CISA: ‘Over 300 organizations struck by Medusa ransomware’

Over 300 organizations worldwide have been impacted by Medusa ransomware since it was first identified in June 2021.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have released a joint advisory to educate IT professionals about recent known Medusa ransomware tactics, techniques, and procedures (TTPs) and Indicators of Compromise (IOCs).
According to the intelligence and cybersecurity agencies, Medusa has evolved from a closed ransomware variant into a Ransomware-as-a-Service (RaaS) operation, meaning affiliates can use Medusa’s hacking tools and infrastructure that were developed by skilled hackers in exchange for a cut of all illicit revenues.
As of February 2025, Medusa developers and affiliates have affected over 300 organizations and businesses globally. The industries that have been compromised include medical, education, legal, insurance, technology, and manufacturing.
To distribute its ransomware, Medusa developers typically recruit so-called initial access brokers (IABs) in cybercriminal forums and marketplaces. IABs are criminals engaged in infecting organizations and businesses by exploiting vulnerabilities and weaknesses in their cybersecurity. Once they succeed, they then sell access to corporate networks to malicious threat actors. Potential payments range from $100 to $1,000,000.
Medusa IABs are known to use common techniques such as phishing campaigns and exploitation of unpatched software vulnerabilities.
Once the attackers have gained access to a system, they use a variety of remote access tools already present in the victim’s environment to evade detection, move laterally through the network, and identify files for exfiltration.
Before the attackers set up the Medusa ransomware, they first install and use the program Rclone to facilitate exfiltration of data to the Medusa Command and Control servers (C2 servers) used by affiliates.
Next, the encryption software gaze.exe is deployed across the network to encrypt files and terminate all services related to backups, security, databases, communication, file sharing, and websites. Shadow copies are deleted and files are encrypted with AES-256 before the ransom note is dropped.
Lastly, affiliates manually turn off and encrypt virtual machines and delete their previously installed tools.
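The sequence just described (Rclone exfiltration, shadow copy deletion, backup service termination, then the gaze.exe encryptor) is easier to catch as a chain than as isolated events, because Rclone on its own is often legitimate. The following Python script is an added detection example, not code from the advisory or from the agencies that published it. It runs a few weighted rules over constructed, pipe-separated process-creation records (timestamp, host, user, image path, command line) and escalates a host only when the combined score of its hits crosses a threshold. The tool names Rclone and gaze.exe come from the summary above; the exact command shapes assumed for shadow copy deletion (vssadmin delete shadows) and for stopping backup services (net stop) are assumptions about typical Windows commands, not values quoted from the page, and the log lines are fabricated samples.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    command_line: str


# Detection rules applied to the process command line. Weights reflect how
# specific each step is to the chain described in the article: Rclone alone
# is often legitimate, whereas the gaze.exe encryptor is not. The command
# shapes for shadow-copy deletion and service termination are assumptions
# (typical Windows commands), not text quoted from the advisory summary.
RULES = [
    ("rclone-execution", re.compile(r"(?i)\brclone(\.exe)?\b"), 1),
    ("backup-service-stop", re.compile(r"(?i)\bnet1?(\.exe)?\s+stop\s+\S*(backup|veeam|sql|exchange)"), 2),
    ("shadow-copy-deletion", re.compile(r"(?i)\bvssadmin(\.exe)?\s+delete\s+shadows\b"), 3),
    ("gaze-encryptor", re.compile(r"(?i)(^|[\\\s])gaze\.exe\b"), 4),
]

# Constructed sample process-creation records (not real telemetry):
# timestamp|host|user|image path|command line
SAMPLE_EVENTS = [
    r"2025-02-10T01:12:04Z|WS-17|CORP\jdoe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
    r"2025-02-10T02:03:44Z|FS-01|CORP\svc_backup|C:\Users\Public\rclone.exe|rclone.exe copy D:\Shares\Finance remote:staging --transfers 8",
    r"2025-02-10T02:41:10Z|FS-01|CORP\svc_backup|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet",
    r"2025-02-10T02:41:12Z|FS-01|CORP\svc_backup|C:\Windows\System32\net.exe|net stop VeeamBackupSvc /y",
    r"2025-02-10T02:42:00Z|FS-01|CORP\svc_backup|C:\Users\Public\gaze.exe|gaze.exe -path D:\Shares",
    r"2025-02-10T03:00:00Z|WS-22|CORP\asmith|C:\Program Files\rclone\rclone.exe|rclone.exe sync C:\Users\asmith\Docs gdrive:Docs",
]


def parse_event(line: str) -> dict:
    """Split one pipe-separated record into its five fields."""
    timestamp, host, user, image, command_line = line.split("|", 4)
    return {"timestamp": timestamp, "host": host, "user": user,
            "image": image, "command_line": command_line}


def match_rules(lines) -> list:
    """Return one Alert per (event, rule) pair whose command line matches."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for name, pattern, _weight in RULES:
            if pattern.search(ev["command_line"]):
                alerts.append(Alert(ev["timestamp"], ev["host"], ev["user"],
                                    name, ev["command_line"]))
    return alerts


def host_scores(alerts) -> dict:
    """Sum rule weights per host so a chain of steps outscores any single hit."""
    weights = {name: w for name, _pattern, w in RULES}
    scores = defaultdict(int)
    for a in alerts:
        scores[a.host] += weights[a.rule]
    return dict(scores)


def hosts_to_escalate(lines, threshold: int = 4) -> list:
    """Hosts whose combined score meets the threshold, highest score first."""
    scores = host_scores(match_rules(lines))
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [host for host, score in ranked if score >= threshold]


if __name__ == "__main__":
    for a in match_rules(SAMPLE_EVENTS):
        print(f"{a.timestamp} {a.host:<6} {a.rule:<22} {a.command_line}")
    print("escalate:", hosts_to_escalate(SAMPLE_EVENTS))
```

With the default threshold, the file server FS-01 (score 10: all four steps) is escalated while WS-22, which only ran Rclone (score 1), is not; lowering the threshold to 1 surfaces every Rclone execution for review. In a real deployment the same scoring would be applied per host within a sliding time window rather than over a whole batch, and the rule set would be extended with the organisation's own backup and security service names.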
The FBI, CISA, and MS-ISAC encourage organizations to implement security measures to mitigate cyber threats related to Medusa ransomware.
Businesses must make sure that operating systems, software, and firmware are patched and kept up to date promptly. To restrict lateral movement and access to sensitive information, corporate networks should be segmented. Businesses should also filter and monitor their network traffic to prevent unknown origins from reaching remote services on internal systems.