CISA says the Medusa ransomware operation had impacted over 300 organizations in critical infrastructure sectors in the United States as of last month.

"As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing," CISA, the FBI, and MS-ISAC warned on Wednesday.

Medusa ransomware surfaced almost four years ago, in January 2021, but the gang's activity only picked up two years later, in 2023, when it launched the Medusa Blog leak site to pressure victims into paying ransoms using stolen data as leverage.

Since it emerged, the gang has claimed over 400 victims worldwide and gained media attention in March 2023 after claiming responsibility for an attack on the Minneapolis Public Schools (MPS) district and sharing a video of the stolen data.

Medusa was first introduced as a closed ransomware variant, where a single group of threat actors handled all development and operations. Although Medusa has since evolved into a ransomware-as-a-service (RaaS) operation and adopted an affiliate model, its developers continue to oversee essential operations, including ransom negotiations.

It's also important to note that multiple malware families and cybercrime operations call themselves Medusa, including a Mirai-based botnet with ransomware capabilities and an Android malware-as-a-service (MaaS) operation discovered in 2020 (also known as TangleBot). Due to this commonly used name, there's also been some confusing reporting about Medusa ransomware, with many thinking it's the same as the widely known MedusaLocker ransomware operation, although they're entirely different operations.

The group also leaked files allegedly stolen from Toyota Financial Services, a subsidiary of Toyota Motor Corporation, on its dark web extortion portal in November 2023 after the company refused to pay an $8 million ransom demand and notified customers of a data breach.

Last month, CISA and the FBI issued another joint alert warning that victims from multiple industry sectors across over 70 countries, including critical infrastructure, have been breached in Ghost ransomware attacks.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 12 Mar 2025 19:30:18 +0000