Medusa Ransomware Attacks Escalate, Targeting Hundreds of Organizations Nationwide Federal authorities, including the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), have issued a warning about the growing threat of Medusa ransomware, a sophisticated cyberattack campaign that has compromised over 400 victims across sectors including healthcare, education, legal, insurance, technology, and manufacturing. The attacks, active since 2021, follow a double-extortion model: threat actors encrypt victims’ systems, exfiltrate sensitive data, and publicly leak samples to pressure targets into paying ransoms. Victims receive a 48-hour ultimatum via a ransom note, often followed by direct contact from attackers via phone or email. Demands range from $100,000 to $15 million, with an additional $10,000 cryptocurrency fee to extend the countdown timer. In some cases, attackers have employed triple extortion, demanding a second payment after claiming the initial ransom was stolen by a rogue negotiator. The Medusa operation has evolved into an affiliate-based model, where independent cybercriminals deploy the ransomware while core developers retain control over negotiations. Attackers gain initial access by purchasing stolen credentials from dark web marketplaces or through phishing schemes, then exploit vulnerabilities in unpatched systems. Once inside, they encrypt data and post ransom demands on a dedicated leak site, providing direct links to cryptocurrency wallets. Connecticut has seen a sharp rise in ransomware incidents, with 861 reported in 2024 up from 644 in 2023 and 562 in 2022. Since August 2021, the state has logged 2,278 attacks, including high-profile breaches at Prospect Medical Holdings (2023) and Subway (2024). While federal investigators have not named specific suspects, a group called Spearwing has claimed responsibility for some attacks, while Inc Ransom was linked to the Subway breach. Authorities emphasize that no sector is immune, though larger organizations including municipalities, corporations, and critical infrastructure remain primary targets. The FBI and CISA recommend offline backups, multifactor authentication, and regular software updates as key defenses, though they note that even prepared entities can fall victim to evolving tactics. The Medusa campaign underscores the expanding reach of ransomware-as-a-service (RaaS), where sophisticated tools are leased to less-skilled criminals, amplifying the scale and frequency of attacks. With no signs of slowing, the threat continues to disrupt operations, extract millions in ransoms, and expose sensitive data across industries.