An FBI warning has been released regarding the Medusa threat, a ransomware attack that has claimed over 300 victims so far. The Medusa ransomware FBI advisory was released on March 12, 2025, but the investigation into the matter has been ongoing since the ransomware-as-a-service (RaaS) variant was first identified in June 2021.
The advisory was issued as a result of a joint ransomware control initiative between the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). The Medusa ransomware has affected critical infrastructure sectors across industries, so it’s best to keep your guard up and ensure you stay protected from the threats that are infiltrating the online space.
So, how to protect ourselves from the Medusa ransomware? Let’s explore that in detail.

The FBI warning on the Medusa threat may have come a few days ago, but the threat is far from over. These attacks can occur at any time. (Image: Pexels)
CISA, FBI Issue Warning on Medusa Threat—What Is It and What Should You Do?
With each passing day, the number of cybersecurity threats keeps multiplying. Setting aside the dangers of AI tools, which are also making life online less safe, we have malicious players who are always in pursuit of your data and money. Some choose wayward means to access and misuse your data and credentials directly, while others steal the data in order to blackmail you into paying them in exchange for its safe return. The Medusa ransomware is one such threat currently making the rounds.
The FBI warning on the Medusa threat notes that this danger has been around since 2021 and that it uses a double extortion tactic: it first steals (exfiltrates) sensitive data and then encrypts it so that the victim cannot access it either. Holding the data hostage, the attackers threaten to release it publicly, and the victim can do nothing to protect the information until they pay what is being asked.
Operation History of the Medusa Ransomware: Notes from the FBI Advisory
The Medusa ransomware began as a closed operation around 2021, where the developers were the ones to execute and follow through with the attack. Now, it appears that it has shifted to an affiliate model where other cybercriminals—affiliates—use the ransomware to carry out the attack, and the developers control only part of the operation.
This likely makes it harder to track all the players involved in the attack. All the attackers are collectively referred to as “Medusa actors” in the Medusa ransomware FBI advisory. Over 300 victims have been recorded, and the Medusa ransomware targets critical infrastructure like government, education, and healthcare, making it extremely dangerous to society.
#Medusa #Ransomware Activity Continues to Increase – Attacks using this ransomware jumped 42% between 2023 and 2024. Read more in our new blog: https://t.co/TraDkLYZcA pic.twitter.com/ClMyRofiXe
— Threat Intelligence (@threatintel) March 6, 2025
How Does the Medusa Ransomware Operate?
The FBI warning notice on the Medusa threat also explains how affiliates known as Initial Access Brokers (IABs) are recruited. The Medusa developers turn to cybercriminal forums and marketplaces to seek out affiliates who can help them execute the attack, offering between $100 and $1 million USD to participate in this malicious plan.
The IABs who take on the job then use deceptive tactics such as phishing emails to steal victims’ credentials and gain access to their accounts. These can take the form of bogus emails with malicious links that misdirect users. They also exploit unpatched vulnerabilities in various software to bypass the security measures meant to protect users’ data.
There are two specific vulnerabilities mentioned in the advisory. One is the ScreenConnect vulnerability CVE-2024-1709, which allows the attacker to bypass the authentication requirement and access user data. Another one is the Fortinet EMS SQL injection vulnerability CVE-2023-48788, which allows these IABs to add malicious code into the software to gain access to the database and control the internal systems.
The combination of social engineering tactics and technical exploitation of vulnerabilities makes it hard to predict where an attack might come from next.
How Does the Medusa Ransomware Evade Detection?
You might think that software operators would be able to pick up on these invasive activities and block the attackers, but unfortunately, the Medusa actors use clever techniques to evade detection. Attackers primarily rely on Living Off The Land (LOTL) techniques, meaning that they use systems and tools native to the platform to stay hidden as they operate.
They use command-line utilities such as certutil.exe, which is normally used to manage certificates, and employ various PowerShell techniques to hide their malicious activity, such as Base64 “encrypted” (in practice, encoded) commands [T1027.013] or string obfuscation [T1027]. The attackers also delete their PowerShell command history to further cover their tracks.
Medusa actors also use remote access software like AnyDesk, Atera, ConnectWise, eHorus, and N-able, in combination with Remote Desktop Protocol (RDP) and PsExec, to move laterally through the network and identify what they want to extract and encrypt.
The FBI has an extensive list of shell commands discovered during its investigations that should be studied by defenders who want to detect this activity and keep their services safe.
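To make the LOTL indicators above concrete, here is an added detection example (not code from the advisory or the FBI) that scans constructed process-creation log lines for Base64-encoded PowerShell commands, certutil.exe being used to decode data, and PowerShell history deletion. The log format, hostnames, and the encoded command are all assumptions built for this example.

```python
import base64
import re

# Constructed sample log lines (not real telemetry); format is
# "<host> <parent process> -> <command line>". The encoded command is
# generated from a benign string so the sample is self-consistent.
BENIGN_PS = "Write-Output hi"
ENCODED = base64.b64encode(BENIGN_PS.encode("utf-16-le")).decode()
SAMPLE_LOGS = [
    f"host1 explorer.exe -> powershell.exe -NoProfile -EncodedCommand {ENCODED}",
    "host1 cmd.exe -> certutil.exe -decode payload.txt out.bin",
    "host2 powershell.exe -> Remove-Item "
    "$env:APPDATA\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt",
    "host2 services.exe -> svchost.exe -k netsvcs",
    "host3 mmc.exe -> certutil.exe -viewstore Root",  # legitimate certificate use
]

# PowerShell accepts -EncodedCommand and its unambiguous prefixes (-e, -ec, -enc).
ENC_RE = re.compile(
    r"(?i)powershell(?:\.exe)?\b.*?\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)"
)
CERTUTIL_DECODE_RE = re.compile(r"(?i)\bcertutil(?:\.exe)?\b.*\s-decode\b")
HISTORY_RE = re.compile(r"(?i)ConsoleHost_history\.txt|\bClear-History\b")


def decode_encoded_command(b64):
    """-EncodedCommand carries UTF-16LE text in Base64; return it, or None if invalid."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(line):
    """Return a list of indicator labels matched by one log line (empty if benign)."""
    hits = []
    m = ENC_RE.search(line)
    if m:
        # Decoding lets an analyst see what actually ran instead of an opaque blob.
        hits.append(f"T1027.013 encoded PowerShell: {decode_encoded_command(m.group(1))!r}")
    if CERTUTIL_DECODE_RE.search(line):
        hits.append("certutil.exe used to decode Base64 data (LOTL)")
    if HISTORY_RE.search(line):
        hits.append("PowerShell command history cleared (anti-forensics)")
    return hits


def scan(lines):
    """Map each suspicious log line to its indicators; benign lines are dropped."""
    return {line: classify(line) for line in lines if classify(line)}
```

Lines that only use certutil.exe for its intended certificate-management purpose, such as the -viewstore sample, produce no hit, which keeps the rule from paging on routine administration.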
Medusa ransomware developers and affiliates, active since June 2021, have impacted over 300 victims across various U.S. critical infrastructure sectors, including medical, education, legal, insurance, technology, and manufacturing.https://t.co/84zoLQ7Ygu pic.twitter.com/cuYs43MVD8
— Alena Popova (@alenapopova) March 13, 2025
What Else Do We Know About the FBI CISA Cybersecurity Alert for 2025?
Once the attackers have captured the data, they blackmail the victims into paying if they want the data decrypted and protected from further release. Victims receive a ransom note with a 48-hour deadline to respond via a Tor browser-based live chat or via Tox, an end-to-end encrypted instant messaging platform. If there is no response, the attackers reach out via phone or email.
Medusa operates via a .onion data-leak site, where you can see the victims and the countdown for when their data will be released if they do not comply with the criminals. Along with the ransomware demands, the site also has hyperlinks to Medusa-affiliated cryptocurrency wallets and ads for the sale of the data to interested parties if the countdown runs out without any action from those affected.
If that wasn’t malicious and self-serving enough, the attackers also present victims with the option of paying $10,000 USD in cryptocurrency to extend the timer by one day.

If you spend any time online, you need to be aware of the best online practices that can keep you safe. (Image: Freepik)
How to Protect Against Medusa Ransomware? FBI-CISA Ransomware Protection Tips
The FBI-CISA cybersecurity alert for 2025 was not intended solely to raise the alarm but also to provide recommendations on how to stay protected against the Medusa ransomware. These attackers devote their time to exploring and exploiting vulnerabilities, so their attacks can be difficult to detect once they have begun infiltrating a system. It is best to update and improve systems frequently to foil their progress and keep your users safe.
The FBI warning on the Medusa threat makes it the central topic of our conversation today, but there are some safety measures that individuals and organizations need to look into as best practices to stay safe online at all times. Let’s look at the FBI-CISA ransomware protection tips to learn how you can keep your data safe.
- Establish a recovery plan in advance and ensure that you diversify how and where your data is stored so that one breach does not compromise all of your data at once
- All account passwords should comply with NIST’s standards; use long passwords to ensure accounts are protected
- Look into enabling 2-factor or multi-factor authentication as much as possible to add additional layers of protection
- Ensure all systems, software, and firmware are up-to-date at all times to minimize any room for breaches to occur
- Segment networks so that the silos can prevent the ransomware from spreading through the whole system and filter the network traffic to block untrustworthy sources
- Use network monitoring tools to track traffic and detect any unusual activity, as it might be a sign of a ransomware attack
- For remote access, ensure VPNs and Jump Hosts are employed
- Keep your eyes out for any unauthorized scanning and access attempts so that they can be investigated at once
- Audit user accounts and review domain controllers, servers, workstations, and Active Directory for any unrecognized accounts
- Disable unused ports and restrict command-line and scripting activities and permissions to make it harder for the Medusa actors to carry out their plans
- All backup data should be encrypted and immutable across the organization
- Validate and test your security controls against techniques mentioned in the advisory notice
- Report any signs of malicious activity so that concerned authorities can create a record of it and further utilize the data in future advisory notes that might protect other organizations
Why Enable 2FA Now?
Multi-factor authentication is a great way to add layers to your security that make it harder for an attacker to bypass. While an attacker may be able to obtain a password, they will not usually have access to the victim’s secondary device, which receives the additional factor needed to complete the login.
Whether you’re an individual user or an organization looking into the security of your systems, two-factor or multifactor authentication is a useful strategy to consider.
Use VPNs and Antivirus Software to Stay Safe Online
We live in a chaotic world where hackers and attackers are always looking to make a quick buck. It’s hard to comprehend their sense of enjoyment and pride over these attacks, but they’re not going anywhere soon. Whether you run a big business or a small one, protecting your data, from sensitive client information to critical project content, should be a top priority.
It is important to regularly check that all systems are functional and up-to-date and that there is someone constantly monitoring the network for any unusual activity. It is best to raise the alarm first and investigate, rather than downplay an issue and then regret it later. There are multiple online software tools that you can invest in, from VPNs and password managers to antivirus software and network manager tools that can keep you safe.
Explore what tools you need to keep your data safe, and hire experts who can monitor those systems more effectively than someone unfamiliar with the intricacies of their operation.
Staying educated about the realm of cybersecurity will be one of the most beneficial things you can do for yourself and your organization. For more breakdowns of ransomware attacks and other security vulnerabilities, come back to Technowize or subscribe so you never miss out on an issue.