CISA Issues Advisory on Medusa Ransomware as Over 300 Critical Infrastructure Entities Suffer Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a cybersecurity advisory on Mar. 12, 2025, warning that the Medusa ransomware had compromised over 300 critical infrastructure entities across the United States as of February of this year. The joint alert was published in collaboration with the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
TechMonitor detailed the alert in a recent article. According to TechMonitor, the advisory, published as part of the “#StopRansomware: Medusa Ransomware” initiative, provides details on the tactics, techniques, and procedures (TTPs) used by Medusa ransomware actors, along with indicators of compromise (IOCs) and detection methods. CISA noted that Medusa, which operates as a Ransomware-as-a-Service (RaaS) variant, has targeted entities across different industries, including healthcare, education, legal, insurance, technology, and manufacturing.
According to CISA’s alert, the RaaS Medusa variant has been used to conduct ransomware attacks from 2021 to present. Medusa originally operated as a closed ransomware variant, meaning all development and associated operations were controlled by the same group of cyber threat actors. While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers. Both Medusa developers and affiliates—referred to as “Medusa actors” in this advisory—employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid.
“CISA encourages network defenders to review the advisory and implement the recommended mitigations to reduce the likelihood and impact of Medusa ransomware incidents,” the agency said.