Newsinterpretation

Medusa Ransomware Crisis: 300 Major Organizations Under Siege

The FBI, along with the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has issued a serious warning about the Medusa ransomware. This cyberattack has already compromised over 300 organizations that provide essential services, including hospitals, schools, law firms, insurance companies, technology firms, and manufacturers.

Medusa is a type of ransomware-as-a-service (RaaS), which means that different cybercriminals can use it to launch attacks while its creators manage key aspects like ransom negotiations. The attackers use a “double extortion” strategy. First, they lock victims out of their own files by encrypting them. Then, they threaten to release the stolen data publicly if the victim does not pay the ransom. This method puts immense pressure on organizations to meet the hackers’ demands.

How Medusa Ransomware Works

Medusa ransomware first appeared in June 2021 and was originally run by a small group. However, it has since grown into a larger network where different criminals can pay to use it. The FBI’s latest investigation, completed as recently as February 2025, has revealed the methods these hackers use to break into computer systems.

Step 1: Getting Inside the System

Hackers working with Medusa often buy access to networks from “initial access brokers” (IABs). These brokers gain entry into a system by tricking employees through fake emails (phishing attacks) or by taking advantage of software weaknesses that have not been fixed. Two major security flaws that Medusa has been using are:

  • CVE-2024-1709 – An authentication bypass in ConnectWise ScreenConnect that lets attackers log in without valid credentials.
  • CVE-2023-48788 – An SQL injection flaw in Fortinet EMS that gives attackers a way into the system.

Step 2: Spying and Spreading Inside the Network

Once inside, Medusa’s operators try to blend in with normal computer activity. They use common Windows tools like PowerShell and the Command Prompt to avoid raising suspicion. To gather information about the system, they use software such as:

  • Advanced IP Scanner
  • SoftPerfect Network Scanner

Hackers also install remote access tools like AnyDesk, Atera, and ConnectWise. These programs help them stay inside the network for long periods without being noticed. Using Remote Desktop Protocol (RDP) and a tool called PsExec, they move across different computers within the organization.

One particularly dangerous trick they use is Mimikatz, a tool that steals passwords stored in the system. This allows them to gain full access to important accounts, making it easier to take over the entire network.

Step 3: Stealing and Locking Data

Before locking files, Medusa’s attackers steal sensitive data using Rclone, a program that copies files to cloud storage. Then, they deploy a file-encrypting program called gaze.exe, which:

  • Encrypts all files with strong AES-256 encryption and adds a .medusa extension to them.
  • Shuts down key services like backups, security programs, and database systems to prevent recovery.
  • Deletes shadow copies (automatic backups made by Windows), making it impossible to restore files without the decryption key.

After the encryption process, the hackers give victims 48 hours to respond. They force organizations to negotiate using Tor-based live chat or Tox messenger, which are anonymous communication platforms. If victims ignore them, the hackers go one step further and call or email them directly to demand payment.
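The three steps above describe a chain a defender can look for in endpoint telemetry. The following is an added example, not code from the advisory or the article, that scans constructed Windows process-creation records for the stages described (Rclone exfiltration, shadow-copy deletion, PsExec lateral movement, Mimikatz, stopping backup or security services) and escalates a host only when more than one stage appears on it; the command-line patterns and the sample log are assumptions, since the article does not quote Medusa's actual commands.

```python
"""Flag Medusa-style precursors in Windows process-creation logs (added example).
Command-line patterns are assumed typical invocations of the tools named in the
article; the advisory text does not quote Medusa's exact commands."""
import re
from collections import defaultdict
from dataclasses import dataclass

RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "cloud_exfil_rclone": re.compile(r"\brclone(\.exe)?\s+(copy|sync|move)\b", re.I),
    "lateral_psexec": re.compile(r"\bpsexec(64)?(\.exe)?\s+\\\\", re.I),
    "credential_dump_mimikatz": re.compile(r"mimikatz|sekurlsa::", re.I),
    "service_stop_recovery": re.compile(
        r"\b(net1?|sc)(\.exe)?\s+stop\s+\S*(backup|sql|veeam|defend)", re.I),
}

@dataclass
class Event:
    host: str
    user: str
    cmdline: str

def classify(event: Event) -> list[str]:
    """Names of every rule whose pattern appears in the event's command line."""
    return [name for name, rx in RULES.items() if rx.search(event.cmdline)]

def triage(events: list[Event], min_stages: int = 2) -> dict[str, set[str]]:
    """Group hits per host and keep hosts showing at least min_stages stages.
    One hit may be admin noise; several distinct stages on one host match the
    steal-then-lock sequence described above."""
    stages = defaultdict(set)
    for ev in events:
        for name in classify(ev):
            stages[ev.host].add(name)
    return {host: s for host, s in stages.items() if len(s) >= min_stages}

# Constructed sample log for the demo; not real telemetry.
SAMPLE_EVENTS = [
    Event("WS-07", "svc_admin", r"rclone.exe copy D:\Finance remote:dump --transfers 32"),
    Event("WS-07", "svc_admin", r"vssadmin.exe delete shadows /all /quiet"),
    Event("WS-07", "svc_admin", r"psexec.exe \\FS-01 -s cmd.exe /c gaze.exe"),
    Event("WS-12", "jsmith", r"vssadmin.exe list shadows"),  # benign lookup, no hit
    Event("WS-12", "jsmith", r"net stop BackupExecAgent"),   # single hit, not escalated
]

if __name__ == "__main__":
    for host, s in triage(SAMPLE_EVENTS).items():
        print(f"ESCALATE {host}: {sorted(s)}")
```

Running it escalates only WS-07, where three distinct stages appear; WS-12 shows a single service stop that on its own could be routine maintenance.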

Medusa Ransomware: How Cybercriminals Exploit Vulnerabilities

Medusa operators maintain a secret website on the dark web, where they list their victims and show countdown timers that indicate when stolen data will be released. This puts extra pressure on organizations to pay. In some cases, even after victims pay the ransom, another criminal might claim that the first payment was stolen. These hackers then demand more money for the “real” decryption key, showing just how untrustworthy these ransom deals can be.

The FBI, CISA, and MS-ISAC strongly advise against paying ransom. There is no guarantee that victims will get their files back, and paying only encourages hackers to continue attacking other organizations. Instead, authorities urge companies to report any incidents immediately to the FBI’s Internet Crime Complaint Center (IC3), local FBI field offices, or CISA’s official reporting system.

Cyberattacks like Medusa ransomware pose a serious threat to public and private sectors. Organizations must stay alert, patch vulnerabilities, and educate employees to prevent falling victim to these increasingly aggressive cybercriminals.

Renuka Bangale
Renuka is a distinguished Chartered Accountant and a Certified Digital Threats Analyst from Riskpro, renowned for her expertise in cybersecurity. With a deep understanding of cybercrimes, malware, cyber warfare, and espionage, she has established herself as an authority in the field. Renuka combines her financial acumen with advanced knowledge of digital threats to provide unparalleled insights into the evolving landscape of information security. Her analytical prowess enables her to dissect complex cyber incidents, offering clarity on risks and mitigation strategies. As a key contributor to Newsinterpretation’s information security category, Renuka delivers authoritative articles that educate and inform readers about emerging threats and best practices.
