FBI Warns of Dangerous Medusa Ransomware Attacks
The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning about a growing ransomware threat called Medusa. The ransomware-as-a-service software has been active since 2021, but recent attacks have affected hundreds of victims across multiple industries.
“Medusa is a ransomware-as-a-service (RaaS) variant first identified in June 2021,” CISA said in a press release. “As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing. The Medusa ransomware variant is unrelated to the MedusaLocker variant and the Medusa mobile malware variant per the FBI’s investigation.
“FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents.”
Medusa primarily spreads through phishing campaigns, tricking users into revealing their login credentials. Once inside a system, attackers use a double extortion tactic — encrypting files and threatening to leak stolen data if a ransom isn’t paid. A data leak site run by Medusa operators displays victim names alongside countdowns for public release. Victims can delay the exposure by paying $10,000 in cryptocurrency per day.
Officials recommend several protective measures, including keeping systems updated, enabling multi-factor authentication for services like email and VPNs, and using long passwords. They also warn against frequent password changes, which can weaken security.
“The RaaS Medusa variant has been used to conduct ransomware attacks from 2021 to present,” CISA said. “Medusa originally operated as a closed ransomware variant, meaning all development and associated operations were controlled by the same group of cyber threat actors. While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers.
“Both Medusa developers and affiliates—referred to as ‘Medusa actors’ in this advisory—employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid.”