FBI Warns Users of Medusa Ransomware Threats Amid Ongoing Attacks


DENVER, Colorado — The Federal Bureau of Investigation has issued a stark warning regarding the ongoing threats posed by the Medusa ransomware gang. As of March 12, 2025, the FBI highlighted the urgent need for users of webmail services and virtual private networks to implement strengthened security measures to counteract the ransomware attacks, which have targeted over 300 victims in various critical sectors since their emergence in mid-2021.

The Medusa ransomware group, known for its advanced tactics, employs a combination of social engineering and exploitation of unpatched software vulnerabilities. Tim Morris, chief security advisor at Tanium, emphasized the importance of these measures, stating, “Medusa is an apt name for this attack, considering its multi-faceted and far-reaching impacts on various industries.” He added that organizations must understand their digital environments and implement layered defenses against such threats.

According to the FBI’s advisory, issued in partnership with the U.S. Cybersecurity and Infrastructure Security Agency, users are urged to enable two-factor authentication for Gmail, Outlook, and VPNs immediately. This recommendation forms part of a broader strategy to combat the exploitation tactics of the Medusa group, which has been involved in a double extortion model—encrypting victim data while threatening to release sensitive information publicly if the ransom is not paid.

Jon Miller, CEO of Halcyon, noted the vulnerabilities of critical infrastructure entities, saying, “These groups exploit security gaps, leveraging vulnerabilities to move laterally, escalate privileges, and exfiltrate sensitive data.” Furthermore, Miller detailed the offensive strategies employed by Medusa, which include executing encrypted commands to avoid detection and using legitimate remote access software to spread across networks.

As part of their operational disruption strategies, Medusa is capable of terminating more than 200 Windows services—targeting security software among them. To complicate data recovery efforts, the ransomware employs methods like deleting Volume Shadow Copies and disabling backup systems. Miller highlighted that effective defenses are essential to mitigate such attacks without resorting to payments.
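The recovery-inhibition and service-termination behaviour described above is something a SOC can look for in process-creation telemetry. The following detector is an added example written for this article; it is not code from the FBI/CISA advisory or from any vendor quoted here. It assumes Sysmon-style process-creation events exported as one JSON object per line with constructed field names (`ts`, `host`, `user`, `image`, `cmdline`); the sample log lines, host names and thresholds are all made up for the demonstration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: Sysmon-style process-creation events, one JSON
# object per line. Hosts, users, timestamps and commands are invented for this
# example (the raw string keeps the JSON backslash escapes intact).
SAMPLE_LOG = r"""
{"ts": "2025-03-12T09:00:01Z", "host": "WS01", "user": "CORP\\alice", "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"ts": "2025-03-12T09:01:10Z", "host": "WS01", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net stop \"SQLWriter\""}
{"ts": "2025-03-12T09:01:12Z", "host": "WS01", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net stop \"MSSQLSERVER\""}
{"ts": "2025-03-12T09:01:14Z", "host": "WS01", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\sc.exe", "cmdline": "sc stop WinDefend"}
{"ts": "2025-03-12T09:01:15Z", "host": "WS01", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net stop \"VSS\""}
{"ts": "2025-03-12T09:01:17Z", "host": "WS01", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net stop \"wuauserv\""}
{"ts": "2025-03-12T09:01:18Z", "host": "WS01", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\sc.exe", "cmdline": "sc stop \"Sense\""}
{"ts": "2025-03-12T09:01:30Z", "host": "WS01", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"}
{"ts": "2025-03-12T09:01:31Z", "host": "WS01", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmdline": "wmic shadowcopy delete"}
{"ts": "2025-03-12T09:01:32Z", "host": "WS01", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\bcdedit.exe", "cmdline": "bcdedit /set {default} recoveryenabled No"}
{"ts": "2025-03-12T09:01:33Z", "host": "WS01", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\wbadmin.exe", "cmdline": "wbadmin delete catalog -quiet"}
{"ts": "2025-03-12T09:05:00Z", "host": "WS02", "user": "CORP\\bob", "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net stop spooler"}
{"ts": "2025-03-12T09:06:00Z", "host": "WS02", "user": "CORP\\bob", "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "cmdline": "chrome.exe --profile-directory=Default"}
"""

# Command lines that inhibit system recovery (MITRE ATT&CK T1490): shadow copy
# deletion, disabling the Windows recovery environment, and backup catalog removal.
RECOVERY_INHIBIT_RULES = [
    (re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I), "shadow copy deletion via vssadmin"),
    (re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I), "shadow copy deletion via wmic"),
    (re.compile(r"bcdedit(?:\.exe)?\b.*recoveryenabled\s+no", re.I), "recovery environment disabled via bcdedit"),
    (re.compile(r"wbadmin(?:\.exe)?\s+delete\s+catalog", re.I), "backup catalog deletion via wbadmin"),
]

# Service-stop commands (MITRE ATT&CK T1489); a single one is routine admin work,
# a burst of them on one host is the pattern worth alerting on.
SERVICE_STOP = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\b", re.I)


def parse_log(text):
    """Parse JSON-lines telemetry into event dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_recovery_inhibit(events):
    """One alert per event whose command line matches a recovery-inhibition rule."""
    alerts = []
    for ev in events:
        for pattern, label in RECOVERY_INHIBIT_RULES:
            if pattern.search(ev["cmdline"]):
                alerts.append({"rule": "inhibit_system_recovery", "host": ev["host"],
                               "user": ev["user"], "detail": label, "cmdline": ev["cmdline"]})
                break
    return alerts


def detect_service_stop_burst(events, threshold=5, window=timedelta(seconds=60)):
    """Alert once per host when >= threshold service-stop commands fall in one window."""
    by_host = defaultdict(list)
    for ev in events:
        if SERVICE_STOP.search(ev["cmdline"]):
            by_host[ev["host"]].append(ev)
    alerts = []
    for host, stops in by_host.items():
        stops.sort(key=lambda e: e["ts"])
        for i, start in enumerate(stops):  # sliding window anchored at each stop
            inside = [e for e in stops[i:] if e["ts"] - start["ts"] <= window]
            if len(inside) >= threshold:
                alerts.append({"rule": "service_stop_burst", "host": host, "count": len(inside),
                               "first_seen": inside[0]["ts"].isoformat(),
                               "commands": [e["cmdline"] for e in inside]})
                break
    return alerts


def analyze(text):
    """Run both detections over a JSON-lines log and return the combined alert list."""
    events = parse_log(text)
    return detect_recovery_inhibit(events) + detect_service_stop_burst(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert["rule"], alert["host"], alert.get("detail", alert.get("count")))
```

In the constructed sample, host WS01 trips both rules (six service stops inside 60 seconds, followed by four recovery-inhibition commands) while WS02's lone `net stop spooler` stays below the burst threshold. In production the threshold and window should be tuned against a baseline of legitimate maintenance activity, and the matched user, parent process and host context forwarded with the alert so responders can triage quickly.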

Dan Lattimer, an associate vice president at Semperis, advised organizations to improve operational resilience by deploying software patches and segmenting networks. “Defenders have their hands full tackling the presence of Medusa,” Lattimer remarked, underlining the importance of a proactive stance against cybersecurity threats.

Despite the FBI’s recommendations, some experts have critiqued the advice for insufficiently addressing the role of social engineering. Roger Grimes, a data-driven defense advocate at KnowBe4, argued that 70 to 90 percent of successful hacks utilize social engineering, yet this method was not emphasized in the FBI’s mitigation strategies. Grimes lamented, “It’s like learning that criminals are breaking into your house all the time through the windows and then recommending more locks for the doors.” His perspective sheds light on the potential disconnect between recommended defenses and the actual tactics used by attackers.

The FBI continues to advise against paying ransoms, noting that many victims who comply do not receive functional decryption keys, with reports indicating that 35% of those who paid experienced incomplete recovery. This highlights the precarious position organizations find themselves in when threatened by ransomware actors.

As a further precaution, the FBI warned against new scams involving free online document converters that could harbor malware. Users are encouraged to utilize only reputable tools for document conversion to minimize risks. Mark Michalek, special agent in charge of the FBI Denver field office, stated, “The best way to thwart these fraudsters is to educate people so they don’t fall victim to these fraudsters in the first place.”

The Medusa ransomware threat represents a significant challenge for organizations across multiple sectors, necessitating swift and effective countermeasures to safeguard sensitive information and operational integrity.
