Federal authorities, including the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), have raised a red flag about the escalating danger posed by the Medusa ransomware group. The cybercriminal organization has intensified its assault, focusing more on users of major email service providers such as Gmail and Outlook. Medusa’s influence spans across various sectors, with healthcare, education, legal services, insurance, technology, and manufacturing being some of the most affected industries.
The recent surge in activity has prompted urgent calls for enhanced cybersecurity measures to fend off the growing ransomware threat. A ransomware advisory released in early March 2025 highlights a significant surge in Medusa ransomware attacks. Cybersecurity threat intelligence firm Cyble reported a 45% increase in the group’s operations in 2025 compared to the previous year. The number of reported victims has been on the rise, with 60 new victims by early March, suggesting the total could surpass 300 incidents in 2025, a sharp increase from 211 in 2024. February saw a spike, with 33 victims reported in a single month, making it the busiest month for ransomware activity across all variants.
Initially identified in June 2021, Medusa ransomware started as a closed system managed by a single group of cybercriminals but has evolved into a Ransomware-as-a-Service (RaaS) model. In this model, the core developers handle ransom negotiations while enlisting affiliates to carry out the attacks. These affiliates are often cybercriminals hired through online platforms, with payments ranging from $100 to $1 million for successful attacks.
One of Medusa ransomware’s key attributes is its sophisticated defense evasion tactics. The group utilizes Living Off the Land (LOTL) strategies, exploiting legitimate system tools to execute attacks, making detection more challenging. They employ obfuscated PowerShell scripts, encode commands in base64, split strings into smaller parts, and manipulate signed drivers to disable endpoint detection and response tools, evading detection and maintaining control within the victim network.
Furthermore, Medusa actors are adept at lateral movement within compromised networks, using remote access tools such as AnyDesk, ConnectWise, and Splashtop along with RDP and PsExec to navigate the environment and maintain control. They also exfiltrate stolen data to their command-and-control servers using the Rclone tool, encrypt files with AES-256, and delete backup systems and volume shadow copies before starting the encryption process.
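The evasion and impact behaviours described in the two paragraphs above (base64-encoded PowerShell, shadow copy deletion, Rclone exfiltration) are all visible in process-creation telemetry. The following is an added detection example, not code from the advisory or from Cyble; the event records and command lines are constructed for illustration, and the rule names and field names (`pid`, `cmdline`) are assumptions.

```python
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.I)
# Shadow-copy deletion through the built-in vssadmin tool (LOTL, as the advisory describes).
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)
# Rclone invoked to push local data to a configured remote.
RCLONE_XFER = re.compile(r"\brclone(?:\.exe)?\s+(?:copy|sync|move)\s+", re.I)

def extract_encoded_command(cmdline):
    """Return the decoded script behind an -EncodedCommand flag, or None if absent/invalid."""
    for m in ENC_FLAG.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(flag):  # e.g. -ExecutionPolicy also starts with -e
            continue
        try:  # PowerShell base64-encodes the UTF-16LE bytes of the script
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None
    return None

def triage(events):
    """Apply the three rules to process-creation events; return (pid, rule, detail) tuples."""
    alerts = []
    for ev in events:
        cmd = ev["cmdline"]
        decoded = extract_encoded_command(cmd)
        if decoded is not None:
            alerts.append((ev["pid"], "encoded_powershell", decoded))
        if SHADOW_DELETE.search(cmd):
            alerts.append((ev["pid"], "shadow_copy_deletion", cmd))
        if RCLONE_XFER.search(cmd):
            alerts.append((ev["pid"], "rclone_transfer", cmd))
    return alerts

def _b64_utf16(text):  # used only to build the constructed sample below
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")

# Constructed sample events (not real telemetry). The first payload mirrors the
# string-splitting obfuscation the advisory mentions; the last two are benign controls.
SAMPLE_EVENTS = [
    {"pid": 4412, "cmdline": "powershell.exe -nop -w hidden -enc "
                             + _b64_utf16("$a='Get-'+'Process';Invoke-Expression $a")},
    {"pid": 5120, "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 6033, "cmdline": "rclone.exe sync C:\\Shares\\Finance offsite:archive --transfers 8"},
    {"pid": 7001, "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"},
    {"pid": 7002, "cmdline": "vssadmin.exe list shadows"},
]
```

Decoding the encoded command in the alert lets an analyst see the reassembled script rather than an opaque base64 blob, which is the point at which string-splitting obfuscation stops helping the attacker.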
The group’s double extortion strategy involves encrypting data and threatening to release sensitive information publicly unless the ransom is paid. Victims are contacted through encrypted messaging platforms, and a ransom note is dropped on infected systems outlining payment instructions. Medusa has also operated a .onion data leak site, where they publish victim names and countdown timers for releasing stolen data.
In conclusion, organizations must bolster their cybersecurity defenses by implementing software patches, enforcing strong authentication measures, maintaining secure backups, and deploying endpoint detection tools to mitigate the risk of falling victim to ransomware attacks. Real-time threat intelligence is crucial, and AI-driven cybersecurity platforms like Cyble’s can provide advanced monitoring and detection capabilities to stay ahead of emerging threats. By staying informed, leveraging federal cybersecurity resources, and adopting proactive security measures, businesses and individuals can better protect their data against the persistent threat of ransomware.