Medusa Ransomware Attacks Escalate, Targeting Hundreds of Organizations Nationwide
Federal authorities, including the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), have issued a warning about the growing threat of Medusa ransomware, a sophisticated cyberattack campaign that has compromised over 400 victims across sectors including healthcare, education, legal, insurance, technology, and manufacturing.
The attacks, active since 2021, follow a double-extortion model: threat actors encrypt victims’ systems, exfiltrate sensitive data, and publicly leak samples to pressure targets into paying ransoms. Victims receive a 48-hour ultimatum via a ransom note, often followed by direct contact from attackers via phone or email. Demands range from $100,000 to $15 million, with an additional $10,000 cryptocurrency fee to extend the countdown timer. In some cases, attackers have employed triple extortion, demanding a second payment after claiming the initial ransom was stolen by a rogue negotiator.
The Medusa operation has evolved into an affiliate-based model, where independent cybercriminals deploy the ransomware while core developers retain control over negotiations. Attackers gain initial access by purchasing stolen credentials from dark web marketplaces or through phishing schemes, then exploit vulnerabilities in unpatched systems. Once inside, they encrypt data and post ransom demands on a dedicated leak site, providing direct links to cryptocurrency wallets.
Connecticut has seen a sharp rise in ransomware incidents, with 861 reported in 2024, up from 644 in 2023 and 562 in 2022. Since August 2021, the state has logged 2,278 attacks, including high-profile breaches at Prospect Medical Holdings (2023) and Subway (2024). While federal investigators have not named specific suspects, a group called Spearwing has claimed responsibility for some attacks, and Inc Ransom was linked to the Subway breach.
Authorities emphasize that no sector is immune, though larger organizations, including municipalities, corporations, and critical infrastructure operators, remain primary targets. The FBI and CISA recommend offline backups, multifactor authentication, and regular software updates as key defenses, though they note that even well-prepared entities can fall victim to evolving tactics.
The Medusa campaign underscores the expanding reach of ransomware-as-a-service (RaaS), where sophisticated tools are leased to less-skilled criminals, amplifying the scale and frequency of attacks. With no signs of slowing, the threat continues to disrupt operations, extract millions in ransoms, and expose sensitive data across industries.
Subway TPRM report: https://www.rankiteo.com/company/subway
Prospect Medical Holdings TPRM report: https://www.rankiteo.com/company/prospect-medical-systems
{
  "id": "subpro1768802374",
  "linkid": "subway, prospect-medical-systems",
  "type": "Ransomware",
  "date": "8/2021",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [
    {
      "industry": "Healthcare",
      "location": "Connecticut, USA",
      "name": "Prospect Medical Holdings",
      "type": "Healthcare"
    },
    {
      "industry": "Food Services",
      "location": "Connecticut, USA",
      "name": "Subway",
      "type": "Corporation"
    },
    {
      "industry": ["Healthcare", "Education", "Legal", "Insurance", "Technology", "Manufacturing"],
      "location": "Nationwide (USA)",
      "type": "Municipalities, Corporations, Critical Infrastructure"
    }
  ],
  "attack_vector": [
    "Stolen credentials (dark web marketplaces)",
    "Phishing schemes",
    "Exploitation of unpatched vulnerabilities"
  ],
  "data_breach": {
    "data_encryption": true,
    "data_exfiltration": true,
    "personally_identifiable_information": true,
    "sensitivity_of_data": "High (personally identifiable information, corporate data)",
    "type_of_data_compromised": "Sensitive data"
  },
  "date_detected": "2021",
  "description": "Federal authorities have issued a warning about the growing threat of Medusa ransomware, a sophisticated cyberattack campaign that has compromised over 400 victims across sectors including healthcare, education, legal, insurance, technology, and manufacturing. The attacks follow a double-extortion model, encrypting systems, exfiltrating data, and publicly leaking samples to pressure victims into paying ransoms.",
  "impact": {
    "data_compromised": "Sensitive data exfiltrated and publicly leaked",
    "financial_loss": "Ransom demands ranging from $100,000 to $15 million",
    "identity_theft_risk": "High (due to data exfiltration)",
    "operational_impact": "Disrupted operations across affected organizations",
    "payment_information_risk": "High (if payment data was compromised)",
    "systems_affected": "Encrypted systems across multiple sectors"
  },
  "initial_access_broker": {
    "entry_point": ["Stolen credentials (dark web marketplaces)", "Phishing schemes"]
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "The Medusa campaign underscores the expanding reach of ransomware-as-a-service (RaaS), where sophisticated tools are leased to less-skilled criminals, amplifying the scale and frequency of attacks.",
  "motivation": ["Financial gain", "Data extortion"],
  "post_incident_analysis": {
    "corrective_actions": ["Offline backups", "Multifactor authentication", "Regular software updates"],
    "root_causes": ["Exploitation of unpatched vulnerabilities", "Use of stolen credentials", "Phishing attacks"]
  },
  "ransomware": {
    "data_encryption": true,
    "data_exfiltration": true,
    "ransom_demanded": "$100,000 to $15 million",
    "ransomware_strain": "Medusa"
  },
  "recommendations": ["Offline backups", "Multifactor authentication", "Regular software updates"],
  "references": [{"source": "FBI, CISA, MS-ISAC"}],
  "response": {"law_enforcement_notified": "FBI, CISA, MS-ISAC"},
  "stakeholder_advisories": "Federal authorities recommend offline backups, multifactor authentication, and regular software updates as key defenses.",
  "threat_actor": ["Medusa ransomware group", "Spearwing", "Inc Ransom"],
  "title": "Medusa Ransomware Attacks Escalate, Targeting Hundreds of Organizations Nationwide",
  "type": "Ransomware",
  "vulnerability_exploited": "Unpatched systems"
}