
FBI Warns Gmail and Outlook Users of Medusa Ransomware Threat

While cybercriminals continue finding new ways to ruin everyone’s day, the FBI has issued an urgent warning about Medusa – a particularly nasty ransomware variant that’s been wreaking havoc since mid-2021. The ransomware gang, completely unrelated to MedusaLocker or the similarly named mobile malware you might have heard about, has already hit more than 300 victims across critical infrastructure sectors. Even though it works with affiliates, the group keeps ransom negotiations firmly under its own central control.

Federal agencies have been actively monitoring this threat. The group isn’t picky about who it targets – medical facilities, schools, law firms, insurance companies, tech firms, you name it. February 2025 saw a disturbing spike with 33 recorded victims. The attackers primarily focus on high-value sectors, including healthcare and manufacturing organizations.

These criminals aren’t exactly subtle about their business model. They’re running a full-fledged Ransomware-as-a-Service operation, recruiting sketchy initial access brokers from the dark corners of cybercriminal forums. And get this – they’re offering anywhere from $100 to $1 million to affiliates who help them break into networks. Talk about a twisted job market.

Their favorite way in? Good old-fashioned phishing emails targeting Gmail and Outlook users. But they’re not above exploiting unpatched software vulnerabilities or stealing Remote Desktop Protocol credentials either. A recent attack on Toyota Financial Services resulted in an $8 million ransom demand, showcasing their ambitious targeting strategy.

Like a burglar with multiple lockpicks, Medusa’s hackers slip in through phishing, software holes, and stolen remote access credentials.

Once inside, they go to town with legitimate Windows tools – because why bring your own malware when the target’s own system works just fine?

The real kicker is their encryption process. They lock up files with AES-256 encryption, slap a “.medusa” extension on everything, and drop their charming little ransom note: “!!read_me_medusa!!.txt”. Oh, and if victims need more time to panic about paying up, they can shell out $10,000 for an extra 24 hours. How thoughtful.

These folks are clever about covering their tracks, too. They delete PowerShell histories, disable security software, and use all sorts of tricks to avoid detection. They’re big fans of spreading through networks using legitimate software deployment tools – PDQ Deploy, BigFix, you get the picture.

And they’re persistent, setting up malicious scheduled tasks that run every 15 minutes.
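The indicators this warning gives a defender are concrete: the “.medusa” extension, the “!!read_me_medusa!!.txt” note, and scheduled tasks firing every 15 minutes. The triage script below is an added example (not from the FBI advisory or any tool it names) that checks a directory tree for the first two and flags tasks with a 15-minute repetition; it assumes the task inventory was exported from the host as (name, repetition interval) pairs in the ISO 8601 form Task Scheduler uses (e.g. “PT15M”), and the sample data it runs on is constructed.

```python
"""Host triage for the Medusa indicators described above: encrypted-file
extension, ransom-note filename, and 15-minute scheduled-task cadence."""
import os
import re
import tempfile
from pathlib import Path

RANSOM_NOTE = "!!read_me_medusa!!.txt"  # ransom-note name from the warning
ENCRYPTED_EXT = ".medusa"               # extension appended to encrypted files
SUSPECT_REPEAT_MIN = 15                 # scheduled-task cadence from the warning

def scan_tree(root):
    """Walk `root` and return (encrypted_files, ransom_notes), both sorted."""
    encrypted, notes = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                notes.append(path)
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(path)
    return sorted(encrypted), sorted(notes)

# Task Scheduler reports repetition intervals as ISO 8601 durations, e.g. "PT15M".
_ISO_INTERVAL = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")

def interval_minutes(iso):
    """Convert 'PT15M' / 'PT1H' / 'PT1H15M' to minutes; None if unset or unparsable."""
    m = _ISO_INTERVAL.match(iso or "")
    if not m or not any(m.groups()):
        return None
    hours, minutes = (int(g) if g else 0 for g in m.groups())
    return hours * 60 + minutes

def flag_tasks(tasks):
    """tasks: iterable of (task_name, repetition_interval) pairs exported from the
    host (assumption: gathered via Get-ScheduledTask Triggers[].Repetition.Interval).
    Returns names of tasks repeating every 15 minutes, for analyst review."""
    return [name for name, iso in tasks if interval_minutes(iso) == SUSPECT_REPEAT_MIN]

def build_sample(root):
    """Constructed sample tree (not real victim data) for an offline dry run."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "budget.xlsx.medusa").write_bytes(b"\x00" * 16)
    (root / "docs" / "notes.txt").write_text("clean file")
    (root / RANSOM_NOTE).write_text("constructed placeholder note")
    return root

def dry_run():
    """Run both checks on constructed data; returns basenames plus flagged task names."""
    with tempfile.TemporaryDirectory() as tmp:
        enc, notes = scan_tree(build_sample(tmp))
    flagged = flag_tasks([("\\Microsoft\\Windows\\Sync", "PT1H"),  # benign hourly task
                          ("\\Updater", "PT15M"), ("\\Backup", "")])
    return ([os.path.basename(p) for p in enc],
            [os.path.basename(p) for p in notes], flagged)

if __name__ == "__main__":
    print(dry_run())  # (['budget.xlsx.medusa'], ['!!read_me_medusa!!.txt'], ['\\Updater'])
```

A 15-minute task is only a lead, not proof: many legitimate products use the same cadence, so review the flagged task’s action and author before acting on it.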

The FBI’s warning isn’t just about awareness – it’s a wake-up call. This group has hit hundreds of organizations, stealing sensitive data and threatening to auction it off on their leak site if victims don’t pay up.

It’s a double-extortion scheme that’s proving frighteningly effective. And with their network of affiliates growing, Medusa’s showing no signs of slowing down. Just another day in the wonderful world of cybercrime.
