FBI Alerts Users to Urgent Medusa Ransomware Threats


DENVER, Colo. — The Federal Bureau of Investigation has issued an urgent warning regarding the persistent Medusa ransomware attacks, affecting various sectors including healthcare, education, and manufacturing. This advisory follows new insights into the ransomware’s tactics and a recent joint alert with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) dated March 12, 2025.

Since its emergence in June 2021, the Medusa ransomware group has targeted over 300 victims, gaining access through both social engineering and unpatched software vulnerabilities. The FBI has stated that these tactics have evolved into active threats against critical infrastructure, prompting the need for immediate action from all organizations.

The FBI’s recent alert emphasizes enabling two-factor authentication (2FA) for webmail services such as Gmail and Outlook, as well as for Virtual Private Networks (VPNs). “Enabling 2FA is a critical step in protecting sensitive data from ransomware attacks,” the FBI stated in their advisory.

According to Tim Morris, chief security advisor at Tanium, the multifaceted nature of Medusa’s attacks demands that organizations adopt comprehensive security measures. “Medusa is an apt name for this attack, considering its multi-faceted impacts on various industries,” Morris explained. He urged organizations to manage their assets properly and implement robust defenses to mitigate risks.

Jon Miller, CEO of Halcyon, further highlighted the group’s targeting of critical infrastructure entities, asserting that “Ransomware operators like Medusa focus on gaining leverage to extort organizations.” He emphasized how the group exploits security gaps to escalate privileges and exfiltrate sensitive data.

The Medusa group’s tactics include executing encrypted commands via PowerShell to avoid detection and employing tools like Mimikatz to access credentials. “Once inside a network, Medusa utilizes sophisticated strategies to maximize impact,” Miller stated, adding that these measures can terminate over 200 Windows services and disrupt security software.
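The two behaviours mentioned above, encoded PowerShell command lines and mass termination of Windows services, are both visible in process-creation telemetry. The following is an added detection example (not code from the FBI/CISA advisory or from any of the quoted vendors): it decodes `-EncodedCommand` payloads (PowerShell accepts the base64 of a UTF-16LE string) and flags service-stop commands, whether they appear in clear text or inside the decoded payload. The log lines, host names, user names, the `ExampleSvc` service name, the regexes and the burst threshold are all constructed assumptions for illustration.

```python
import base64
import re
from typing import Optional

# Constructed sample payload: a benign-looking service-stop command, encoded the
# way PowerShell expects for -EncodedCommand (base64 over UTF-16LE). Hypothetical.
ENCODED_SAMPLE = base64.b64encode(
    "Stop-Service -Name ExampleSvc -Force".encode("utf-16le")
).decode("ascii")

# Constructed sample process-creation records, "timestamp|host|user|command_line".
# None of these come from the advisory; they exist only to exercise the detector.
SAMPLE_LOGS = [
    "2025-03-13T08:01:10|WS01|alice|powershell.exe -NoProfile -Command Get-Date",
    f"2025-03-13T08:02:44|WS02|svc-backup|powershell.exe -nop -w hidden -enc {ENCODED_SAMPLE}",
    "2025-03-13T08:03:02|WS02|svc-backup|cmd.exe /c net stop ExampleSvc",
    "2025-03-13T08:04:15|WS03|bob|notepad.exe C:\\Users\\bob\\notes.txt",
]

# -e / -ec / -enc / -EncodedCommand followed by a base64 token. PowerShell accepts
# any unambiguous prefix of the switch; the common short forms are covered here.
ENCODED_FLAG = re.compile(r"(?i)\s-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_WINDOW = re.compile(r"(?i)\s-w(?:indowstyle)?\s+hidden\b")
SERVICE_STOP = re.compile(r"(?i)\b(?:net\s+stop|stop-service|sc(?:\.exe)?\s+stop)\b")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        # Not valid base64 / UTF-16LE: treat it as an ordinary argument.
        return None


def analyze(cmdline: str) -> list[str]:
    """Return the list of findings for a single command line (empty if benign)."""
    findings = []
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded_powershell")
    if HIDDEN_WINDOW.search(cmdline):
        findings.append("hidden_window")
    # Look for service termination both in clear text and inside the decoded payload.
    if SERVICE_STOP.search(cmdline) or (decoded and SERVICE_STOP.search(decoded)):
        findings.append("service_stop")
    return findings


def scan(lines: list[str]) -> list[dict]:
    """Run analyze() over pipe-delimited records and keep only those with findings."""
    results = []
    for line in lines:
        ts, host, user, cmdline = line.split("|", 3)
        findings = analyze(cmdline)
        if findings:
            results.append({
                "ts": ts, "host": host, "user": user,
                "findings": findings,
                "decoded": decode_encoded_command(cmdline),
            })
    return results


def service_stop_bursts(results: list[dict], threshold: int) -> dict:
    """Hosts whose service-stop count reaches the threshold.

    The advisory describes termination of over 200 services, so a production
    threshold would be far higher than the value used for this small sample.
    """
    counts: dict = {}
    for r in results:
        if "service_stop" in r["findings"]:
            counts[r["host"]] = counts.get(r["host"], 0) + 1
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for hit in hits:
        print(hit)
    print("service-stop bursts:", service_stop_bursts(hits, threshold=2))
```

In practice the same logic would run over Sysmon Event ID 1 or Windows Security Event ID 4688 command lines; decoding the payload before matching is what keeps a simple keyword rule from being bypassed by encoding alone.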

Miller stressed the importance of fortifying defenses to resist ransomware attacks, pointing out that organizations should prepare to withstand attacks without relying solely on ransom payments or backups: “Eliminating the incentive to pay is crucial in disrupting the ransomware industry’s financial model.”

In addition to the FBI’s recommendations, Dan Lattimer from Semperis noted the high persistence of the Medusa ransomware. “Defenders must tackle the presence of Medusa and deploy recommended mitigations such as software patches and network segmentation,” Lattimer advised. He warned that the assumption of a breach could shift focus from solely preventing breaches to efficiently detecting and responding once a breach occurs.

Challenges also arise from how organizations perceive security training; Roger Grimes from KnowBe4 raised concerns over the lack of emphasis on training to combat social engineering tactics in the FBI’s advisory. Grimes remarked, “It’s like learning that criminals are breaking into your house all the time through the windows and then recommending more locks for the doors.”

Despite the ongoing threat, the FBI has consistently advised against paying ransoms. Lattimer cited recent research indicating that 75% of organizations have faced multiple ransomware attacks in the past year, with many opting to pay ransoms without assured recovery of their data. “Paying ransoms should only be considered in life-and-death situations,” he stated.

This advisory comes as the FBI’s Denver Field Office has also warned users of a newly uncovered scam involving free document conversion tools that can lead to ransomware attacks. Special Agent Mark Michalek stressed the importance of using reputable services to prevent malware infiltration.

The FBI and CISA have advised all users to adopt long, unique passwords and enable multifactor authentication across all accounts. Keeping operating systems and applications up to date is also imperative to mitigate risks associated with ransomware and other cyber threats.
