Federal authorities, including the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), have issued a high-priority advisory warning about the escalating threat posed by the Medusa ransomware group.
The cybercriminal organization has ramped up its attacks, increasingly targeting users of major email service providers like Gmail and Outlook. Medusa’s reach extends across multiple industries, with healthcare, education, legal services, insurance, technology, and manufacturing among the hardest hit.
The surge in activity has prompted urgent calls for heightened cybersecurity measures to defend against the growing ransomware menace.
Surge in Medusa Ransomware Attacks
The ransomware advisory, released in early March 2025, reports a surge in Medusa ransomware attacks. According to Cyble, a cybersecurity threat intelligence firm, the group has seen a 45% increase in its operations in 2025 compared to the previous year.
By early March, 60 new victims had already been reported, suggesting that Medusa is on track to surpass 300 incidents in 2025, a stark increase from 211 in 2024. February, in particular, saw a dramatic spike, with 33 victims reported in just one month, making it the highest month for ransomware activity across all variants.
Identified in June 2021, Medusa ransomware was initially a closed system operated by a single group of cybercriminals. However, it has since evolved into a Ransomware-as-a-Service (RaaS) model. In this model, the core developers retain control over ransom negotiations while recruiting affiliates to execute the attacks. These affiliates are often cybercriminals hired through online forums and marketplaces, with payments ranging from $100 to $1 million for successful attacks.
The group has primarily targeted high-profile entities in various sectors, often employing a double extortion model. This involves first encrypting the victim’s data and demanding payment for decryption. If the ransom is not paid, the group threatens to release stolen, sensitive data publicly. This technique adds intense pressure on victims to comply with ransom demands.
Technical Details of Medusa Ransomware
Medusa’s operation hinges on affiliates using multiple methods to gain unauthorized access to their targets. Among the most common tactics are phishing campaigns and exploiting unpatched software vulnerabilities. Phishing attacks are the primary method for stealing credentials, allowing the cybercriminals to infiltrate networks via deceptive emails or websites that trick users into revealing their login details.
Medusa affiliates are also known to exploit vulnerabilities in popular software. Once access is achieved, Medusa actors deploy network enumeration tools like Advanced IP Scanner and SoftPerfect Network Scanner to identify potential targets. The group then uses legitimate Windows tools like PowerShell and the Windows Command Prompt to conduct further reconnaissance, mapping out systems and identifying files of interest.
Evading Detection
One of the hallmarks of Medusa ransomware is its sophisticated defense evasion techniques. The group makes use of Living Off the Land (LOTL) tactics, which involve exploiting legitimate system tools to carry out their attacks, making detection more challenging. For instance, they have been observed using the legitimate Certutil tool to hide their actions during file ingress, reducing the chances of being detected by endpoint detection systems.
In addition, Medusa actors employ obfuscated PowerShell scripts, encoding commands in base64 to obscure their activities. They also split strings into smaller parts to prevent detection by traditional cybersecurity systems. Furthermore, they manipulate signed drivers to disable endpoint detection and response (EDR) tools, further evading detection and maintaining their foothold within the victim network.
Lateral Movement and Data Exfiltration
Medusa actors are adept at moving laterally within a compromised network. They use tools like AnyDesk, ConnectWise, and Splashtop, in conjunction with Remote Desktop Protocol (RDP) and PsExec, to navigate the system and maintain control. They also use Mimikatz to extract credentials from the Local Security Authority Subsystem Service (LSASS) memory, enabling further movement across the network.
Once lateral movement is achieved, Medusa ransomware employs the Rclone tool to exfiltrate stolen data to the group’s Command and Control (C2) servers. To prevent recovery efforts, the ransomware encrypts files using AES-256 encryption and deletes backup systems and shadow copies before starting the encryption process. The affected files are given the .medusa extension, indicating they have been compromised.
Double Extortion and the Ransom Demand
Medusa’s double extortion strategy includes not only encrypting data but also threatening to release sensitive, stolen information publicly unless the ransom is paid. Victims are contacted through encrypted messaging platforms like Tor and Tox, and a ransom note is dropped on the infected systems, outlining the steps for payment.
The group has also been known to run a .onion data leak site, where they publish the names of victims along with countdown timers, signaling when the stolen data will be released.
In some cases, even after victims have paid the ransom, they are contacted again by other Medusa affiliates demanding additional payments, suggesting the possibility of a triple extortion scheme. This makes it even more difficult for victims to recover from the attacks.
Conclusion
With the FBI and CISA identifying critical Indicators of Compromise (IoCs) linked to Medusa ransomware—including ransom notes, remote access scripts, and reverse shells—organizations must take proactive steps to bolster their cybersecurity defenses. Implementing regular software patches, enforcing strong authentication measures, maintaining secure backups, and deploying endpoint detection tools can significantly reduce the risk of falling victim to such attacks.
As ransomware groups like Medusa evolve their tactics, real-time threat intelligence becomes essential. Cyble’s AI-driven cybersecurity platforms offer advanced monitoring and detection capabilities, enabling organizations to stay ahead of emerging threats.
By staying informed, leveraging federal cybersecurity resources, and adopting a proactive security posture, businesses and individuals can better safeguard their data against the relentless threat of ransomware.
