Tutorial

Take These Steps Now to Protect Your Data From Medusa Ransomware

More than 300 organizations in critical infrastructure, including the medical, tech, and manufacturing sectors, have been victimized by a ransomware threat known as Medusa—and with attacks escalating significantly in the first few months of 2025, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) are advising companies to take steps now to secure their systems.

What is Medusa ransomware?

Medusa is a ransomware-as-a-service (RaaS) operation. When deployed successfully, it encrypts your data and the operators threaten to release the information they stole beforehand unless you comply with their ransom demands.

According to the CISA advisory, victims receive ransom notes requesting a response within 48 hours, or Medusa actors will reach out to them by phone or email. Victims are also listed on a data-leak website alongside a countdown timer and ransom demands with direct links to cryptocurrency wallets. Victims can pay $10,000 to add a day to the countdown; meanwhile, Medusa advertises the data for sale before the timer runs out. This "double extortion" approach forces payment both to decrypt locked files and to prevent them from being released or sold (so even if you have a backup you can recover from, you still face the threat of the information being leaked).

The Medusa ransomware was first identified in June 2021 and has since affected organizations across the medical, education, legal, insurance, technology, and manufacturing industries. According to the advisory, Medusa actors use common tricks like phishing campaigns and exploitation of unpatched software vulnerabilities to steal victims’ credentials and gain access to their systems.

While much of the Medusa threat mitigation happens at the organizational level, there are a few things you as an individual can do to protect your accounts and—by extension—the company you work for.

How to protect yourself from Medusa ransomware

The FBI and CISA are recommending a number of steps to lock down your devices and data against the Medusa threat:

  • Use long, strong passwords for all accounts (a minimum of 15 characters is recommended).

  • Enable multi-factor authentication (MFA) wherever possible, but especially for webmail, VPNs, and accounts with access to critical systems.

  • Update operating systems, software, and firmware regularly to ensure timely patching of known vulnerabilities.

  • Use a VPN when accessing systems remotely.

The advisory also has guidance for organizations, such as auditing user accounts, maintaining offline backups, utilizing network monitoring tools, and discontinuing frequent mandatory password changes (which are considered outdated and may make systems less secure, not more).
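As an added example (not code from the original post or from the FBI/CISA advisory), the Python script below audits a user-account inventory against the checks named above: passwords of at least 15 characters, MFA on webmail, VPN and critical-system accounts, dormant accounts that an account audit should surface, and a policy that still forces frequent password rotation. The inventory fields, the 90-day dormancy and rotation thresholds, and the sample records are constructed assumptions; map your own directory export onto the `Account` shape.

```python
"""Audit a user-account inventory against the FBI/CISA Medusa mitigations.

Added example, not part of the original post or the advisory. Field names,
thresholds and sample records are constructed for the demonstration.
"""
from dataclasses import dataclass
from datetime import date

MIN_PASSWORD_LEN = 15            # advisory: at least 15 characters
DORMANT_DAYS = 90                # assumption: no login for 90 days = dormant
FREQUENT_ROTATION_DAYS = 90      # assumption: rotation at or below this is "frequent"
# Account roles the advisory singles out for MFA (webmail, VPNs, critical systems).
MFA_REQUIRED_ROLES = {"webmail", "vpn", "critical"}


@dataclass
class Account:
    name: str
    roles: set               # e.g. {"vpn", "webmail"}
    mfa_enabled: bool
    password_length: int     # from a policy/strength check, never the password itself
    last_login: date
    enabled: bool = True


def audit_account(acct: Account, today: date) -> list:
    """Return (severity, message) findings for one enabled account."""
    findings = []
    if not acct.enabled:
        return findings                      # disabled accounts are out of scope here
    if acct.password_length < MIN_PASSWORD_LEN:
        findings.append(("high", f"{acct.name}: password shorter than "
                                 f"{MIN_PASSWORD_LEN} characters"))
    sensitive = acct.roles & MFA_REQUIRED_ROLES
    if sensitive and not acct.mfa_enabled:
        findings.append(("critical", f"{acct.name}: no MFA on "
                                     f"{', '.join(sorted(sensitive))}"))
    elif not acct.mfa_enabled:
        findings.append(("medium", f"{acct.name}: MFA not enabled"))
    idle = (today - acct.last_login).days
    if idle > DORMANT_DAYS:
        findings.append(("medium", f"{acct.name}: dormant for {idle} days, "
                                   "review or disable"))
    return findings


def audit_policy(max_password_age_days) -> list:
    """Flag forced rotation; the advisory says to drop frequent mandatory changes."""
    if max_password_age_days is not None and max_password_age_days <= FREQUENT_ROTATION_DAYS:
        return [("low", f"policy forces a password change every "
                        f"{max_password_age_days} days")]
    return []


def run_audit(accounts, max_password_age_days, today: date) -> list:
    """Combine policy and per-account findings into one list."""
    findings = audit_policy(max_password_age_days)
    for acct in accounts:
        findings.extend(audit_account(acct, today))
    return findings


# Constructed sample inventory and reference date (not real accounts).
TODAY = date(2025, 3, 20)
SAMPLE_ACCOUNTS = [
    Account("alice", {"webmail", "vpn"}, True, 20, date(2025, 3, 19)),
    Account("bob", {"vpn"}, False, 12, date(2025, 3, 18)),
    Account("svc-backup", {"critical"}, False, 32, date(2024, 11, 1)),
    Account("carol", set(), False, 16, date(2025, 3, 1)),
    Account("old-intern", set(), True, 15, date(2024, 6, 30), enabled=False),
]

if __name__ == "__main__":
    for severity, message in run_audit(SAMPLE_ACCOUNTS, 90, TODAY):
        print(f"[{severity.upper():8}] {message}")
```

Running the script on the sample data yields six findings: the rotation policy, two for `bob` (short password, VPN without MFA), two for `svc-backup` (critical role without MFA, dormant since November), and one for `carol` (no MFA anywhere); `alice` is clean and the disabled `old-intern` account is skipped. Severity ordering is a deliberate choice: an unprotected VPN or critical-system login is exactly the credential-driven entry point the advisory describes, so it ranks above a merely weak password.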

Tutorial source

ZaKi

Who is mahdizk? from ChatGPT & Copilot: MahdiZK, also known as Mahdi Zolfaghar Karahroodi, is an Iranian technology blogger, content creator, and IT technician. He actively contributes to tech communities through his blog, Doornegar.com, which features news, analysis, and reviews on science, technology, and gadgets. Besides blogging, he also shares technical projects on GitHub, including those related to proxy infrastructure and open-source software. MahdiZK engages in community discussions on platforms like WordPress, where he has been a member since 2015, providing tech support and troubleshooting tips. His content is tailored for those interested in tech developments and practical IT advice, making him well-known in Iranian tech circles for his insightful and accessible writing. / Honestly, I swear that's really me. / I know full well that if I am not Zaki, my reckoning is with the recording angels. / I am the last one to cross the broken bridge of victory; I am here to take your hand when you slip.
