Introduction
The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a Cybersecurity Advisory concerning the Medusa ransomware-as-a-service (RaaS) variant [2] [3] [5] [8] [9] [10]. The advisory highlights the significant threat posed by Medusa, which has increasingly targeted critical infrastructure sectors, and provides detailed insight into its tactics, techniques, and procedures (TTPs) [4] [5] [6] [7] [8] [9] [10].
Description
The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), released a Cybersecurity Advisory on March 12, 2025, titled “#StopRansomware: Medusa Ransomware” [2] [3] [5] [8] [10]. The advisory details the tactics, techniques, and procedures (TTPs) employed by the Medusa ransomware-as-a-service (RaaS) variant, whose impact has escalated significantly: as of January 2025 it had affected over 300 organizations across critical infrastructure sectors, including healthcare, education, legal, insurance, technology, and manufacturing, double the number from the previous year [1] [2] [4] [5] [6] [7] [8] [9] [10].
Medusa has been identified as a RaaS variant since June 2021 and operates on an affiliate model, while its developers retain control over key operations such as ransom negotiations [9]. The ransomware employs a double extortion scheme, encrypting victim data and threatening to publicly release exfiltrated confidential information if the ransom is not paid [2] [7] [8]. Initial access is typically gained through phishing campaigns, collaboration with initial access brokers (IABs), and exploitation of unpatched software vulnerabilities [6] [8] [9] [10]. Notable vulnerabilities include the ScreenConnect authentication bypass (CVE-2024-1709) and the Fortinet EMS SQL injection flaw (CVE-2023-48788) [8].
Once inside a network, Medusa actors use legitimate administrative and remote-management tools such as PowerShell, AnyDesk, Atera, and ConnectWise to evade detection, move laterally, and deploy encryption payloads [7] [8] [9]. They also employ living-off-the-land (LotL) techniques that blend in with normal network activity [4] [9], and use Rclone to exfiltrate data to external cloud storage. The encryptor, gaze.exe, is launched with tools such as Sysinternals PsExec; it encrypts files with AES-256 and terminates services related to backups and security [5] [9]. Encrypted files are given a .medusa extension [5].
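Because each tool in the paragraph above is also used legitimately, the useful detection signal is the combination of several of them on one host. The following added example (not from the advisory or any of the cited sources) runs simple rules over constructed Sysmon-style process-creation records and escalates only hosts that trip two or more distinct rules; the Atera/ConnectWise path fragments and the sample service name are assumptions.

```python
import json
import re
from collections import defaultdict

# Image-path rules for the tools named above (AnyDesk, Atera, ConnectWise, PsExec,
# Rclone, gaze.exe). Atera/ConnectWise fragments are assumptions; tune to your EDR.
IMAGE_RULES = [
    ("remote_mgmt_tool", re.compile(r"(anydesk|atera|screenconnect|connectwise)", re.I)),
    ("psexec", re.compile(r"\\(psexec(64)?|psexesvc)\.exe$", re.I)),
    ("rclone_exfil", re.compile(r"\\rclone\.exe$", re.I)),
    ("gaze_encryptor", re.compile(r"\\gaze\.exe$", re.I)),
]
# Command-line rules: service shutdown (backup/security services are stopped
# before encryption) and encoded PowerShell as a living-off-the-land signal.
CMD_RULES = [
    ("service_stop", re.compile(r"\b(net|sc)(\.exe)?\s+stop\b", re.I)),
    ("encoded_powershell", re.compile(r"powershell.*\s-(e|enc|encodedcommand)\s", re.I)),
]

def classify(event):
    """Return the names of every rule one process-creation event trips."""
    hits = [n for n, rx in IMAGE_RULES if rx.search(event.get("Image", ""))]
    hits += [n for n, rx in CMD_RULES if rx.search(event.get("CommandLine", ""))]
    return hits

def triage(lines):
    """Map each host to the sorted set of distinct rules observed on it."""
    per_host = defaultdict(set)
    for line in lines:
        ev = json.loads(line)
        per_host[ev["Computer"]].update(classify(ev))
    return {h: sorted(r) for h, r in per_host.items() if r}

def escalated(lines, min_rules=2):
    """Hosts tripping at least min_rules distinct rules. A lone AnyDesk
    launch is routine; AnyDesk plus Rclone plus service stops is not."""
    return sorted(h for h, r in triage(lines).items() if len(r) >= min_rules)

# Constructed Sysmon-style process-creation records, not real telemetry.
SAMPLE = [json.dumps(e) for e in [
    {"Computer": "ws01", "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"Computer": "ws01", "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "CommandLine": "AnyDesk.exe"},
    {"Computer": "srv02", "Image": r"C:\Windows\PSEXESVC.exe", "CommandLine": "PSEXESVC.exe"},
    {"Computer": "srv02", "Image": r"C:\Users\Public\rclone.exe", "CommandLine": r"rclone.exe copy D:\Shares remote:bucket"},
    {"Computer": "srv02", "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net stop BackupSvc"},
    {"Computer": "srv02", "Image": r"C:\Users\Public\gaze.exe", "CommandLine": "gaze.exe"},
    {"Computer": "ws03", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -EncodedCommand <base64-placeholder>"},
]]
```

Calling `triage(SAMPLE)` shows every host's hits, while `escalated(SAMPLE)` returns only `srv02`, the host where PsExec, Rclone, a service stop and gaze.exe appear together.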
Victims receive a ransom note demanding payment within 48 hours via a Tor-based live chat or Tox, an encrypted messaging platform [5] [8]. If there is no response, Medusa actors may escalate contact by phone or email [5] [9]. The group also operates a .onion data leak site where victims are listed alongside ransom demands and countdowns to data release [5]. Reports indicate that even after a ransom is paid, victims may face additional extortion demands from different Medusa actors, pointing to a potential triple extortion scheme [5] [8]. The group gained notoriety in 2023 following high-profile attacks, including those on Toyota and the Minneapolis Public Schools board, and research indicates a 42% increase in Medusa ransomware attacks from 2023 to 2024 and a notable escalation in early 2025 [1].
CISA urges network defenders to review the advisory and implement the recommended mitigations to reduce the likelihood and impact of Medusa ransomware incidents [6]. To mitigate the risk of Medusa ransomware, organizations are advised to keep operating systems, software, and firmware up to date; to patch known vulnerabilities promptly, prioritizing internet-facing systems; to segment networks to limit lateral movement; to require multi-factor authentication; and to filter network traffic to block access from unknown or untrusted sources [1] [2] [5] [6] [7] [8] [10]. CISA also emphasizes security awareness training as a primary defense against social engineering, a significant vector for ransomware spread [10]. To support validation, AttackIQ has released an assessment template that incorporates the latest TTPs revealed in the advisory, allowing security teams to evaluate their posture against opportunistic adversaries and continuously validate detection and prevention measures [4]. Further guidance on ransomware protection, detection, and response is available in the #StopRansomware Guide [2] [4] [6] [7] [8] [9] [10].
Conclusion
The Medusa ransomware poses a significant threat to critical infrastructure sectors, with its sophisticated tactics and potential for triple extortion. Organizations must remain vigilant and proactive in implementing the recommended mitigations to safeguard against such threats. Continuous evaluation and adaptation of security measures are crucial to counteract the evolving landscape of ransomware attacks. The advisory serves as a critical resource for understanding and mitigating the risks associated with Medusa ransomware.
References
[1] https://www.itpro.com/security/ransomware/medusa-ransomware-cisa-advisory
[2] https://executivegov.com/2025/03/medusa-ransomware-advisory/
[3] https://insidecybersecurity.com/daily-news/cisa-state-government-info-sharing-center-publish-details-medusa-ransomware-service
[4] https://www.attackiq.com/2025/03/13/cisa-advisory-aa25-071a/
[5] https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a
[6] https://www.cisa.gov/news-events/alerts/2025/03/12/cisa-and-partners-release-cybersecurity-advisory-medusa-ransomware
[7] https://www.cybersecuritydive.com/news/medusa-ransomware-slams-critical-infrastructure-organizations/742428/
[8] https://www.infosecurity-magazine.com/news/cisa-fbi-warn-medusa-ransomware/
[9] https://cyberinsider.com/fbi-medusa-ransomware-has-breached-300-critical-infrastructure-organizations/
[10] https://www.manufacturing.net/cybersecurity/article/22935960/advisory-issued-for-medusa-ransomware