Medusa Ransomware Gang Targets Over 300 Critical Infrastructure Organizations in Global Campaign
U.S. federal authorities—including the FBI, CISA, and MS-ISAC—have issued a joint cybersecurity advisory warning of a surge in attacks by the Medusa ransomware gang, which has compromised over 300 critical infrastructure organizations as of February 2025. The group, operating under a ransomware-as-a-service (RaaS) model, has rapidly escalated its operations since its emergence in 2021, becoming one of the most active threat actors in recent years.
Tactics and Targets
Medusa employs double extortion, encrypting victims’ systems while threatening to leak stolen data unless ransoms—ranging from $100,000 to over $40 million—are paid. In some cases, the gang has demanded additional payments for a "true decryptor," suggesting triple extortion tactics. Affiliates earn 70–80% of ransom payments, incentivizing widespread attacks.
The group has targeted sectors including healthcare, education, legal, insurance, technology, and manufacturing, with notable victims such as:
- Aurora City (Colorado)
- Heartland Health Center (Nebraska)
- Bell Ambulance (Wisconsin)
- Laurens School District 56 (South Carolina)
- CPI Books (UK)
Infection Methods and Tools
Medusa gains initial access through phishing campaigns and the exploitation of unpatched vulnerabilities, including:
- CVE-2024-1709 (ScreenConnect)
- CVE-2023-48788 (Fortinet EMS SQL injection)
Once inside a network, the gang uses remote access tools (AnyDesk, Atera, Splashtop) and Windows services (RDP, PsExec) for lateral movement. It deploys Rclone for data exfiltration and gaze.exe for encryption, while disabling security software, terminating backups, and deleting shadow copies to hinder recovery.
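The tool chain in the paragraph above (remote access tools, PsExec, Rclone, gaze.exe, shadow-copy deletion) is what a defender would turn into a triage rule. The following Python is an added example written for this page, not code from the advisory or from any vendor: it runs a few rules over constructed process-creation events (a pipe-separated `timestamp|host|user|command_line` format made up for this example), counts how many distinct stages appear per host, and scans a list of paths for the `.medusa` extension. The indicators are only the names the page gives; the `vssadmin`/`wmic` command patterns in the shadow-copy rule are an assumption, since the page says only that shadow copies are deleted.

```python
"""Triage constructed process-creation events against the Medusa tool chain
described on this page (remote access tools, PsExec, Rclone exfiltration,
gaze.exe encryptor, shadow-copy deletion) and scan paths for ".medusa".
Added example; log format, sample events and paths are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (label, regex over the lower-cased command line). Indicators come from the
# page; the exact shadow-copy deletion commands are an assumption, the page
# only says that shadow copies are deleted.
RULES: List[Tuple[str, re.Pattern]] = [
    ("encryptor-gaze", re.compile(r"(^|[\\/ ])gaze\.exe\b")),
    ("exfil-rclone", re.compile(r"(^|[\\/ ])rclone(\.exe)?\b.*\b(copy|sync|move)\b")),
    ("shadow-copy-deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("remote-access-tool", re.compile(r"(^|[\\/ ])(anydesk|atera|splashtop)[\w.-]*\.exe\b")),
    ("lateral-psexec", re.compile(r"(^|[\\/ ])psexec(64)?\.exe\b")),
]

MEDUSA_EXT = ".medusa"  # extension the page reports for encrypted files


@dataclass
class Finding:
    host: str
    user: str
    label: str
    command: str


def triage_events(lines: List[str]) -> List[Finding]:
    """Match every rule against every event; one event may yield several labels."""
    findings: List[Finding] = []
    for line in lines:
        try:
            _ts, host, user, cmd = line.rstrip("\n").split("|", 3)
        except ValueError:
            continue  # malformed line: skip it rather than abort the whole batch
        low = cmd.lower()
        for label, pattern in RULES:
            if pattern.search(low):
                findings.append(Finding(host, user, label, cmd))
    return findings


def score_host(findings: List[Finding]) -> Dict[str, int]:
    """Distinct stages per host. A lone remote-access-tool install is often
    legitimate IT use; several stages on one host is the signal to escalate."""
    by_host: Dict[str, set] = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.label)
    return {host: len(labels) for host, labels in by_host.items()}


def find_encrypted_files(paths: List[str]) -> List[str]:
    """Paths carrying the .medusa extension, compared case-insensitively."""
    return [p for p in paths if p.lower().endswith(MEDUSA_EXT)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    "2025-03-01T02:11:04Z|FS01|svc_backup|C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet",
    "2025-03-01T02:12:30Z|FS01|svc_backup|C:\\Users\\Public\\rclone.exe copy D:\\Finance remote:bucket --transfers 8",
    "2025-03-01T02:15:00Z|FS01|svc_backup|C:\\Users\\Public\\gaze.exe",
    "2025-03-01T01:40:12Z|WS17|jdoe|C:\\ProgramData\\AnyDesk\\AnyDesk.exe --service",
    "2025-03-01T01:55:47Z|WS17|jdoe|C:\\Tools\\PsExec64.exe \\\\FS01 -s cmd.exe",
    "2025-03-01T09:00:00Z|WS22|asmith|C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    "garbage line without separators",
]

# Constructed sample paths.
SAMPLE_PATHS = ["D:\\Finance\\q1.xlsx.medusa", "D:\\Finance\\q2.xlsx", "C:\\Users\\jdoe\\note.txt"]

if __name__ == "__main__":
    hits = triage_events(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host:5} {f.user:11} {f.label:22} {f.command}")
    print("stages per host:", score_host(hits))
    print("encrypted files:", find_encrypted_files(SAMPLE_PATHS))
```

The score is deliberately coarse: it counts stages, not events, so a host that shows shadow-copy deletion, Rclone and the encryptor in a short window stands out even when each individual command would be noisy on its own. A real deployment would replace the pipe-separated lines with the EDR's or Sysmon's process-creation events and add the advisory's own indicator list, which this page does not reproduce.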
Encryption and Extortion
Medusa encrypts files using AES-256, appending a .medusa extension, and leaves a ransom note demanding contact within 48 hours via Tor, Tox, or encrypted messaging. Victims who fail to respond face public data leaks on the gang’s .onion site, where stolen data is also auctioned. The group offers a $10,000 "extension fee" to delay publication by one day.
Mitigation Efforts
Authorities recommend patching vulnerabilities, network segmentation, MFA enforcement, and offline backups to reduce risk. The advisory underscores the group’s persistence and sophistication, particularly against critical infrastructure, where disruption can have cascading effects.
Medusa’s rise to ninth in global ransomware activity (per NCC Group) and its 9% share of 2024 attacks (BlackFog) highlight its growing threat to organizations worldwide.
City of Aurora, IL cybersecurity rating report: https://www.rankiteo.com/company/city-of-aurora_2
"id": "CIT1765598574",
"linkid": "city-of-aurora_2",
"type": "Ransomware",
"date": "3/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Public Sector',
'location': 'Colorado, USA',
'name': 'Aurora City',
'type': 'Government'},
{'industry': 'Medical',
'location': 'Nebraska, USA',
'name': 'Heartland Health Center',
'type': 'Healthcare'},
{'industry': 'Medical',
'location': 'Wisconsin, USA',
'name': 'Bell Ambulance',
'type': 'Healthcare'},
{'industry': 'Technology',
'name': 'Customer Management Systems',
'type': 'Corporation'},
{'industry': 'Manufacturing',
'location': 'UK',
'name': 'CPI Books',
'type': 'Corporation'},
{'industry': 'Education',
'location': 'South Carolina, USA',
'name': 'Laurens School District 56',
'type': 'Education'}],
'attack_vector': ['Phishing', 'Exploitation of unpatched vulnerabilities'],
'data_breach': {'data_encryption': True,
'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Sensitive information',
'Personally identifiable '
'information']},
'date_detected': '2021',
'date_publicly_disclosed': '2025-02',
'description': 'U.S. federal authorities issued a joint cybersecurity '
'advisory about the Medusa ransomware gang compromising over '
'300 critical infrastructure organizations. The advisory '
'details Medusa’s tactics, techniques, and procedures (TTPs) '
'and indicators of compromise (IOCs), along with recommended '
'mitigations.',
'impact': {'brand_reputation_impact': True,
'data_compromised': True,
'identity_theft_risk': True,
'operational_impact': 'Widespread disruption of critical services',
'systems_affected': ['Critical infrastructure systems',
'Virtual machines',
'Backup services']},
'initial_access_broker': {'data_sold_on_dark_web': True,
'entry_point': ['Phishing campaigns',
'Exploitation of vulnerabilities'],
'high_value_targets': True},
'investigation_status': 'Ongoing',
'lessons_learned': 'Critical infrastructure remains a prime target for '
'ransomware gangs due to its essential role and potential '
'for widespread disruption. Proactive security measures, '
'including AI-driven automation and network segmentation, '
'are essential to mitigate such threats.',
'motivation': ['Financial gain', 'Data extortion'],
'post_incident_analysis': {'corrective_actions': ['Patching vulnerabilities',
'Implementing MFA',
'Network segmentation',
'Enhanced monitoring',
'Maintaining offline '
'backups'],
'root_causes': ['Exploitation of unpatched '
'vulnerabilities',
'Phishing attacks',
'Use of initial access brokers']},
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransom_demanded': ['$100,000 - $15 million',
'Exceeding $40 million in some cases'],
'ransomware_strain': 'Medusa'},
'recommendations': ['Patch operating system, software, and firmware '
'vulnerabilities promptly.',
'Implement network segmentation to limit lateral '
'movement.',
'Block connections from unknown IP addresses and regions.',
'Enable multi-factor authentication (MFA).',
'Enforce NIST standard passwords.',
'Maintain offline backups and encrypt data.',
'Audit accounts and monitor access attempts.',
'Review domain controllers and active directories for '
'unknown accounts.'],
'references': [{'source': 'FBI, CISA, MS-ISAC Joint Advisory'},
{'source': 'BlackFog'},
{'source': 'NCC Group'}],
'regulatory_compliance': {'regulatory_notifications': True},
'response': {'containment_measures': ['Network segmentation',
'Blocking connections from unknown IP '
'addresses'],
'enhanced_monitoring': True,
'law_enforcement_notified': True,
'network_segmentation': True,
'recovery_measures': ['Maintaining offline backups',
'Encrypting data'],
'remediation_measures': ['Patching vulnerabilities',
'Implementing MFA',
'Enforcing NIST password standards']},
'stakeholder_advisories': 'The FBI, CISA, and MS-ISAC have issued mitigations '
'to prevent Medusa ransomware attacks, emphasizing '
'the importance of proactive security measures for '
'critical infrastructure organizations.',
'threat_actor': 'Medusa Ransomware Gang',
'title': 'Medusa Ransomware Gang Compromises Over 300 Critical Infrastructure '
'Organizations',
'type': 'Ransomware',
'vulnerability_exploited': ['CVE-2024-1709 (ScreenConnect)',
'CVE-2023-48788 (Fortinet EMS SQL injection)']}