As of February 2025, the Medusa ransomware gang has successfully attacked over 300 organizations in critical infrastructure sectors worldwide. Security researchers tracking the group confirm that its primary targets include energy providers, healthcare institutions, and public service organizations, significantly disrupting essential services.
Medusa operates a double-extortion model, exfiltrating sensitive data before encrypting systems and threatening to leak it publicly unless a ransom is paid. The gang has also expanded its arsenal, exploiting newly disclosed vulnerabilities in enterprise software, such as VMware ESXi (CVE-2024-3400) and Fortinet FortiOS (CVE-2024-4512). Its tactics now involve gaining initial access through compromised Remote Desktop Protocol (RDP) access and phishing attacks targeting IT administrators.
Despite global law enforcement efforts, Medusa continues to thrive, leveraging cryptocurrency laundering techniques and affiliate partnerships to distribute attacks at scale. The group has increased its ransom demands, often exceeding $1 million per victim, placing additional pressure on targeted organizations.
Expert Analysis:
Medusa’s persistent targeting of critical infrastructure signals a shift from financially motivated ransomware towards operations with broader geopolitical and economic consequences. The sheer number of victims within essential service sectors raises concerns about whether this group is acting purely for profit or if state-backed entities are exploiting its operations for strategic disruption.