
Medusa Ransomware Targets Over 300 Critical Infrastructure Organizations

The Medusa ransomware gang has launched attacks against more than 300 organizations in critical sectors, including healthcare, education, legal, insurance, technology, and manufacturing, according to a joint advisory from U.S. cybersecurity agencies.

 

The FBI, CISA, and MS-ISAC warned that the ransomware-as-a-service operation, active since June 2021, continues to exploit unpatched vulnerabilities and use phishing tactics to gain access to victims’ systems. The group’s affiliates have recently been observed exploiting flaws in widely used tools, including CVE-2024-1709 (affecting ScreenConnect) and CVE-2023-48788 (impacting Fortinet products).

 

Unlike some ransomware gangs that operate openly on cybercriminal forums, Medusa started as a closed operation before transitioning to an affiliate model. The group recruits initial access brokers (IABs) and offers payments ranging from $100 to $1 million in exchange for access to potential victims. Despite this expansion, Medusa’s core developers still control ransom negotiations.

 

Victims receive a ransom demand with a 48-hour deadline, after which the hackers escalate their threats by reaching out via phone or email. The group’s leak site advertises stolen data for sale, amplifying the pressure on victims. In one FBI-documented case, a Medusa affiliate attempted a triple extortion scheme, falsely claiming the original ransom had been stolen and demanding an additional payment for a “true decryptor.”

 

Medusa has gained notoriety for high-profile breaches, including a 2023 attack on Minneapolis Public Schools that exposed sensitive student records. The group has also targeted government agencies in the Philippines, municipalities in France, and technology firms in Canada. U.S. state and local governments in Illinois and Texas have also fallen victim to the ransomware gang, though one of its recent claims regarding an attack on Aurora, Colorado, was disputed by city officials.

 

With Medusa’s continued activity and evolving extortion tactics, cybersecurity experts urge organizations to patch vulnerabilities, strengthen phishing defenses, and develop robust incident response plans.



© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543