Medusa Ransomware Crisis: 300 Major Organizations Under Siege

The FBI, along with the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a serious warning about the Medusa ransomware. The operation has already compromised over 300 organizations that provide essential services, including hospitals, schools, law firms, insurance companies, technology firms, and manufacturers.

Medusa is a type of ransomware-as-a-service (RaaS), which means that different cybercriminals can use it to launch attacks while its creators manage key aspects like ransom negotiations. The attackers use a “double extortion” strategy. First, they lock victims out of their own files by encrypting them. Then, they threaten to release the stolen data publicly if the victim does not pay the ransom. This method puts immense pressure on organizations to meet the hackers’ demands.

How Medusa Ransomware Works

Medusa ransomware first appeared in June 2021 and was originally run by a small group. However, it has since grown into a larger network where different criminals can pay to use it. The FBI’s latest investigation, completed as recently as February 2025, has revealed the methods these hackers use to break into computer systems.

Step 1: Getting Inside the System

Hackers working with Medusa often buy access to networks from “initial access brokers” (IABs). These brokers gain entry into a system by tricking employees through fake emails (phishing attacks) or by exploiting software vulnerabilities that have not been patched. Two major security flaws that Medusa has been exploiting are:

  • CVE-2024-1709 – A security gap in ScreenConnect that allows attackers to bypass authentication.
  • CVE-2023-48788 – A weakness in Fortinet EMS that lets hackers sneak in using SQL injection attacks.

Step 2: Spying and Spreading Inside the Network

Once inside, Medusa’s operators try to blend in with normal computer activity. They use common Windows tools like PowerShell and the Command Prompt to avoid raising suspicion. To gather information about the system, they use software such as:

  • Advanced IP Scanner
  • SoftPerfect Network Scanner

Hackers also install remote access tools like AnyDesk, Atera, and ConnectWise. These programs help them stay inside the network for long periods without being noticed. Using Remote Desktop Protocol (RDP) and a tool called PsExec, they move across different computers within the organization.

One particularly dangerous trick they use is Mimikatz, a tool that steals passwords stored in the system. This allows them to gain full access to important accounts, making it easier to take over the entire network.

Step 3: Stealing and Locking Data

Before locking files, Medusa’s attackers steal sensitive data using Rclone, a program that copies files to cloud storage. Then, they deploy a file-encrypting program called gaze.exe, which:

  • Encrypts all files with strong AES-256 encryption and adds a .medusa extension to them.
  • Shuts down key services like backups, security programs, and database systems to prevent recovery.
  • Deletes shadow copies (automatic backups made by Windows), making it impossible to restore files without the decryption key.

After the encryption process, the hackers give victims 48 hours to respond. They force organizations to negotiate using Tor-based live chat or Tox messenger, which are anonymous communication platforms. If victims ignore them, the hackers go one step further and call or email them directly to demand payment.
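The three steps above describe a recognisable sequence of tooling on a host: scanners, then remote access tools, PsExec and Mimikatz, then Rclone and gaze.exe. The triage script below, an added example that is not part of the original article, groups the tool names the article lists by intrusion stage and escalates any host whose logs show two or more stages (or any encryption indicator). The log format, the sample lines and the executable name `netscan.exe` for SoftPerfect Network Scanner are assumptions made for the example.

```python
"""Stage-based triage over host event logs for the Medusa tooling named in the
advisory.  Added example; the log format and sample lines are constructed."""
import re
from collections import defaultdict

# Indicators from the article, grouped by the stage they belong to.
# (netscan.exe as the SoftPerfect scanner binary is an assumption.)
STAGE_PATTERNS = {
    "recon":       [r"advanced_ip_scanner", r"netscan"],
    "persistence": [r"anydesk", r"atera", r"connectwise"],
    "lateral":     [r"psexec"],
    "credentials": [r"mimikatz"],
    "exfil":       [r"rclone"],
    "encryption":  [r"gaze\.exe", r"\.medusa\b"],
}

def classify(detail):
    """Return the first stage whose pattern matches this event text, or None."""
    text = detail.lower()
    for stage, patterns in STAGE_PATTERNS.items():
        if any(re.search(p, text) for p in patterns):
            return stage
    return None

# Constructed sample: "<timestamp> <host> <process or file event>"
SAMPLE_LOG = r"""
2025-03-01T09:58:11 WS01 C:\Users\bob\Downloads\Advanced_IP_Scanner.exe /portable
2025-03-01T10:02:45 WS01 C:\Windows\System32\cmd.exe /c netscan.exe
2025-03-01T10:20:03 WS01 C:\ProgramData\AnyDesk\AnyDesk.exe --service
2025-03-01T11:05:30 WS01 C:\Temp\mimikatz.exe
2025-03-01T11:30:12 WS01 C:\Temp\PsExec.exe \\FS01 cmd.exe
2025-03-01T12:00:00 FS01 C:\Temp\rclone.exe copy D:\Finance remote:bucket
2025-03-01T13:15:44 FS01 C:\Temp\gaze.exe
2025-03-01T13:16:02 FS01 FILE_RENAME D:\Finance\q1.xlsx -> D:\Finance\q1.xlsx.medusa
2025-03-01T09:00:00 WS07 C:\Program Files\Notepad++\notepad++.exe report.txt
"""

def triage(log_text, escalate_at=2):
    """Map host -> sorted stages seen; keep hosts with >= escalate_at distinct
    stages, plus any host showing the encryption stage at all."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue                      # blank or malformed line
        _ts, host, detail = parts
        stage = classify(detail)
        if stage:
            seen[host].add(stage)
    return {h: sorted(s) for h, s in seen.items()
            if len(s) >= escalate_at or "encryption" in s}

if __name__ == "__main__":
    for host, stages in triage(SAMPLE_LOG).items():
        print(f"{host}: escalate ({', '.join(stages)})")
```

RDP logons are not visible as process events, so in practice this would be paired with logon-event review; the point is the stage correlation, not the individual string matches.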

Medusa Ransomware: How Cybercriminals Exploit Vulnerabilities

Medusa operators maintain a secret website on the dark web, where they list their victims and show countdown timers that indicate when stolen data will be released. This puts extra pressure on organizations to pay. In some cases, even after victims pay the ransom, another criminal might claim that the first payment was stolen. These hackers then demand more money for the “real” decryption key, showing just how untrustworthy these ransom deals can be.

The FBI, CISA, and MS-ISAC strongly advise against paying ransom. There is no guarantee that victims will get their files back, and paying only encourages hackers to continue attacking other organizations. Instead, authorities urge companies to report any incidents immediately to the FBI’s Internet Crime Complaint Center (IC3), local FBI field offices, or CISA’s official reporting system.

Cyberattacks like Medusa ransomware pose a serious threat to public and private sectors. Organizations must stay alert, patch vulnerabilities, and educate employees to prevent falling victim to these increasingly aggressive cybercriminals.

Renuka Bangale
Renuka is a distinguished Chartered Accountant and a Certified Digital Threats Analyst from Riskpro, renowned for her expertise in cybersecurity. With a deep understanding of cybercrimes, malware, cyber warfare, and espionage, she has established herself as an authority in the field. Renuka combines her financial acumen with advanced knowledge of digital threats to provide unparalleled insights into the evolving landscape of information security. Her analytical prowess enables her to dissect complex cyber incidents, offering clarity on risks and mitigation strategies. As a key contributor to Newsinterpretation’s information security category, Renuka delivers authoritative articles that educate and inform readers about emerging threats and best practices.
