Was Medusa's claim on cable giant a PR stunt? Demanding $1.2 million for data likely belonging to another company

Notorious ransomware gang Medusa posted ransom demands of $1.2 million, extorting a multinational mass media, telecommunications, and entertainment conglomerate. There’s just one problem: the alleged victim doesn’t recognize the data.

Key takeaways:

Medusa ransomware posted its demands on Friday, September 26th, claiming a breach of Comcast and giving the company two weeks to respond.


It turns out there was no such breach – the company doesn’t recognize the data, and it likely belongs to a completely unrelated company.

Dominic Alvieri, a cybersecurity analyst, says that the allegedly stolen data likely belongs to an insurance company.

“Medusa breached California Casualty Insurance – calcas[.]com, not comcast[.]com,” the expert posted on X.

According to the post on the victim site on the dark web, the hackers exfiltrated 834.4 GB of data. They posted 33 screenshots of the allegedly stolen data, mostly various tables and other internal financial documents.

Failures in ransomware gangs are well documented

Cybernews previously reported why opportunistic hackers shouldn’t be trusted. The leak of internal documents belonging to LockBit, once the largest ransomware gang, reveals skill gaps, a lack of consistency, and even failures to restore data after the ransoms were paid.

Currently, Medusa is one of the largest financially motivated threat actor groups with a track record of high-profile breaches.


Medusa’s destructive activities, which affected over 300 victims across critical infrastructure sectors, prompted the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) to release a joint advisory detailing the threat actor’s tactics.

However, it also seems that the group doesn’t have complete control over its affiliates.


Some victims, who opted to pay the ransom, reported being contacted again and asked to pay for a “true decryptor.”

“FBI investigations identified that after paying the ransom, one victim was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom amount already paid and requested half of the payment be made again to provide the “true decryptor” – potentially indicating a triple extortion scheme,” the advisory reads.

Internal conflicts, exaggerated claims, and outsized ransom demands are also common among criminal groups seeking media attention. It's unclear why Medusa would post false claims that damage its credibility, but miscommunication between affiliates and the operator is a likely explanation. Cybernews couldn't verify whether Medusa removed the claims from its dark web data leak site, as it was unavailable at the time of writing.

What’s in the alleged leak?

Medusa exposed the file tree view of the stolen directories. The files are organized into five folders, which span multiple business domains.

In one of the exposed directories, most folders appear to relate to HR, personnel records, employment, compliance, training, leadership, and other internal programs. Another directory structure contains names that suggest actuarial and statistical modeling files. Additional data includes security reports and logs.

Some folders suggest sales and customer-facing functions, third-party related documents, and other material. Beyond these, there are thousands of other files and folders.


“The file tree list reveals that attackers have exfiltrated not just regular files but also backups of multiple production databases, human resources data, customer and billing data, insurance operations, and internal IT and security data,” said Mantas Sabeckis, Information Security Researcher at Cybernews, who reviewed the post on the dark web.


“The size of the data leak indicates that it could be a serious breach, strongly suggesting the stolen files include a wide variety of data types far beyond the initially revealed documents.”

He also noted that the data in these documents dates from as early as 2020 up to 2025, and that the attackers might have breached the victim’s core business systems and exfiltrated sensitive files.


“These include financial documents with valuable information about their company and their clients.”

If the data actually belongs to any victim, it might be highly sensitive as it exposes core business areas and may include files containing personally identifiable information, business secrets, and, potentially, credentials.

Updated on October 3rd [08:00 a.m. GMT] with additional information.
