitigations to reduce the likelihood and impact of Medusa ransomware incidents, Bleeping Computer reports.

Originally a closed ransomware variant managed by a single group, Medusa evolved into a Ransomware-as-a-Service (RaaS) model, recruiting affiliates to expand its reach while developers continue to oversee essential operations, including ransom negotiations.  

The group recruits initial access brokers (IABs) through cybercriminal forums and marketplaces to gain initial access to potential victims, offering payments ranging from $100 to $1 million, with opportunities for exclusive collaboration.

Since its inception, Medusa has claimed over 400 victims worldwide. Researchers reported a 42% increase in Medusa ransomware attacks between 2023 and 2024, with activity continuing to escalate. Notably, the first two months of 2025 saw nearly double the number of Medusa attacks compared to the same period in 2024.

Takeaway: Ransomware operators like Medusa focus on gaining leverage to extort organizations, making critical infrastructure entities prime targets due to their heightened motivation to maintain uninterrupted services. They exploit security gaps, leveraging vulnerabilities to move laterally, escalate privileges, exfiltrate sensitive data, and ultimately deploy their payloads.  

According to the Power Rankings: Ransomware Malicious Quartile report, Medusa emerged in June 2021 and rapidly evolved into a significant threat. Employing a double-extortion model, it threatens to publicly release exfiltrated data if ransoms are not paid.

The group has been observed using public platforms, such as a Telegram channel named "information support," to share compromised data, increasing pressure on victims. By February 2025, Medusa had impacted hundreds of victims across critical infrastructure sectors, including healthcare, education, and manufacturing.  

Medusa operators utilize various infiltration methods, such as phishing campaigns with deceptive emails to steal credentials or deliver malicious payloads. They also exploit unpatched vulnerabilities, notably a critical SQL injection vulnerability in Fortinet's FortiClient EMS software (CVE-2023-48788), allowing unauthorized code execution via specially crafted requests. Additionally, they employ brute-force techniques to compromise Remote Desktop Protocol (RDP) credentials.  
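The RDP brute-forcing described above leaves a clear trace in Windows Security logs: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from one source, sometimes followed by a success (4624) for whichever account was finally guessed. The following detector is an added example written for this post, not code from Halcyon or from the advisory; it assumes a simplified event shape (ISO timestamp, event ID, logon type, user, source address), and the event records, the five-failure threshold and the two-minute window are constructed for illustration.

```python
"""Flag RDP password-guessing from Windows Security logon events.

Walks events in time order, keeps a sliding window of failed RDP logons per
source address, raises one finding when a source crosses the threshold, and a
second, higher-priority finding when an RDP success follows such a burst from
the same source (the signature of a guessed credential, not a typo).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # RemoteInteractive: the logon type an RDP session produces

# Constructed sample events in a simplified shape; "id" is the Security Event ID.
SAMPLE_EVENTS = [
    {"time": "2025-03-01T01:59:55", "id": 4625, "logon_type": 3,  "user": "guest",         "src": "203.0.113.7"},
    {"time": "2025-03-01T02:00:00", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"time": "2025-03-01T02:00:10", "id": 4625, "logon_type": 10, "user": "admin",         "src": "203.0.113.7"},
    {"time": "2025-03-01T02:00:20", "id": 4625, "logon_type": 10, "user": "backup",        "src": "203.0.113.7"},
    {"time": "2025-03-01T02:00:30", "id": 4625, "logon_type": 10, "user": "svc_backup",    "src": "203.0.113.7"},
    {"time": "2025-03-01T02:00:40", "id": 4625, "logon_type": 10, "user": "svc_backup",    "src": "203.0.113.7"},
    {"time": "2025-03-01T02:00:50", "id": 4625, "logon_type": 10, "user": "svc_backup",    "src": "203.0.113.7"},
    {"time": "2025-03-01T02:01:05", "id": 4624, "logon_type": 10, "user": "svc_backup",    "src": "203.0.113.7"},
    {"time": "2025-03-01T02:03:00", "id": 4625, "logon_type": 10, "user": "jsmith",        "src": "198.51.100.4"},
    {"time": "2025-03-01T02:03:30", "id": 4624, "logon_type": 10, "user": "jsmith",        "src": "198.51.100.4"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return findings for sources exceeding `threshold` RDP failures inside
    `window`, and for RDP successes that follow such a burst from that source."""
    failures = defaultdict(deque)  # src -> timestamps of recent RDP failures
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # network/service logons are out of scope for this rule
        ts = datetime.fromisoformat(ev["time"])
        recent = failures[ev["src"]]
        while recent and ts - recent[0] > window:
            recent.popleft()  # drop failures that fell out of the window
        if ev["id"] == 4625:
            recent.append(ts)
            if len(recent) == threshold:  # alert once, as the burst crosses the line
                findings.append({"kind": "brute_force", "src": ev["src"],
                                 "failures": len(recent), "time": ev["time"]})
        elif ev["id"] == 4624 and len(recent) >= threshold:
            findings.append({"kind": "success_after_bruteforce", "src": ev["src"],
                             "user": ev["user"], "time": ev["time"]})
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(finding)
```

The single mistyped password from 198.51.100.4 never reaches the threshold, while 203.0.113.7 produces a brute-force finding on its fifth failure and a success-after-burst finding when svc_backup logs in; in production the threshold and window are tuned per environment and the source is fed from the real 4625/4624 stream.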

Once inside a network, Medusa employs sophisticated strategies to maximize impact. The group executes base64-encoded commands via PowerShell to evade detection and utilizes tools like Mimikatz to extract credentials from memory, facilitating further network compromise. They also leverage legitimate remote access software, including AnyDesk and ConnectWise, as well as tools like PsExec and RDP, to propagate across the network.

Medusa's encryption process is designed to inflict maximum operational disruption. The ransomware can terminate over 200 Windows services and processes, including those related to security software, to facilitate encryption. It employs AES-256 encryption, combined with RSA public key cryptography, to securely encrypt files. To hinder data restoration efforts, Medusa implements measures such as deleting Volume Shadow Copies (VSS), disabling startup recovery options, and removing local backups.
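Most of the post-compromise behaviour in the two paragraphs above (encoded PowerShell, PsExec and remote access tools, shadow copy deletion, disabled startup recovery, removed local backups) shows up in process-creation telemetry, so one scan over command lines covers all of it. The scanner below is an added example for this post, not code from Halcyon or the advisory. It assumes a five-field comma-separated process-creation log (time, host, user, image, command line); the log lines are constructed, and the encoded PowerShell sample is built in the script itself so the decoding step can be shown. Its key point is that the rules are matched against the decoded payload as well as the raw command line, because the shadow copy deletion in the sample is invisible until the base64 is decoded.

```python
"""Scan process-creation log lines for the post-compromise behaviours described
in the advisory, decoding PowerShell -EncodedCommand payloads before matching."""
import base64
import re

# Detection rules, case-insensitive, over the command line plus any decoded payload.
RULES = {
    "encoded_powershell":     r"powershell(\.exe)?\b.*\s-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}",
    "shadow_copy_deletion":   r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy",
    "recovery_disabled":      r"bcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
    "backup_catalog_deleted": r"wbadmin(\.exe)?\s+delete\s+catalog",
    "remote_admin_tool":      r"\b(psexec(64)?|psexesvc|anydesk|screenconnect|connectwise)\b",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in RULES.items()}

# Constructed sample: the encoded payload is built here so the decode path is exercised.
ENCODED = base64.b64encode("vssadmin delete shadows /all /quiet".encode("utf-16le")).decode()
SAMPLE_LOG = [
    "2025-03-01T02:05:00,WS01,CORP\\jsmith,C:\\Windows\\System32\\notepad.exe,notepad.exe report.txt",
    "2025-03-01T02:06:00,WS01,CORP\\jsmith,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,"
    "powershell.exe -File C:\\Scripts\\inventory.ps1",
    f"2025-03-01T02:07:00,FS01,CORP\\svc_backup,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,"
    f"powershell.exe -NoP -W Hidden -enc {ENCODED}",
    "2025-03-01T02:07:05,FS01,CORP\\svc_backup,C:\\Windows\\System32\\bcdedit.exe,bcdedit /set {default} recoveryenabled No",
    "2025-03-01T02:07:10,FS01,CORP\\svc_backup,C:\\Windows\\System32\\wbadmin.exe,wbadmin delete catalog -quiet",
    "2025-03-01T02:08:00,FS01,CORP\\svc_backup,C:\\Tools\\PsExec.exe,PsExec.exe \\\\DB01 cmd.exe",
]


def decode_encoded_powershell(cmdline):
    """Return the UTF-16LE text behind -e/-ec/-enc/-EncodedCommand, or None."""
    m = re.search(r"\s-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # not a real encoded command; leave the raw line to the rules


def scan(log_lines):
    """Return one finding per (line, rule) hit; decoded payload attached when present."""
    findings = []
    for line in log_lines:
        ts, host, user, _image, cmdline = line.split(",", 4)
        decoded = decode_encoded_powershell(cmdline)
        text = cmdline if decoded is None else cmdline + "\n" + decoded
        for name, rx in COMPILED.items():
            if rx.search(text):
                findings.append({"time": ts, "host": host, "user": user,
                                 "rule": name, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["time"], finding["host"], finding["rule"], finding["decoded"] or "")
```

The plain `-File` invocation and notepad produce nothing, the encoded line yields two findings (the encoding itself and the shadow copy deletion it hides), and the bcdedit, wbadmin and PsExec lines each trigger their rule; the remote-tool rule is the noisiest of the set and in practice is correlated with the host's normal administrative use before it is paged on.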

To counter such threats, critical infrastructure organizations must bolster their defenses to withstand ransomware attacks without resorting to ransom payments or solely relying on backups. Eliminating the incentive to pay is crucial in disrupting the ransomware industry's financial model.


Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
