
Medusa ransomware has already affected over 300 victims across critical infrastructure sectors since its first detection in June 2021, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warn.
The agencies released a joint advisory warning about Medusa actors and sharing details on how to protect against them.
Medusa is a ransomware-as-a-service, using common techniques like phishing campaigns and exploiting unpatched software vulnerabilities.
As of February 2025, its developers and affiliates “have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing,” CISA said.
The total number of victims is even higher. The ring has listed almost 400 organizations on its data leaks site since early 2023, and the true number is likely to be much higher than that, Symantec Threat Hunter Team reported a week ago.
Medusa employs a double, and sometimes even triple, extortion model. That means the hackers steal and encrypt victim data and threaten to publicly release the exfiltrated information if the ransom is not paid. Some victims reported they were contacted again and were asked to pay for a “true decryptor.”
Here's how Medusa ransomware operates.
Medusa will pay big sums for initial access
Medusa initially started as a closed ransomware variant, with the same threat actors controlling all development and other operations. Since then, the gang has progressed to using an affiliate model. However, important operations such as ransom negotiation are still centrally controlled by the developers.
The threat actor is active in cybercriminal forums and marketplaces, recruiting initial access brokers to obtain access to potential victims. The ring offers hackers between $100 and $1 million and the opportunity to work exclusively for Medusa.
Medusa’s minions will conduct phishing campaigns as a primary method for stealing victim credentials but will also exploit known software vulnerabilities. They were previously observed abusing ScreenConnect and Fortinet EMS SQL injection flaws, among other vulnerabilities.
The threat actor mostly relies on legitimate software and tools already present on a target system, the so-called “living off the land” technique, to carry out malicious activities.
Inside a victim network, Medusa scans commonly used ports, uses command line tools for network and filesystem enumeration, and abuses the Windows Management Instrumentation component to query system information.
The threat actor obfuscates PowerShell payloads and encodes them with base64. Sometimes, the hackers kill or delete antivirus tools using vulnerable or signed drivers.
Medusa will pick the remote access software based on any similar tools already present in the victim's environment.
For data exfiltration, the hackers rely on the Rclone tool, a command-line program popular among ransomware gangs for syncing files with cloud storage services. Then they deploy an encryptor called gaze.exe, which encrypts files with a .medusa file extension.
“The process gaze.exe terminates all services related to backups, security, databases, communication, file sharing, and websites, then deletes shadow copies and encrypts files with AES-256 before dropping the ransom note. The actors then manually turn off and encrypt virtual machines and delete their previously installed tools,” CISA said.
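As an added defender-side example (not from the advisory or this article), the following Python decodes the base64/UTF-16LE payload that PowerShell's -EncodedCommand (and its accepted prefixes -e, -ec, -enc) carries, then tags the behaviours described above: stopping backup-related services and deleting shadow copies. The command lines are constructed samples, and the needle lists are assumptions chosen for illustration.

```python
import base64
import binascii


def _enc(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed sample process-creation command lines (not taken from any real incident).
SAMPLE_COMMAND_LINES = [
    "powershell.exe -nop -w hidden -enc "
    + _enc("Get-Service | Where-Object Name -like '*backup*' | Stop-Service -Force"),
    "powershell.exe -NoProfile -EncodedCommand " + _enc("vssadmin delete shadows /all /quiet"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
    "cmd.exe /c whoami",
]

# Assumed indicator strings for the two behaviours the advisory attributes to gaze.exe.
SUSPICIOUS = {
    "shadow_copy_deletion": ("vssadmin delete shadows", "win32_shadowcopy", "wmic shadowcopy delete"),
    "service_termination": ("stop-service", "net stop", "sc stop", "taskkill"),
}


def decode_encoded_powershell(cmdline: str):
    """Return the decoded script if cmdline carries an encoded command, else None.

    PowerShell accepts any unambiguous prefix of -EncodedCommand, so -e, -ec and
    -enc are matched too; -ex/-ep (ExecutionPolicy) are not prefixes and are skipped.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        t = tok.lower()
        if len(t) >= 2 and "-encodedcommand".startswith(t):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (binascii.Error, UnicodeDecodeError):
                return None  # malformed payload: not a valid encoded command
    return None


def triage(cmdline: str) -> dict:
    """Decode the command line (if encoded) and tag the behaviours in SUSPICIOUS."""
    decoded = decode_encoded_powershell(cmdline)
    text = (decoded or cmdline).lower()
    tags = [name for name, needles in SUSPICIOUS.items() if any(n in text for n in needles)]
    return {"encoded": decoded is not None, "decoded": decoded, "tags": tags}


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(triage(line))
```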
The ransom notes “READ_ME_MEDUSA!!!.txt” demand that victims contact Medusa within 48 hours via a Tor browser-based live chat or Tox, an end-to-end encrypted instant messaging platform.
Medusa actors will call victims directly by phone, or email them, if they do not respond. On its dark web site Medusa posts ransom demands with direct hyperlinks to crypto wallets, and, at this stage, the gang concurrently advertises the data to interested buyers before the countdown timer ends.
Victims have the option to add a day to the countdown timer by paying $10,000.
“FBI investigations identified that after paying the ransom, one victim was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom amount already paid and requested half of the payment be made again to provide the ‘true decryptor’ – potentially indicating a triple extortion scheme,” the advisory reads.
CISA and FBI listed recommended mitigations, which include patching for known vulnerabilities, network segmentation, implementing recovery plans, and many others.