On March 12, 2025, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory about the Medusa ransomware threat. Medusa operates as ransomware-as-a-service (RaaS), meaning it is available for use by various cybercriminals who pay for access to the ransomware. This model allows even less technically skilled attackers to launch ransomware attacks.
Medusa, active since 2021, uses a double extortion model: victims must pay both to decrypt their files and to prevent the release of their data. If victims do not respond promptly to the ransom note, Medusa actors will contact them directly by phone or email. Medusa operates a .onion data leak site, where it lists victims alongside countdowns to the release of their information. Ransom demands are posted on the site, with direct links to Medusa-affiliated cryptocurrency wallets. While the countdown runs, Medusa also advertises the sale of the data to interested parties.
Medusa actors use advanced tactics and evasive techniques to compromise systems. These include phishing campaigns and exploiting unpatched software vulnerabilities to gain access to victims’ networks.
As of February 2025, Medusa ransomware has affected over 300 victims in critical infrastructure sectors, including medical, education, legal, insurance, technology, and manufacturing.
FBI, CISA, and MS-ISAC recommend that organizations implement the mitigations below to improve their cybersecurity posture:
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud);
- Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards. In particular, require employees to use long passwords and consider not requiring frequently recurring password changes, as these can weaken security;
- Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems;
- Keep all operating systems, software, and firmware up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats. Prioritize patching known exploited vulnerabilities in internet-facing systems;
- Segment networks to prevent the spread of ransomware. Network segmentation can help prevent the spread of ransomware by controlling traffic flows between—and access to—various subnetworks and by restricting adversary lateral movement;
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network. Endpoint detection and response (EDR) tools are particularly useful for detecting lateral connections because they have insight into common and uncommon network connections for each host;
- Require VPNs or jump hosts for remote access;
- Monitor for unauthorized scanning and access attempts;
- Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems. This prevents threat actors from directly connecting to remote access services that they have established for persistence;
- Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege;
- Review domain controllers, servers, workstations, and active directories for new and/or unrecognized accounts;
- Disable command-line and scripting activities and permissions. Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally;
- Disable unused ports;
- Maintain offline backups of data, and regularly test backup and restoration procedures. By instituting this practice, the organization helps ensure it will not be severely interrupted or left with irretrievable data; and
- Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
You can read the entire Medusa Ransomware advisory here:
#StopRansomware: Medusa Ransomware | CISA