CISA says the Medusa ransomware operation has impacted over 300 organizations in critical infrastructure sectors in the United States until last month.

This was revealed in a joint advisory issued today in coordination with the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

“As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing,” CISA, the FBI, and MS-ISAC warned on Wednesday.

“FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents.”

As the advisory explains, to defend against Medusa ransomware attacks, defenders are advised to take the following measures:

• Mitigate known security vulnerabilities to ensure operating systems, software, and firmware are patched within a reasonable timeframe,
• Segment networks to limit lateral movement between infected devices and other devices within the organization, and
• Filter network traffic by blocking access from unknown or untrusted origins to remote services on internal systems.

Medusa ransomware surfaced almost four years ago, in January 2021, but the gang’s activity only picked up two years later, in 2023, when it launched the Medusa Blog leak site to pressure victims into paying ransoms using stolen data as leverage.

Since it emerged, the gang has claimed over 400 victims worldwide and gained media attention in March 2023 after claiming responsibility for an attack on the Minneapolis Public Schools (MPS) district and sharing a video of the stolen data.

The group also leaked files allegedly stolen from Toyota Financial Services, a subsidiary of Toyota Motor Corporation, on its dark extortion portal in November 2023 after the company refused to pay an $8 million ransom demand and notified customers of a data breach.

Medusa was first introduced as a closed ransomware variant, where a single group of threat actors handled all development and operations. Although Medusa has since evolved into a Ransomware-as-a-service (RaaS) operation and adopted an affiliate model, its developers continue to oversee essential operations, including ransom negotiations.

“Medusa developers typically recruit initial access brokers (IABs) in cybercriminal forums and marketplaces to obtain initial access to potential victims,” they added. “Potential payments between $100 USD and $1 million USD are offered to these affiliates with the opportunity to work exclusively for Medusa.”

It’s also important to note that multiple malware families and cybercrime operations call themselves Medusa, including a Mirai-based botnet with ransomware capabilities and an Android malware-as-a-service (MaaS) operation discovered in 2020 (also known as TangleBot).

Due to this commonly used name, there’s also been some confusing reporting about Medusa ransomware, with many thinking it’s the same as the widely known MedusaLocker ransomware operation, although they’re entirely different operations.

Last month, CISA and the FBI issued another joint alert warning that victims from multiple industry sectors across over 70 countries, including critical infrastructure, have been breached in Ghost ransomware attacks.