
CISA: Medusa ransomware hit over 300 critical infrastructure orgs

  • March 12, 2025

Jasper_The_Rasper
Moderator

March 12, 2025 By Sergiu Gatlan


CISA says the Medusa ransomware operation had impacted over 300 organizations in critical infrastructure sectors in the United States as of last month.

This was revealed in a joint advisory issued today in coordination with the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

"As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing," CISA, the FBI, and MS-ISAC warned on Wednesday.

"FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents."

Medusa ransomware surfaced almost four years ago, in January 2021, but the gang's activity only picked up two years later, in 2023, when it launched the Medusa Blog leak site to pressure victims into paying ransoms using stolen data as leverage.

Since it emerged, the gang has claimed over 400 victims worldwide and gained media attention in March 2023 after claiming responsibility for an attack on the Minneapolis Public Schools (MPS) district and sharing a video of the stolen data.

The group also leaked files allegedly stolen from Toyota Financial Services, a subsidiary of Toyota Motor Corporation, on its dark extortion portal in November 2023 after the company refused to pay an $8 million ransom demand and notified customers of a data breach.

Medusa was first introduced as a closed ransomware variant, where a single group of threat actors handled all development and operations. Although Medusa has since evolved into a Ransomware-as-a-service (RaaS) operation and adopted an affiliate model, its developers continue to oversee essential operations, including ransom negotiations.

As the advisory explains, to defend against Medusa ransomware attacks, defenders are advised to take the following measures:

  • Mitigate known security vulnerabilities to ensure operating systems, software, and firmware are patched within a reasonable timeframe.
  • Segment networks to limit lateral movement between infected devices and other devices within the organization.
  • Filter network traffic by blocking access from unknown or untrusted origins to remote services on internal systems.



TripleHelix
Moderator
  • March 12, 2025

More info: https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a

 

Cybersecurity Advisory

#StopRansomware: Medusa Ransomware

Release Date
March 12, 2025
Alert Code
AA25-071A

Actions for Organizations to Take Today to Mitigate Cyber Threats Related to Medusa Ransomware Activity

  1. Mitigate known vulnerabilities by ensuring operating systems, software, and firmware are patched and up to date within a risk-informed span of time.
  2. Segment networks to restrict lateral movement from initial infected devices and other devices in the same organization.
  3. Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems.
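The third mitigation, in both the article's summary above and the advisory text quoted here, is stated as policy ("prevent unknown or untrusted origins from accessing remote services on internal systems"). The script below is an added example of what that looks like in practice; it is not code from CISA, the FBI, MS-ISAC, BleepingComputer or this forum. It assumes a constructed flow-log format (`<ts> <proto> <src>:<sport> -> <dst>:<dport>`), a hypothetical policy of two trusted management subnets, and an assumed list of remote-admin ports (SSH, SMB, RDP, WinRM); the nftables rules it emits are the host-firewall form of that same policy and are illustrative, not taken from the advisory. The audit flags lateral RDP/SMB from an ordinary internal workstation as well as inbound access from the internet, because both are what segmentation and origin filtering are meant to stop.

```python
"""Audit flow records for remote-service access from untrusted origins and
render the matching allow-list as nftables rules.

Added example for the "filter network traffic" mitigation. The log format,
trusted subnets and port list are assumptions, not taken from the advisory.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed policy: only these management subnets may reach remote-admin
# services on internal hosts (hypothetical ranges).
TRUSTED_ORIGINS = [
    ipaddress.ip_network("10.0.100.0/24"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Assumed internal address space (the "internal systems" of the mitigation).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed set of remote services worth fencing off (port -> label).
REMOTE_SERVICES = {22: "ssh", 445: "smb", 3389: "rdp", 5985: "winrm", 5986: "winrm-https"}


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed record: '<ts> <proto> <src>:<sport> -> <dst>:<dport>'.
    Returns None for blank or malformed lines instead of raising."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    try:
        src_ip, _ = parts[2].rsplit(":", 1)
        dst_ip, dport = parts[4].rsplit(":", 1)
        return Flow(parts[0], parts[1].lower(), ipaddress.IPv4Address(src_ip),
                    ipaddress.IPv4Address(dst_ip), int(dport))
    except ValueError:  # covers AddressValueError and a non-numeric port
        return None


def in_any(addr: ipaddress.IPv4Address, nets) -> bool:
    return any(addr in net for net in nets)


def untrusted_remote_access(lines):
    """Return (src, dst, service) for every TCP flow that reaches a protected
    remote service on an internal host from outside the trusted ranges."""
    findings = []
    for line in lines:
        f = parse_flow(line)
        if f is None or f.proto != "tcp":
            continue
        if f.dport not in REMOTE_SERVICES or not in_any(f.dst, INTERNAL_NETS):
            continue
        if in_any(f.src, TRUSTED_ORIGINS):
            continue  # management subnet: permitted by policy
        findings.append((str(f.src), str(f.dst), REMOTE_SERVICES[f.dport]))
    return findings


def nft_allowlist_rules(chain: str = "input") -> list:
    """Render the same policy as nft commands for an assumed 'inet filter'
    table: accept the protected ports from trusted origins, drop them from
    everyone else. Illustrative host-firewall form, not from the advisory."""
    ports = ", ".join(str(p) for p in sorted(REMOTE_SERVICES))
    rules = [f"add rule inet filter {chain} ip saddr {net} tcp dport {{ {ports} }} accept"
             for net in TRUSTED_ORIGINS]
    rules.append(f"add rule inet filter {chain} tcp dport {{ {ports} }} drop")
    return rules


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = [
    "2025-03-12T10:00:01Z tcp 10.0.100.5:51515 -> 10.0.20.15:3389",   # jump host -> server: allowed
    "2025-03-12T10:00:02Z tcp 203.0.113.7:40211 -> 10.0.20.15:3389",  # internet -> RDP: flagged
    "2025-03-12T10:00:03Z tcp 10.0.40.23:49830 -> 10.0.20.16:445",    # workstation -> SMB: flagged
    "2025-03-12T10:00:04Z tcp 10.0.40.23:49831 -> 10.0.20.16:443",    # HTTPS to an app: not a remote-admin port
    "2025-03-12T10:00:05Z udp 10.0.40.23:5353 -> 10.0.20.16:3389",    # not TCP: ignored
    "garbage line",                                                   # malformed: skipped
]

if __name__ == "__main__":
    for src, dst, svc in untrusted_remote_access(SAMPLE_FLOWS):
        print(f"{svc}: {src} -> {dst}")
    print("\n".join(nft_allowlist_rules()))
```

Run against the constructed sample, the audit reports the internet-to-RDP flow and the workstation-to-SMB flow and nothing else; the three emitted `nft` commands are the allow-then-drop form of the same policy, which is the ordering that matters (a drop rule ahead of the accepts would lock out the management subnets too).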
