The Rising Threat of Medusa Ransomware in Critical Infrastructure
Over 300 entities in vital sectors like healthcare, technology, and manufacturing have fallen prey to a ransomware variant identified as Medusa. With significant increases in attacks reported in the initial months of 2025, both the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) are urging organizations to fortify their cyber defenses promptly.
Understanding Medusa Ransomware
Medusa operates as ransomware-as-a-service, encrypting data once it has infiltrated a system. Victims face a threat of having their stolen data published unless they meet ransom demands.
As indicated in the CISA advisory, targeted individuals or organizations receive demands for payment with a 48-hour response window. If the demand is not addressed swiftly, the perpetrators may contact victims directly via phone or email. Additionally, victims’ information appears on a leak site, accompanied by a countdown timer and links to cryptocurrency wallets for payment. To prolong this countdown, victims may pay a fee of $10,000—while Medusa actively advertises the stolen data for sale during this period. This tactic, known as “double extortion,” compels victims to pay not only for decryption of their files but also to avert the public release of sensitive information, so that restoring from backups alone does not resolve the incident.
First recognized in June 2021, Medusa ransomware has targeted various industries, including healthcare, educational institutions, legal fields, insurance, technology, and manufacturing. The advisory cites that Medusa actors frequently employ phishing attacks and exploit vulnerabilities in unpatched software to steal credentials and breach systems.
While mitigating the Medusa threat involves organizational strategies, individuals can also take proactive measures to safeguard their accounts and, by extension, the security of their companies.
Defensive Strategies Against Medusa Ransomware
The FBI and CISA recommend several measures to enhance device and data security against the Medusa threat:
- Utilize robust, complex passwords with a minimum length of 15 characters for all accounts.
- Enable multi-factor authentication (MFA) wherever feasible, particularly for webmail, VPNs, and accounts linked to critical operations.
- Regularly update operating systems, applications, and firmware to ensure vulnerabilities are promptly patched.
- Employ a VPN when accessing systems remotely to add an additional layer of security.
Furthermore, the advisory extends advice to organizations, recommending actions such as auditing user accounts, maintaining offline backup solutions, implementing network monitoring systems, and moving away from frequent mandatory password updates, which have been deemed outdated and potentially less secure.