Medusa Hits 300+ Firms: New Era for Critical Networks

Medusa ransomware operators have caused extensive damage to over 300 organizations across critical infrastructure sectors, according to a joint warning issued by CISA, the FBI, and MS-ISAC. The attacks, which began in February 2025, targeted companies in healthcare, education, the judiciary, insurance, technology, and manufacturing.

First observed in January 2021, Medusa became more prominent in 2023 with the launch of its Medusa Blog, where stolen data is published if victims fail to pay the ransom. In a notable incident in March 2023, Medusa targeted public schools in Minneapolis and subsequently released the stolen information. In November 2023, files allegedly stolen from Toyota Financial Services were published online after the company refused to pay a ransom of $8 million.

Originally a closed group that ran every stage of an attack itself, Medusa later moved to a Ransomware-as-a-Service (RaaS) model so that other cybercriminals could take part in attacks. The group’s developers retain key roles in ransom negotiations and internal operations. Initial access brokers are recruited on underground forums, with payments ranging from $100 to $1 million.

Once inside a network, the attackers disable security software, run an executable that stops critical services, delete shadow copies, and encrypt data with AES-256; encrypted files receive the “.Medusa” extension. Victims are left with a ransom note stating the demands.
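The chain in the paragraph above reads, from a defender's side, as a sequence of host events that are individually noisy but jointly distinctive: security software tampering, a burst of service-stop commands, shadow-copy deletion, and files renamed to the ransomware extension. The following is an added example, not code from the article or from any of the agencies that issued the advisory. It correlates those stages per host over a small set of constructed endpoint telemetry lines; the log format, host names, timestamps, and file paths are invented for the example, and the command patterns are the widely documented ones for shadow-copy deletion and Defender tampering rather than anything taken from the page.

```python
"""Added illustrative detection pass for the Medusa intrusion chain described
above: defence tampering, service-stop burst, shadow-copy deletion, and the
".Medusa" extension on encrypted files. Log format, hosts, timestamps and
paths are constructed for this example and are not real telemetry."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed telemetry in an assumed format:
#   "<iso-timestamp> <host> <process|file> key=value ..."
SAMPLE_LOG = """\
2025-03-01T10:00:00 ws01 process cmd="powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"
2025-03-01T10:00:01 ws01 process cmd="vssadmin.exe delete shadows /all /quiet"
2025-03-01T10:00:02 ws01 process cmd="net stop MSSQLSERVER"
2025-03-01T10:00:02 ws01 process cmd="net stop SQLWriter"
2025-03-01T10:00:03 ws01 process cmd="net stop vss"
2025-03-01T10:00:03 ws01 process cmd="net stop VeeamBackupSvc"
2025-03-01T10:00:04 ws01 process cmd="net stop wuauserv"
2025-03-01T10:00:05 ws01 file action=rename path="C:\\Users\\a\\Documents\\q1.xlsx.Medusa"
2025-03-01T10:00:05 ws01 file action=rename path="C:\\Users\\a\\Documents\\q2.docx.Medusa"
2025-03-01T10:01:00 ws02 process cmd="net stop Spooler"
2025-03-01T10:02:00 ws02 file action=create path="C:\\Users\\b\\report.pdf"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<kind>process|file) (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Stage signatures. Service names and thresholds are example choices.
SHADOW_DELETE_RE = re.compile(
    r'\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)', re.I)
DEFENCE_TAMPER_RE = re.compile(r'Set-MpPreference\b.*-Disable\w*Monitoring', re.I)
SERVICE_STOP_RE = re.compile(r'\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop)\s+\S+', re.I)
RANSOM_EXT = '.medusa'          # extension named in the article, matched case-insensitively
BURST_THRESHOLD = 3             # this many service stops ...
BURST_WINDOW = timedelta(seconds=60)   # ... inside this window count as a burst


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    detail: str


def parse_line(line):
    """Return a dict for one telemetry line, or None if it does not fit the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group('ts'))
    except ValueError:
        return None
    # findall yields (key, whole, quoted, bare); prefer the quoted form when present
    fields = {k: (q if q else bare) for k, _, q, bare in KV_RE.findall(m.group('rest'))}
    return {'ts': ts, 'host': m.group('host'), 'kind': m.group('kind'), **fields}


def analyze(log_text):
    """Run the four stage checks over the log and return one Alert per (host, stage) hit."""
    alerts = []
    stops = defaultdict(list)   # host -> timestamps of service-stop commands
    enc = defaultdict(int)      # host -> files carrying the ransomware extension
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        host = ev['host']
        if ev['kind'] == 'process':
            cmd = ev.get('cmd', '')
            if SHADOW_DELETE_RE.search(cmd):
                alerts.append(Alert(host, 'shadow_copy_deletion', cmd))
            if DEFENCE_TAMPER_RE.search(cmd):
                alerts.append(Alert(host, 'defence_tampering', cmd))
            if SERVICE_STOP_RE.search(cmd):
                stops[host].append(ev['ts'])
        elif ev['kind'] == 'file' and ev.get('path', '').lower().endswith(RANSOM_EXT):
            enc[host] += 1
    # Sliding window over sorted stop times: a single "net stop" is routine admin noise,
    # several within a minute is the service-halting stage described in the article.
    for host, times in stops.items():
        times.sort()
        for i in range(len(times) - BURST_THRESHOLD + 1):
            if times[i + BURST_THRESHOLD - 1] - times[i] <= BURST_WINDOW:
                alerts.append(Alert(host, 'service_stop_burst',
                                    f'{len(times)} stop commands, {BURST_THRESHOLD} within '
                                    f'{int(BURST_WINDOW.total_seconds())}s'))
                break
    for host, n in enc.items():
        alerts.append(Alert(host, 'ransomware_extension', f'{n} file(s) renamed to *{RANSOM_EXT}'))
    return alerts


def prioritize(alerts, min_rules=2):
    """Hosts on which at least min_rules distinct stages fired, i.e. the chain, not one event."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a.host].add(a.rule)
    return sorted(h for h, rules in seen.items() if len(rules) >= min_rules)


if __name__ == '__main__':
    found = analyze(SAMPLE_LOG)
    for a in found:
        print(f'{a.host:5} {a.rule:22} {a.detail}')
    print('hosts to isolate first:', prioritize(found))
```

On the constructed sample, ws01 trips all four stages and is the only host returned by `prioritize`, while the lone `net stop Spooler` on ws02 produces nothing; that per-host correlation is the point, since each stage on its own would page an analyst far too often.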

Using a double extortion scheme, Medusa not only encrypts data but also threatens to publish it unless a ransom is paid. Investigators have also observed a potential triple extortion scheme, in which victims who have already paid are asked for a further payment under the guise of receiving the “real” decryption key.

Confusion persists because other threats share the Medusa name, such as a Mirai-based botnet and an Android variant named TangleBot. This often leads to misidentification and confusion with MedusaLocker, a distinct group with no connection to Medusa.

To strengthen defences, experts recommend multi-factor authentication, regular updates, monitoring of network activity, and maintaining backups. In the event of an attack, paying the ransom is discouraged: it does not guarantee data recovery and could fund further criminal activity.
