
The FBI has issued an urgent warning for users of Gmail, Outlook, and VPN services to strengthen their security measures immediately, as the Medusa ransomware gang intensifies its cyberattacks. The alert highlights a rising threat to both individuals and organizations, with hackers increasingly targeting personal and enterprise-level email services and remote access networks.
Medusa, a ransomware-as-a-service (RaaS) provider, has compromised more than 300 critical infrastructure organizations since mid-2021. Using phishing schemes, unpatched software vulnerabilities, and social engineering tactics, the group gains unauthorized access to systems, encrypts victims’ data, and demands ransom payments. Recent intelligence from the FBI indicates that Medusa has shifted its focus to webmail services like Gmail and Outlook, along with VPN gateways that enable remote access to corporate networks. Once inside, attackers escalate privileges, steal sensitive data, and deploy ransomware payloads, furthering their impact.
In response to the escalating threat, the FBI has outlined key security recommendations. Users are urged to enable two-factor authentication (2FA) on all email accounts, VPNs, and remote access systems. Strong, unique passwords should be implemented, and account settings must be monitored for suspicious activity. Organizations and individuals are also advised to update software and security patches regularly to close known vulnerabilities. To limit unauthorized access, VPN connections should be restricted to trusted sources only.
The FBI’s advisory, designated AA25-071A, details Medusa’s attack methods and provides best practices for detecting and preventing ransomware incidents. Cybersecurity experts have also warned that Medusa’s phishing attacks are becoming increasingly sophisticated, with deceptive emails that mimic official communications to trick users into clicking malicious links or downloading infected attachments.
“Medusa has evolved its tactics to maximize impact,” said Tim Morris, Chief Security Advisor at Tanium. “They use PowerShell-based encryption commands and credential harvesting tools like Mimikatz to gain control over compromised systems before deploying ransomware payloads.”
The joint cybersecurity advisory from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) comes as concerns grow over the security of U.S. critical infrastructure. Healthcare, finance, and government agencies are considered particularly vulnerable. The White House has also urged organizations to strengthen their defenses against potential ransomware disruptions.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd.