The Cybersecurity and Infrastructure Security Agency (CISA) has revealed that the Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors across the U.S. as of last month.
The disclosure came through a joint advisory in collaboration with the FBI and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
The advisory highlights that Medusa has targeted healthcare, education, legal, insurance, technology, and manufacturing industries. Security agencies are urging organizations to follow recommended mitigation measures, including:
- Patching vulnerabilities in operating systems, software, and firmware.
- Segmenting networks to prevent attackers from spreading across systems.
- Filtering network traffic to block unauthorized access to internal services.
Medusa ransomware first appeared in January 2021, but its activity surged in 2023 with the launch of the Medusa Blog, a leak site used to pressure victims into paying the ransom. Since then, the gang has claimed over 400 victims worldwide, including Toyota Financial Services and the Minneapolis Public Schools district.
Initially, Medusa operated as a closed ransomware variant, but it has since evolved into a Ransomware-as-a-Service (RaaS) model, recruiting affiliates from cybercriminal forums. These affiliates are reportedly offered payments ranging from $100 to $1 million to gain access to potential victims.
CISA and the FBI also noted that other cybercrime operations share the Medusa name, leading to confusion. This includes a Mirai-based botnet and an Android malware-as-a-service (MaaS) operation called TangleBot.
The warning comes after CISA and the FBI issued another alert last month regarding Ghost ransomware, which has targeted critical infrastructure in over 70 countries. Organizations are urged to take proactive security measures to reduce the risk of ransomware attacks.
Bijay Pokharel