WASHINGTON — The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory this week, alerting organizations to the escalating danger posed by the Medusa ransomware-as-a-service (RaaS) scheme. First identified in 2021, Medusa has surged in activity, impacting over 300 victims as of February 2025 across key industries such as medical, education, legal, insurance, technology, and manufacturing.

The advisory, released on March 12, 2025, details Medusa’s primary tactic: phishing campaigns designed to steal credentials. Once inside a network, Medusa actors—comprising developers and affiliates—deploy a double extortion strategy. They encrypt victims’ data and threaten to leak it publicly unless a ransom is paid.

CISA noted that Medusa operates a data-leak site on the dark web, displaying victim names with countdown timers signaling when stolen information will be released or sold. “Ransom demands are posted on the site, with direct hyperlinks to Medusa-affiliated cryptocurrency wallets,” the advisory stated. Victims can delay exposure by paying $10,000 in cryptocurrency to extend the timer by one day.

Since its emergence in June 2021, Medusa has evolved from a closed operation to an affiliate model, though developers retain control over ransom negotiations. The group’s reach has broadened, targeting critical infrastructure sectors with devastating effect. The 300-plus victim count reflects incidents tracked through February 2025, with the true toll possibly higher, according to cybersecurity experts cited by Symantec’s Threat Hunter Team.

To counter the threat, federal officials urged immediate action. Recommendations include patching operating systems, software, and firmware to close vulnerabilities often exploited by Medusa. They also advised implementing multifactor authentication (MFA) for all services, particularly email and virtual private networks (VPNs), to bolster security. “MFA adds a critical layer of protection against compromised credentials,” CISA emphasized. Additional guidance includes using long passwords and avoiding frequent password changes, which can weaken defenses by encouraging simpler, reusable options.

The advisory underscores Medusa’s operational sophistication. Beyond encryption, actors advertise stolen data for sale to third parties if ransoms go unpaid, amplifying pressure on victims. The FBI and CISA discourage payments, noting they don’t guarantee data recovery and may fuel further attacks. Instead, they encourage reporting incidents to the FBI’s Internet Crime Complaint Center or CISA’s 24/7 Operations Center at report@cisa.gov or 1-844-729-2472.

The warning aligns with broader cybersecurity concerns. A 2023 study cited by the Department of State found cybercrime spiked 400% during the COVID-19 pandemic, a trend persisting into 2025 with high-profile breaches like the UnitedHealth hack affecting millions. Medusa’s focus on critical sectors heightens the stakes, potentially disrupting healthcare delivery, educational operations, and industrial output.

Organizations are urged to act swiftly as Medusa’s campaign shows no signs of slowing. The advisory provides a roadmap for resilience, rooted in basic but effective cybersecurity practices.


David M. Higgins II is an award-winning journalist passionate about uncovering the truth and telling compelling stories. Born in Baltimore and raised in Southern Maryland, he has lived in several East...
