In a joint advisory, US federal agencies have issued a cybersecurity warning about a sharp increase in attacks by Medusa ransomware, urging business leaders and IT teams to act immediately to protect their organizations.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released the advisory as part of the national #StopRansomware initiative, which focuses on helping entities defend against ransomware threats.
The Impact on Critical Infrastructure and Business Operations
Medusa ransomware is a Ransomware-as-a-Service (RaaS) operation first detected in 2021. Since then, Medusa has been used to hit over 300 entities, including those in healthcare, education, legal, insurance, technology, and manufacturing.
These attacks are especially dangerous because they use double extortion — encrypting company data and threatening to leak it publicly unless a ransom is paid.
Unlike some ransomware, Medusa is centrally operated, meaning ransom negotiations are tightly controlled, and affiliates are recruited to spread the malware in exchange for a cut of ransom payments.
“Potential payments between $100 USD and $1 million USD are offered to these affiliates with the opportunity to work exclusively for Medusa. Medusa IABs (affiliates) are known to make use of common techniques,” the advisory says.
For business leaders, an attack can result in crippled operations, legal liability for leaked data, regulatory fines, and reputational damage. For IT and security teams, the attacks highlight critical vulnerabilities in unpatched systems and weak network segmentation.
How Medusa Operates
Medusa actors gain access to networks in several ways, including phishing campaigns that steal user credentials and exploit unpatched software vulnerabilities, including known flaws like:
ScreenConnect (CVE-2024-1709) — an authentication bypass vulnerability.
Fortinet EMS (CVE-2023-48788) — an SQL injection flaw.
Once inside a network, Medusa uses tools like Advanced IP Scanner, PowerShell, and cmd.exe to map out systems and identify valuable data to steal or encrypt. Attackers also leverage legitimate remote management tools already present in victim environments to move undetected.
Common targets include:
- Critical databases (SQL, MySQL, Firebird)
- Remote access ports (RDP, SSH)
- Web proxies and file transfer ports (FTP, SFTP, HTTP, HTTPS)
Evading Detection
Medusa actors are skilled at avoiding detection. They hide malicious files and commands using PowerShell obfuscation and base64 encoding, and use Windows legitimate tools like certutil to avoid triggering antivirus software.
Also, they disable endpoint detection tools, create firewall rules to maintain access and steal administrator credentials with tools like Mimikatz to spread further inside the network. Once inside, they use Rclone for data exfiltration and deploy the gaze.exe encryptor to lock down files, adding a .medusa extension to encrypted files.
Organizations Should Act Now
Business leaders and IT teams are urged to take immediate steps to prevent or limit the impact of a Medusa ransomware attack:
- Patch all known vulnerabilities, especially for public-facing services like VPNs, RDP, and third-party remote support tools.
- Segment networks to prevent malefactors from moving laterally once inside — limit what each part of your network can access.
- Block inbound connections from unknown or untrusted IP addresses.
- Limit user permissions and implement multifactor authentication (MFA) to reduce credential-based attacks.
- Monitor for abnormal PowerShell or CMD activity, especially those using encoded commands.
- Disable unused remote management tools that attackers may leverage, such as AnyDesk or ConnectWise, unless explicitly needed.
- Regularly back up data offline and test restoration processes to ensure business continuity in case of an attack.
- Educate employees on how to spot phishing emails — a common entry point for these attacks.
The Bigger Picture
The Medusa ransomware advisory comes amid a broader rise in ransomware attacks targeting critical infrastructure and major business sectors. These incidents are not only IT issues but business risks that can halt operations, disrupt supply chains and expose sensitive client and employee data.
Executive teams should insist on a ransomware risk assessment from their security leaders. IT teams should verify that critical patches have been applied and review incident response plans to ensure readiness. Entities should coordinate with law enforcement and industry groups to stay informed of the latest threats.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.