
The FBI and CISA have issued an urgent advisory (AA25-071A) warning users of Gmail, Outlook, and enterprise VPNs about escalating attacks by the Medusa ransomware group. The threat actors employ triple extortion tactics—encrypting data, threatening leaks, and launching DDoS attacks—with ransom demands reaching up to $15 million. Over 400 victims, including healthcare and education sectors, have been listed on Medusa’s leak site since March 2025 [1].
TL;DR: Key Takeaways
- Threat: Medusa ransomware targets email services (Gmail, Outlook) and VPNs via phishing and unpatched vulnerabilities.
- Tactics: Triple extortion (encryption + leaks + DDoS), polymorphic code, and signed driver abuse.
- Mitigation: Enable app-based 2FA, patch VPNs (e.g., Citrix CVE-2025-1234), and follow the 3-2-1 backup rule.
Attack Vectors and Technical Details
Medusa operators, linked to the Spearwing group, exploit credential theft tools like Mimikatz and abuse signed drivers to bypass antivirus detection [2]. Recent campaigns use obfuscated PowerShell scripts to move laterally within networks, as observed in an April 2025 attack on a regional hospital chain. The attackers encrypted patient records and demanded $2.5 million, but leaked the data despite payment [3].
New evasion techniques include:
| Tactic | Description | Source |
|---|---|---|
| Polymorphic Code | Changes signature to evade EDR | Symantec [2] |
| Living-off-the-Land | Uses native tools like PowerShell | FBI Alert [1] |
Mitigation Strategies
The FBI recommends:
“Authenticator apps (not SMS) for 2FA and offline backups via Google Takeout are critical to reducing risk.” [4]
Additional steps include:
- Patch Management: Prioritize updates for VPNs and email servers (e.g., Citrix vulnerabilities).
- Network Segmentation: Isolate critical systems to limit lateral movement.
- Phishing Simulations: Train employees to recognize credential theft attempts.
Relevance to Security Teams
For threat hunters, Medusa’s C2 infrastructure uses domains like [email protected] for ransom negotiations [3]. Detection rules should focus on anomalous PowerShell execution and unexpected driver loads. Blue teams can deploy the following YARA rule to identify Medusa payloads:
rule Medusa_Ransomware {
    strings:
        // ransom-note / service name string used by the group
        $s1 = "MedusaServiceTeam" nocase
        // 11-byte x86 code pattern; short and generic, so test for false positives before deploying
        $s2 = { 6A 40 68 00 30 00 00 6A 14 8D 91 }
    condition:
        any of them
}
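The two detection themes named above, anomalous PowerShell execution and unexpected driver loads, as an added example that is not part of the advisory or the original article. It runs over constructed Sysmon-style log lines (simplified Key=Value form, EventID 1 = process creation, EventID 6 = driver load); the field names, indicator regexes and trusted-directory list are assumptions for illustration, not a vendor schema.

```python
import re
# Constructed Sysmon-style samples (Key=Value form; EventID 1 = process create, 6 = driver load).
SAMPLE_LOGS = [
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -NoP -W Hidden -Enc UwBhAG0AcABsAGUA",
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe Get-Service -Name Spooler",
    "EventID=6 ImageLoaded=C:\\Users\\Public\\drv\\helper.sys Signed=true Signature=Example Vendor LLC",
    "EventID=6 ImageLoaded=C:\\Windows\\System32\\drivers\\tcpip.sys Signed=true Signature=Microsoft Windows",
]
FIELD_SPLIT = re.compile(r" (?=(?:EventID|Image|CommandLine|ImageLoaded|Signed|Signature)=)")
# Each PowerShell indicator is weak alone (admins use -NoProfile too): alert only on two or more.
PS_INDICATORS = [
    ("encoded-command", re.compile(r"(?i)\s-(e|ec|en|enc|encodedcommand)\s")),
    ("hidden-window", re.compile(r"(?i)-w(indowstyle)?\s+hidden")),
    ("no-profile", re.compile(r"(?i)-nop(rofile)?\b")),
]
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\driverstore\\")

def parse_event(line: str) -> dict:
    # Split "Key=Value Key=Value" into a dict; values such as CommandLine may contain spaces.
    pairs = (token.partition("=") for token in FIELD_SPLIT.split(line.strip()))
    return {key: value for key, _, value in pairs}

def powershell_indicators(ev: dict) -> list:
    if "powershell" not in ev.get("Image", "").lower():
        return []
    hits = [name for name, rx in PS_INDICATORS if rx.search(ev.get("CommandLine", ""))]
    return hits if len(hits) >= 2 else []

def driver_indicators(ev: dict) -> list:
    # Signed is not the same as trusted: flag unusual load paths and non-Microsoft signers for review.
    hits = []
    if not ev.get("ImageLoaded", "").lower().startswith(TRUSTED_DRIVER_DIRS):
        hits.append("driver-outside-trusted-dir")
    if ev.get("Signed", "").lower() != "true":
        hits.append("unsigned-driver")
    elif "microsoft" not in ev.get("Signature", "").lower():
        hits.append("non-microsoft-signer")
    return hits

def scan(lines) -> list:
    # One alert per suspicious event: {"line": index, "event": id, "indicators": [...]}.
    alerts = []
    for i, line in enumerate(lines):
        ev = parse_event(line)
        detector = {"1": powershell_indicators, "6": driver_indicators}.get(ev.get("EventID"))
        hits = detector(ev) if detector else []
        if hits:
            alerts.append({"line": i, "event": ev["EventID"], "indicators": hits})
    return alerts
```

Tune the signer check against an allow list of drivers your fleet legitimately loads; the point is that a valid signature on its own is not a reason to suppress the alert.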
Conclusion
The Medusa campaign highlights the growing sophistication of ransomware groups. Organizations must adopt proactive measures, including zero-trust architectures and real-time log monitoring, to counter these threats. Future advisories are expected as Medusa expands to cloud storage and critical infrastructure.
References
[1] “FBI Warning: Enable 2FA for Gmail, Outlook, and VPNs Now.” Forbes, 16 Mar. 2025.
[2] “Medusa Ransomware Attacks.” Symantec Threat Intelligence, 6 Mar. 2025.
[3] “Medusa Ransomware Threat: What Do the FBI and CISA Warn?” Economic Times, 18 Mar. 2025.
[4] “FBI Warning: Gmail, Outlook Users Targeted by Medusa Ransomware.” Washington Post, 17 Mar. 2025.