The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a cybersecurity advisory warning that the Medusa ransomware has compromised over 300 critical infrastructure entities across the US, as of last month. The joint alert has been published in collaboration with the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

The advisory, published as part of the “#StopRansomware: Medusa Ransomware” initiative, provides details on the tactics, techniques, and procedures (TTPs) used by Medusa ransomware actors, along with indicators of compromise (IOCs) and detection methods. CISA noted that Medusa, which operates as a Ransomware-as-a-Service (RaaS) variant, has targeted entities across different industries including healthcare, education, legal, insurance, technology, and manufacturing.

The collaborative warning from CISA, the FBI, and MS-ISAC urges organisations to adopt recommended mitigation strategies to minimise the risk and consequences of Medusa ransomware incidents. These strategies include promptly mitigating known security vulnerabilities by patching operating systems, software and firmware; segmenting networks to restrict lateral movement; and filtering network traffic to block access from untrusted sources to internal systems.

“CISA encourages network defenders to review the advisory and implement the recommended mitigations to reduce the likelihood and impact of Medusa ransomware incidents,” the agency said.

How Medusa ransomware operates

The Medusa RaaS variant was first detected in January 2021. According to CISA, it initially functioned as a closed ransomware variant, with a single group managing its development and operations. It has since adopted an affiliate-based model, although key functions such as ransom negotiations remain under the control of its developers. Both Medusa developers and affiliates, collectively referred to as ‘Medusa actors’ in the advisory, use a double extortion tactic by encrypting victim data while threatening to expose stolen information if the ransom is not paid.

Medusa developers recruit initial access brokers (IABs) through cybercriminal forums and marketplaces to gain entry into targeted systems. These affiliates are offered payments ranging from $100,000 to $1m, with some given the opportunity to work exclusively for Medusa. To infiltrate networks, Medusa affiliates commonly use phishing campaigns to steal victim credentials and exploit unpatched software vulnerabilities.

The ransomware group made headlines in March 2023 after attacking the Minneapolis Public Schools district and leaking sensitive data, BleepingComputer reported.

In December 2024, CISA warned senior officials and politicians to enhance mobile security following reports of cyber intrusions linked to Chinese state-backed hackers targeting US telecommunications infrastructure.
