
The Medusa ransomware group has inflicted damage on more than 300 organizations across critical infrastructure sectors, according to a joint advisory issued by CISA, the FBI, and MS-ISAC. As of February 2025, the group has targeted companies in healthcare, education, law, insurance, technology, and manufacturing.
Medusa first emerged in January 2021, but it wasn’t until 2023 that the group became widely recognized, following the launch of its “Medusa Blog”—a leak site where stolen data is published if victims refuse to pay ransom. The group made headlines in March 2023 after breaching Minneapolis Public Schools and releasing a video showcasing the stolen information. In November 2023, Medusa published files allegedly stolen from Toyota Financial Services, following the company’s refusal to pay an $8 million ransom.
Initially, Medusa operated as a close-knit group, controlling all stages of its attacks. However, over time, it evolved into a Ransomware-as-a-Service (RaaS) model, enabling other cybercriminals to participate in attacks. The group’s core developers remain key figures, handling ransom negotiations and overseeing internal operations. To gain initial access, Medusa recruits Initial Access Brokers (IABs) from underground forums, offering them payments ranging from $100 to $1 million.
Once inside a compromised system, the attackers disable security software and deploy an executable payload, which terminates critical services, deletes shadow copies, and encrypts data using AES-256 encryption. The affected files are appended with the “.medusa” extension, and victims receive a ransom note detailing payment demands.
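As an added example, not code from the advisory or from this article, the following Python script shows one defensive check that follows from the behaviour described above: it scans a constructed file-event log (the log format, host names and paths are assumptions for the example) for renames to the “.medusa” extension and for bursts of renames on a single host, which is the footprint a mass-encryption run leaves on a file server.

```python
"""Added example: flag ransomware-style file activity in a constructed
file-event log. Two signals are checked: renames whose new name ends in a
suspect extension (".medusa", taken from the advisory), and a burst of
renames on one host inside a short window (mass-encryption pattern)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample telemetry, not real logs. Format assumed for the example:
# "timestamp|host|action|path" with RENAME carrying "old -> new".
SAMPLE_EVENTS = """\
2025-02-10T09:00:01|FS01|RENAME|D:\\shares\\finance\\q4.xlsx -> D:\\shares\\finance\\q4.xlsx.medusa
2025-02-10T09:00:01|FS01|RENAME|D:\\shares\\finance\\budget.docx -> D:\\shares\\finance\\budget.docx.medusa
2025-02-10T09:00:02|FS01|RENAME|D:\\shares\\hr\\roster.csv -> D:\\shares\\hr\\roster.csv.medusa
2025-02-10T09:00:02|FS01|RENAME|D:\\shares\\hr\\policy.pdf -> D:\\shares\\hr\\policy.pdf.medusa
2025-02-10T09:00:03|FS01|RENAME|D:\\shares\\legal\\nda.docx -> D:\\shares\\legal\\nda.docx.medusa
2025-02-10T10:15:00|WS07|RENAME|C:\\Users\\alice\\draft.txt -> C:\\Users\\alice\\draft_final.txt
2025-02-10T10:16:00|WS07|WRITE|C:\\Users\\alice\\draft_final.txt
"""

SUSPECT_EXTENSIONS = {".medusa"}      # extension named in the advisory
BURST_THRESHOLD = 4                   # renames per host that trigger a burst alert (assumed tuning)
BURST_WINDOW = timedelta(seconds=10)  # sliding window for the burst check (assumed tuning)


@dataclass
class Event:
    ts: datetime
    host: str
    action: str
    src: str
    dst: Optional[str]  # only RENAME events have a destination path


def parse_events(text: str) -> List[Event]:
    """Parse the pipe-separated event lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, action, path = line.split("|", 3)
        if action == "RENAME" and " -> " in path:
            src, dst = path.split(" -> ", 1)
        else:
            src, dst = path, None
        events.append(Event(datetime.fromisoformat(ts), host, action, src, dst))
    return events


def extension_of(path: str) -> str:
    """Return the lower-cased final extension of a Windows or POSIX path."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def detect(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (alert_kind, host, detail) tuples for suspicious renames."""
    alerts = []
    recent = defaultdict(deque)  # host -> timestamps of recent renames
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action != "RENAME" or ev.dst is None:
            continue
        # Signal 1: the new file name carries a known ransomware extension.
        if extension_of(ev.dst) in SUSPECT_EXTENSIONS:
            alerts.append(("suspect_extension", ev.host, ev.dst))
        # Signal 2: many renames on one host within the sliding window.
        window = recent[ev.host]
        window.append(ev.ts)
        while window and ev.ts - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) == BURST_THRESHOLD:  # fire once when the threshold is crossed
            alerts.append(("rename_burst", ev.host,
                           f"{len(window)} renames within {BURST_WINDOW.seconds}s"))
    return alerts


def run_sample() -> List[Tuple[str, str, str]]:
    """Run both checks over the constructed sample log."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for kind, host, detail in run_sample():
        print(f"{kind:18} {host:5} {detail}")
```

On the sample log the script raises five extension alerts and one burst alert, all for FS01, while the single ordinary rename on WS07 stays quiet. The extension match is the cheap, specific check; the burst rule catches the same activity when the extension changes between campaigns, at the cost of needing a threshold tuned to the host's normal rename rate.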
Medusa employs a double extortion strategy—encrypting data while simultaneously threatening to leak it if the ransom is not paid. Investigations have also revealed that Medusa may engage in triple extortion, demanding additional payments under the pretext of providing the “genuine” decryption tool.
A significant issue remains the confusion surrounding the name “Medusa.” Besides the Medusa ransomware gang, other cyber threats bear the same name, including a Mirai-based botnet and an Android malware variant known as TangleBot. This often leads to misidentification of attacks and erroneous associations with another active ransomware group, MedusaLocker, even though the two have no connection.
Cybersecurity experts recommend implementing:
- Multi-factor authentication (MFA) to protect against unauthorized access
- Regular software updates to patch vulnerabilities
- Continuous network monitoring to detect suspicious activity
- Robust data backup strategies to ensure recovery in case of an attack
Victims are strongly advised not to pay the ransom, as doing so does not guarantee data recovery and only encourages further criminal activity.