**Medusa Ransomware Surges, Impacting Over 300 U.S. Critical Infrastructure Organizations**
A joint advisory from CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) revealed that the Medusa ransomware operation has compromised over 300 organizations across critical U.S. infrastructure sectors as of February 2025. Targeted industries include medical, education, legal, insurance, technology, and manufacturing.
First detected in January 2021, Medusa initially operated as a closed ransomware variant before transitioning into a Ransomware-as-a-Service (RaaS) model in 2023. The group now recruits affiliates—including initial access brokers (IABs)—offering payments ranging from $100 to $1 million for exclusive partnerships. Medusa’s developers maintain control over core operations, including ransom negotiations.
To pressure victims, the group launched the Medusa Blog leak site in 2023, using stolen data as leverage. High-profile attacks include breaches of Minneapolis Public Schools (March 2023) and Toyota Financial Services (November 2023), where the gang leaked files after an $8 million ransom demand was refused.
Recent data from Symantec’s Threat Hunter Team indicates a 42% increase in Medusa attacks between 2023 and 2024, with nearly double the activity in early 2025 compared to the same period last year. The advisory also clarifies that Medusa is distinct from other similarly named threats, such as MedusaLocker and the Medusa botnet.
Defensive recommendations from the agencies include patching known vulnerabilities in operating systems, software, and firmware promptly, segmenting networks to limit lateral movement, and filtering traffic so that remote services on internal systems cannot be reached from unknown or untrusted origins. The alert follows a separate CISA-FBI warning last month about Ghost ransomware, which has hit victims in more than 70 countries.
Minneapolis Public Schools cybersecurity rating report: https://www.rankiteo.com/company/minneapolis-public-schools
{
  "id": "MIN1765304983",
  "linkid": "minneapolis-public-schools",
  "type": "Ransomware",
  "date": "2/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {
      "industry": "Education",
      "location": "United States",
      "name": "Minneapolis Public Schools (MPS)",
      "type": "Educational Institution"
    },
    {
      "customers_affected": true,
      "industry": "Automotive/Finance",
      "location": "Global",
      "name": "Toyota Financial Services",
      "type": "Financial Services"
    },
    {
      "industry": ["Medical", "Education", "Legal", "Insurance", "Technology", "Manufacturing"],
      "location": "United States"
    }
  ],
  "attack_vector": "Initial Access Brokers (IABs), Exploiting Known Vulnerabilities",
  "customer_advisories": "Toyota Financial Services notified customers of a data breach following the ransomware attack.",
  "data_breach": {
    "data_encryption": true,
    "data_exfiltration": true,
    "personally_identifiable_information": true,
    "sensitivity_of_data": "High",
    "type_of_data_compromised": ["Personally Identifiable Information", "Sensitive Corporate Data"]
  },
  "date_publicly_disclosed": "2025-02-01",
  "description": "CISA revealed that the Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors in the United States as of February 2025. The joint advisory was issued in coordination with the FBI and MS-ISAC, warning about the ransomware's impact across various industries including medical, education, legal, insurance, technology, and manufacturing.",
  "impact": {
    "brand_reputation_impact": true,
    "data_compromised": true,
    "identity_theft_risk": true,
    "operational_impact": "Disruption of services in affected organizations",
    "systems_affected": "Critical infrastructure systems across multiple sectors"
  },
  "initial_access_broker": {
    "entry_point": "Cybercriminal forums and marketplaces"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "Importance of patching known vulnerabilities, network segmentation, and filtering network traffic to prevent lateral movement and ransomware attacks.",
  "motivation": "Financial Gain",
  "post_incident_analysis": {
    "corrective_actions": "Patch management, network segmentation, traffic filtering, enhanced monitoring",
    "root_causes": "Exploitation of unpatched vulnerabilities, initial access via brokers, lack of network segmentation"
  },
  "ransomware": {
    "data_encryption": true,
    "data_exfiltration": true,
    "ransom_demanded": "$8 million (Toyota Financial Services case)",
    "ransomware_strain": "Medusa"
  },
  "recommendations": [
    "Mitigate known security vulnerabilities by patching operating systems, software, and firmware in a timely manner.",
    "Segment networks to limit lateral movement between infected and other devices.",
    "Filter network traffic by blocking access from unknown or untrusted origins to remote services on internal systems."
  ],
  "references": [
    {"date_accessed": "2025-02-01", "source": "CISA Joint Advisory with FBI and MS-ISAC"},
    {"date_accessed": "2025-02-01", "source": "Symantec Threat Hunter Team"}
  ],
  "regulatory_compliance": {"regulatory_notifications": true},
  "response": {
    "containment_measures": "Network segmentation, traffic filtering",
    "law_enforcement_notified": true,
    "network_segmentation": true,
    "remediation_measures": "Patching known vulnerabilities"
  },
  "stakeholder_advisories": "CISA, FBI, and MS-ISAC encourage organizations to implement recommended mitigations to reduce the likelihood and impact of Medusa ransomware incidents.",
  "threat_actor": "Medusa Ransomware Group",
  "title": "Medusa Ransomware Impact on Critical Infrastructure Sectors",
  "type": "Ransomware",
  "vulnerability_exploited": "Unpatched software, firmware, and operating systems"
}
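The two network mitigations named in the article and repeated in the record's recommendations (segment networks to limit lateral movement; block unknown or untrusted origins from reaching remote services on internal systems) are easier to reason about as a concrete policy plus a check that runs over connection logs. The block below is an added example written for this page, not code from CISA, the FBI, MS-ISAC or the advisory. The subnet layout, the set of ports treated as remote-administration services, and the flow-log lines are all constructed assumptions; swap in your own segments and log format.

```python
"""Worked example of the traffic-filtering and segmentation mitigations.

Layout, ports and log lines below are constructed assumptions for this
example; nothing here is taken from the advisory or from any real network.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical layout (assumption): one internal supernet and one management
# subnet that is the only permitted source for remote-administration services.
INTERNAL_NET = ipaddress.ip_network("10.10.0.0/16")
MGMT_NET = ipaddress.ip_network("10.10.99.0/24")

# Remote services commonly used for lateral movement, keyed by standard port.
REMOTE_ADMIN_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    dst: str
    service: str
    reason: str


def policy_verdict(src: str, dst: str, dst_port: int) -> str:
    """Return 'allow' or 'deny' for one TCP connection under the policy.

    A remote-admin port on an internal host may only be reached from the
    management subnet. Everything else is 'allow' here; a production ruleset
    would default-deny and enumerate the permitted flows explicitly.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip not in INTERNAL_NET or dst_port not in REMOTE_ADMIN_PORTS:
        return "allow"
    return "allow" if src_ip in MGMT_NET else "deny"


def parse_flow(line: str):
    """Parse 'TS SRC:PORT DST:PORT PROTO ACTION' (constructed log format)."""
    ts, src, dst, proto, action = line.split()
    src_ip, _ = src.rsplit(":", 1)          # rsplit keeps IPv6 literals intact
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ts, src_ip, dst_ip, int(dst_port), proto, action


def audit_flows(lines):
    """Return a Finding for every allowed flow that the policy would deny.

    DENY records are skipped: the firewall already filtered them. What is
    left is exactly the traffic the mitigation says should not have reached
    an internal remote service.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, proto, action = parse_flow(line)
        if action != "ALLOW" or proto != "TCP":
            continue
        if policy_verdict(src, dst, port) == "deny":
            if ipaddress.ip_address(src) in INTERNAL_NET:
                reason = "lateral movement from a non-management internal host"
            else:
                reason = "untrusted external origin reaching an internal remote service"
            findings.append(Finding(ts, src, dst, REMOTE_ADMIN_PORTS[port], reason))
    return findings


# Constructed sample flow log; addresses come from RFC 1918 and documentation ranges.
SAMPLE_FLOWS = [
    "2025-02-03T08:12:41Z 10.10.99.5:51022 10.10.30.7:3389 TCP ALLOW",    # admin host -> RDP: permitted
    "2025-02-03T08:13:02Z 203.0.113.44:40811 10.10.30.7:3389 TCP ALLOW",  # internet -> RDP: should have been blocked
    "2025-02-03T08:14:19Z 10.10.20.31:49877 10.10.30.12:445 TCP ALLOW",   # workstation -> server SMB: lateral movement
    "2025-02-03T08:15:00Z 10.10.20.31:49901 10.10.30.12:443 TCP ALLOW",   # workstation -> HTTPS: ordinary traffic
    "2025-02-03T08:16:37Z 198.51.100.9:55123 10.10.30.7:3389 TCP DENY",   # already filtered at the edge
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f.ts} {f.src} -> {f.dst} {f.service}: {f.reason}")
```

Running the audit over the constructed log surfaces two findings: the RDP session from the documentation-range address (an untrusted origin reaching an internal remote service) and the workstation-to-server SMB session (lateral movement outside the management subnet); the management-host RDP and the HTTPS flow pass, and the DENY record is ignored because the firewall already did its job. The same `policy_verdict` logic is what the firewall rules should encode, so a finding from the audit is a direct pointer to a missing or mis-ordered rule.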