
Medusa Ransomware hit over 300 critical infrastructure organizations

CISA says that the Medusa ransomware operation had affected over 300 organizations in critical infrastructure sectors in the United States as of last month.

This was revealed in a joint advisory issued today in coordination with the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

“As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors, with affected industries including medical, education, legal, insurance, technology and manufacturing,” CISA, FBI and MS-ISAC said on Wednesday.

“FBI, CISA and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents.”

Medusa ransomware first appeared almost four years ago, in January 2021, but the gang's activity only picked up two years later, in 2023, when it launched the Medusa Blog data-leak site to pressure victims into paying the ransom, using stolen data as leverage.

Since it emerged, the gang has claimed over 400 victims worldwide and gained media attention in March 2023, after claiming responsibility for an attack on the Minneapolis Public Schools (MPS) district and sharing a video of the stolen data.

The group also leaked files allegedly stolen from Toyota Financial Services, a subsidiary of Toyota Motor Corporation, on its dark web extortion portal in November 2023, after the company refused to pay an $8 million ransom and notified customers of a data breach.

Medusa was first introduced as a closed ransomware variant, where a single group of threat actors handled all development and operations. Although Medusa has since evolved into a ransomware-as-a-service (RaaS) operation and adopted an affiliate model, its developers continue to oversee essential operations, including ransom negotiations.

As the advisory explains, to defend against Medusa ransomware attacks, defenders are advised to take the following measures:

  • Address known security vulnerabilities to ensure operating systems, software and firmware are patched within a reasonable time.
  • Segment networks to limit lateral movement between infected devices and other devices within the organization.
  • Filter network traffic by blocking access from unknown or untrusted origins to remote services on internal systems.

It is also important to note that several malware families and cyber operations are called Medusa, including a Mirai-based botnet with ransomware capabilities and an Android malware-as-a-service (MaaS) operation discovered in 2020 (also known as TangleBot).

Because of this frequently used name, there have also been some confusing reports about the Medusa ransomware, with many believing it is the same as the well-known MedusaLocker ransomware operation, although they are completely different operations.

Last month, CISA and the FBI issued another joint advisory warning that victims from multiple industry sectors in over 70 countries, including critical infrastructure, had been breached in Ghost ransomware attacks.
