Increased number of victims snared by RaaS model.
The FBI and CISA have issued a joint warning about the Medusa ransomware.
“As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing,” the agencies said.
2021 to Present
Medusa is a ransomware-as-a-service (RaaS) variant that has been used to conduct ransomware attacks from 2021 to the present. It originally operated as a closed ransomware variant, meaning that all development and associated operations were controlled by the same group of cyber threat actors.
“While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers,” the warning read.
“Both Medusa developers and affiliates—referred to as ‘Medusa actors’ in this advisory—employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid.”
Phishing and Exploits
Medusa actors typically gain initial access through phishing campaigns and by exploiting unpatched software vulnerabilities, notably the ScreenConnect vulnerability CVE-2024-1709 and the Fortinet EMS SQL injection vulnerability CVE-2023-48788.
Stefan Hostetler, lead threat intelligence researcher at Arctic Wolf, said Medusa ransomware leak-site postings reached the highest point in the group's history in February 2025, with 34 postings for that month.
Dr. Darren Williams, CEO and Founder of BlackFog, said Medusa accounted for five percent of all ransomware attacks in 2024, with demands often exceeding $40M. “The Medusa ransomware gang took third place in terms of the most dominated ransomware variant of 2024,” he said.
“Once inside a system, Medusa spreads laterally using living-off-the-land techniques and highlights the importance of anti-data exfiltration in a comprehensive security plan.”
Dan Lattimer, AVP EMEA West at Semperis, recommended that organisations adopt an ‘assumed breach’ mindset: operating under the assumption that systems have been or will be compromised shifts the focus from preventing breaches to detecting, responding and recovering quickly.
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.