Federal officials have issued a new cybersecurity warning about the Medusa ransomware variant, which has hit over 300 organizations across critical sectors, including healthcare, education, law, insurance, and manufacturing.
In a joint advisory, the FBI, CISA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) outlined the latest tactics, techniques, and indicators of compromise (IOCs) linked to Medusa ransomware as recently as February 2025.
Originally emerging in 2021 as a ransomware-as-a-service (RaaS) operation, Medusa actors now deploy a double-extortion model, stealing data and threatening public leaks if victims refuse to pay.
How Medusa Ransomware Attacks
Medusa affiliates gain access through phishing campaigns or exploiting known software vulnerabilities, such as ScreenConnect (CVE-2024-1709) and Fortinet EMS (CVE-2023-48788).
Once inside, attackers use PowerShell scripts, remote access tools, and credential-harvesting software such as Mimikatz to move laterally and deploy the ransomware. The gaze.exe encryptor is then spread across systems, disabling security tools, deleting backups, and encrypting files, appending the .medusa extension to each encrypted file.
Victims are directed to pay through Tor-based chats or encrypted messaging platforms. In some cases, victims reported double or triple extortion attempts, where hackers demanded further payments even after the ransom was paid.
Defense Recommendations
The advisory urges organizations to:
Segment networks and implement multi-factor authentication
Update and patch systems against known vulnerabilities
Monitor for abnormal activity and remote access attempts
Secure backups offline and test restoration processes
Limit administrative privileges and disable unused ports
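To illustrate the "monitor for abnormal activity" recommendation against the intrusion chain described above, here is an added example (not from the advisory or the agencies) that triages constructed endpoint telemetry for the artifacts the advisory names: PowerShell execution, Mimikatz, the gaze.exe encryptor, and files renamed with the .medusa extension. The event tuple layout, host names and file paths are assumptions made for the example.

```python
from collections import defaultdict

# Artifacts named in the advisory; everything else here is constructed.
ENCRYPTOR_NAME = "gaze.exe"
ENCRYPTED_EXT = ".medusa"
CRED_TOOL_HINT = "mimikatz"

# Constructed sample endpoint telemetry: (host, event_type, detail).
SAMPLE_EVENTS = [
    ("ws-17", "process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden"),
    ("ws-17", "process", r"C:\Users\Public\mimikatz.exe privilege::debug sekurlsa::logonpasswords"),
    ("ws-17", "process", r"C:\Users\Public\gaze.exe"),
    ("ws-17", "file_rename", r"C:\Finance\Q4.xlsx -> C:\Finance\Q4.xlsx.medusa"),
    ("srv-02", "process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File backup.ps1"),
    ("dc-01", "process", r"C:\Temp\mimikatz.exe sekurlsa::logonpasswords"),
    ("ws-03", "process", r"C:\Windows\explorer.exe"),  # benign, should not be flagged
]

def classify(event_type, detail):
    """Map one event to a stage of the chain the advisory describes, or None."""
    d = detail.lower()
    if event_type == "process":
        # Executable name is the last path component of the first token.
        name = d.replace("\\", "/").split()[0].rsplit("/", 1)[-1]
        if name == ENCRYPTOR_NAME:
            return "encryptor_executed"
        if CRED_TOOL_HINT in name:
            return "credential_harvesting"
        if name == "powershell.exe":
            return "powershell_execution"
    elif event_type == "file_rename" and d.endswith(ENCRYPTED_EXT):
        return "medusa_extension_written"
    return None

def triage(events):
    """Return {host: severity} for hosts showing at least one chain stage."""
    stages = defaultdict(set)
    for host, event_type, detail in events:
        stage = classify(event_type, detail)
        if stage:
            stages[host].add(stage)
    verdicts = {}
    for host, seen in stages.items():
        if {"encryptor_executed", "medusa_extension_written"} & seen:
            verdicts[host] = "critical"   # encryption under way: isolate host
        elif "credential_harvesting" in seen:
            verdicts[host] = "high"       # lateral movement likely next
        else:
            verdicts[host] = "low"        # PowerShell alone needs context
    return verdicts

if __name__ == "__main__":
    for host, severity in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {severity}")
```

A "low" verdict for PowerShell alone is deliberate: it is a common administrative tool, so it is only escalated when combined with the other stages.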
The agencies strongly discourage ransom payments, warning that paying does not guarantee recovery and may fund further attacks.
The full advisory, technical details, and mitigation resources are available at stopransomware.gov. Organizations are urged to report any ransomware incidents to the FBI’s Internet Crime Complaint Center (IC3) or CISA’s reporting systems.