
Image credit: teiss
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have warned the general public of an ongoing trend of Medusa ransomware attacks, which have affected at least 300 victims from the critical infrastructure sector.
Attackers rely on methods such as social engineering and the exploitation of unpatched software vulnerabilities.
Rise of Medusa Ransomware Group
Medusa ransomware attacks increased by 42% from 2023 to 2024 and continue to rise in 2025.
In January and February 2025, Medusa attacks nearly doubled compared to the same period in 2024.
The group’s growth is linked to the decline of major ransomware gangs like Noberus and LockBit due to law enforcement crackdowns, allowing Medusa to expand.
Do not pay the ransom
The FBI has previously warned that victims of ransomware should not pay the ransom demanded.
Paying ransoms does not guarantee a return to normal business operations. In fact, ransom payments decreased by 35% in 2024.
A recent ransomware analysis from Semperis revealed that most ransomware attacks are not one-off events.
While 83% of responding organizations were victims of a ransomware attack in the past 12 months, 74% were attacked multiple times.
On top of that, 78% of victims paid a ransom, while 35% of victims failed to receive decryption keys or were unable to recover their files and assets.
FBI and CISA Recommendations
To reduce the risk of Medusa ransomware attacks, the FBI and CISA recommend:
- Enable two-factor authentication (2FA) for all services, especially webmail (Gmail, Outlook), VPNs, and critical system accounts.
- Use long, strong passwords for all accounts and avoid frequent mandatory password changes.
- Store multiple copies of important data in a separate, secure location.
- Keep all software, operating systems, and firmware updated, focusing on patching known vulnerabilities.
- Use network monitoring tools to detect unusual activity or ransomware movement.
- Watch for unauthorized scanning and access attempts.
- Block network traffic from unknown or untrusted sources to protect internal systems.
- Audit admin accounts and apply strict access controls based on the principle of least privilege.
- Disable command-line and scripting tools where not needed.
- Close unused ports to reduce entry points for attackers.
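Two of the recommendations above, using network monitoring to detect unusual activity and watching for unauthorized scanning and access attempts, can be illustrated with a small detector. The Python below is an added example written for this article, not tooling from the FBI, CISA, or the advisory itself. The log lines are constructed for the demonstration, and the thresholds (5 distinct ports, 4 failed logins) are assumptions chosen to make the toy data trigger, not values the advisory specifies.

```python
"""Toy detector for two things the advisory tells defenders to watch for:
hosts probing many ports (scanning) and bursts of failed logins (access
attempts). Log formats and thresholds are assumptions for this example."""
from collections import defaultdict
import re

# Constructed firewall-style connection log: "<time> <src_ip> -> <dst_ip>:<port> <action>"
CONN_LOG = """\
10:00:01 203.0.113.7 -> 10.0.0.5:22 DENY
10:00:01 203.0.113.7 -> 10.0.0.5:23 DENY
10:00:02 203.0.113.7 -> 10.0.0.5:80 ALLOW
10:00:02 203.0.113.7 -> 10.0.0.5:443 ALLOW
10:00:03 203.0.113.7 -> 10.0.0.5:3389 DENY
10:00:03 203.0.113.7 -> 10.0.0.5:445 DENY
10:00:04 203.0.113.7 -> 10.0.0.5:8080 DENY
10:00:05 192.168.1.20 -> 10.0.0.5:443 ALLOW
10:00:06 192.168.1.20 -> 10.0.0.5:443 ALLOW
"""

# Constructed authentication log: "<time> <result> <user> from <src_ip>"
AUTH_LOG = """\
10:01:00 FAIL admin from 198.51.100.9
10:01:02 FAIL admin from 198.51.100.9
10:01:04 FAIL administrator from 198.51.100.9
10:01:06 FAIL root from 198.51.100.9
10:01:08 FAIL admin from 198.51.100.9
10:01:10 OK admin from 198.51.100.9
10:02:00 OK alice from 192.168.1.20
10:02:05 FAIL bob from 192.168.1.21
"""

CONN_RE = re.compile(r"^\S+ (\S+) -> \S+:(\d+) (ALLOW|DENY)$")
AUTH_RE = re.compile(r"^\S+ (OK|FAIL) (\S+) from (\S+)$")


def find_scanners(log_text, min_ports=5):
    """Return {src_ip: sorted ports} for sources that touched >= min_ports distinct ports."""
    ports_by_src = defaultdict(set)
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing on them
        src, port, _action = m.groups()
        ports_by_src[src].add(int(port))
    return {src: sorted(p) for src, p in ports_by_src.items() if len(p) >= min_ports}


def find_brute_force(log_text, max_failures=4):
    """Return {src_ip: (failure_count, succeeded_after_burst)} for noisy login sources.

    A success that follows a burst of failures is the higher-priority finding:
    it may mean a password was guessed, so that account should be reviewed.
    """
    failures = defaultdict(int)
    success_after = defaultdict(bool)
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        result, _user, src = m.groups()
        if result == "FAIL":
            failures[src] += 1
        elif failures[src] >= max_failures:
            success_after[src] = True
    return {src: (n, success_after[src]) for src, n in failures.items() if n >= max_failures}


if __name__ == "__main__":
    for src, ports in find_scanners(CONN_LOG).items():
        print(f"possible port scan from {src}: ports {ports}")
    for src, (n, hit) in find_brute_force(AUTH_LOG).items():
        flag = " then SUCCEEDED - review the account" if hit else ""
        print(f"{n} failed logins from {src}{flag}")
```

In a real environment the two functions would read firewall and authentication logs from a SIEM or log collector, and the thresholds would be tuned against a baseline of normal traffic so that legitimate administrators are not flagged. The point of the "success after failures" flag is that a blocked brute-force attempt is noise, while a guessed password is an incident that calls for disabling the account and enforcing the 2FA recommendation above.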