Thursday, March 13, 2025

Medusa ransomware hit over 300 critical infrastructure orgs

CISA says the Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors in the United States as of last month.

This was revealed in a joint advisory issued today in coordination with the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

“As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing,” CISA, the FBI, and MS-ISAC warned on Wednesday.

“FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents.”

Medusa ransomware surfaced almost four years ago, in January 2021, but the gang’s activity only picked up two years later, in 2023, when it launched the Medusa Blog leak site to pressure victims into paying ransoms, using stolen data as leverage.

Since it emerged, the gang has claimed over 400 victims worldwide and gained media attention in March 2023 after claiming responsibility for an attack on the Minneapolis Public Schools (MPS) district and sharing a video of the stolen data.

The group also leaked data allegedly stolen from Toyota Financial Services, a subsidiary of Toyota Motor Corporation, on its dark web extortion portal in November 2023 after the company refused to pay an $8 million ransom demand and notified customers of a data breach.

Medusa was first introduced as a closed ransomware variant, where a single group of threat actors handled all development and operations. Although Medusa has since evolved into a Ransomware-as-a-Service (RaaS) operation and adopted an affiliate model, its developers continue to oversee essential operations, including ransom negotiations.

As the advisory explains, to defend against Medusa ransomware attacks, defenders are advised to take the following measures:

  • Mitigate known security vulnerabilities to ensure operating systems, software, and firmware are patched within a reasonable timeframe.
  • Segment networks to restrict lateral movement between infected devices and other devices within the organization.
  • Filter network traffic by blocking access from unknown or untrusted origins to remote services on internal systems.
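To make the segmentation and traffic-filtering recommendations concrete, the following is an added example (not from the advisory or the original article) of an allowlist check run over constructed flow-log lines: each remote-administration service is reachable only from assumed trusted source ranges, and any other connection attempt is flagged as a violation. The service ports, subnets, hosts and log lines are assumptions for illustration, not observed Medusa activity.

```python
"""Allowlist check for remote-service exposure (added example, not from the advisory).

The subnets, hosts and flow-log lines below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from typing import NamedTuple

# Remote-administration services that should not be reachable from
# unknown or untrusted origins (port -> service name; assumed set).
REMOTE_SERVICES = {
    22: "ssh",
    445: "smb",
    3389: "rdp",
    5985: "winrm",
    5986: "winrm-tls",
}

# Assumed allowlist: which source networks may reach each service.
# In a segmented network these are the jump-host / admin VLAN ranges.
ADMIN_NET = ipaddress.ip_network("10.10.50.0/24")   # assumed admin jump hosts
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal space
ALLOWED_SOURCES = {
    "ssh": [ADMIN_NET],
    "rdp": [ADMIN_NET],
    "winrm": [ADMIN_NET],
    "winrm-tls": [ADMIN_NET],
    "smb": [INTERNAL_NET],
}


class Connection(NamedTuple):
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int


def parse_line(line: str) -> Connection:
    """Parse a constructed 'src dst dport' flow-log line."""
    src, dst, dport = line.split()
    return Connection(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))


def is_allowed(conn: Connection) -> bool:
    """True if the flow does not target a guarded service, or its source is allowlisted."""
    service = REMOTE_SERVICES.get(conn.dport)
    if service is None:
        return True  # not a remote-admin service; outside this check's scope
    return any(conn.src in net for net in ALLOWED_SOURCES[service])


def find_violations(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (src, dst, service) for every flow that reaches a guarded service
    from a source outside its allowlist, in log order."""
    violations = []
    for conn in map(parse_line, lines):
        if not is_allowed(conn):
            violations.append((str(conn.src), str(conn.dst), REMOTE_SERVICES[conn.dport]))
    return violations


# Constructed sample flows (src dst dport); not real traffic.
SAMPLE_FLOWS = [
    "10.10.50.12 10.20.1.5 3389",   # admin jump host -> RDP: allowed
    "203.0.113.45 10.20.1.5 3389",  # internet origin -> RDP: violation
    "10.30.7.88 10.20.1.5 445",     # internal workstation -> SMB: allowed
    "198.51.100.9 10.20.1.7 445",   # external origin -> SMB: violation
    "10.30.7.88 10.20.1.5 5985",    # workstation -> WinRM: violation (lateral-movement path)
    "10.30.7.88 10.20.1.5 443",     # HTTPS: not a guarded service
]

if __name__ == "__main__":
    for src, dst, service in find_violations(SAMPLE_FLOWS):
        print(f"BLOCK {src} -> {dst} ({service}): source not in allowlist")
```

The same allowlist expressed as firewall rules (deny remote-admin ports by default, permit only from the admin range) is what the advisory's filtering mitigation amounts to; running a check like this over flow or firewall logs shows where the actual network diverges from that policy, including workstation-to-workstation WinRM and RDP paths that ransomware affiliates use for lateral movement.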

It is also important to note that multiple malware families and cybercrime operations call themselves Medusa, including a Mirai-based botnet with ransomware capabilities and an Android malware-as-a-service (MaaS) operation discovered in 2020 (also known as TangleBot).

Because of this commonly used name, there has also been some confusing reporting about Medusa ransomware, with many assuming it is the same as the widely known MedusaLocker ransomware operation, even though they are entirely separate operations.

Last month, CISA and the FBI issued another joint alert warning that victims from multiple industry sectors across over 70 countries, including critical infrastructure, had been breached in Ghost ransomware attacks.
