Federal officials are sounding the alarm about the Medusa ransomware attacks, which have become increasingly common since they first emerged in June 2021. Targeting various sectors including medical, education, legal, insurance, technology, and manufacturing, this sophisticated ransomware scheme is now being used by cybercriminals to steal sensitive information and extort money from victims. According to the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), the Medusa ransomware system has affected hundreds of individuals and organizations nationwide.
Recent advisories, issued on March 12, 2025, report the alarming spread of the Medusa ransomware, with over 300 victims identified, particularly within Connecticut. The warning highlights the fact that these attacks have escalated since 2021, as even small towns are now being targeted. CISA's advisory points out, "Medusa originally operated as a closed ransomware variant, meaning all development and associated operations were controlled by the same group of cyber threat actors. While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers." This shift has allowed diverse affiliates to deploy ransomware attacks, thereby increasing the number of victims.
Investigation shows the attackers are purchasing credentials on the dark web, allowing them to prey on unsuspecting individuals and organizations. The Medusa ransomware allows for double extortion attacks — encrypting victims' data and threatening to publicly release information if the ransom is not paid. Typically, victims receive ransom demands through untraceable methods, including email or phone calls directly from the ransomers.
Every ransom note also includes the option to extend the countdown timer for paying the ransom by making additional payments of $10,000 worth of cryptocurrency. “Victims can add extra days to the countdown timer,” CISA stated. “If the victim does not respond within the stipulated time, Medusa actors may reach out to them directly through alternate means.”
FBI investigations have revealed disturbing patterns, including cases where victims have paid the recommended ransom only to be contacted later by another Medusa actor who demanded even more payment, alleging the negotiation had been hijacked. Such tactics suggest the potential emergence of triple extortion schemes within this nefarious network.
The data concerning ransomware attacks across the state of Connecticut paints a grim picture. Since August 2021, the state Attorney General’s Office has reported 2,278 ransomware incidents, with 151 occurring just since the beginning of 2025. That marks a significant increase compared to previous years — there were 861 attacks reported during 2024, 644 the year before, and just 562 attacks reported for 2022. A particularly notable incident took place when Glastonbury-based FinalSite suffered a massive attack, causing 5,000 public schools’ websites to go offline. This incident exemplifies how deeply such attacks can disrupt education and public services.
Notably, hospitals owned by Prospect Medical Holdings saw outpatient services shut down due to ransomware attacks, and companies like Xerox and Subway also faced similar incidents, illustrating the broad range of targets included. A cybersecurity developer, Symantec, claims the group responsible for the Medusa attacks goes by the name Spearwing. This group allegedly has made ransom demands ranging from $100,000 to $15 million, reflecting the varied scales of attack.
How can individuals and organizations protect themselves from increasingly sophisticated ransomware threats? Experts advise being proactive. Federal agencies recommend users educate themselves on phishing scams, avoid suspicious emails and links, and implement basic cybersecurity measures. CISA and the FBI have released guides detailing prevention strategies which advocate for establishing multifactor authentication systems, regularly updating software and security systems, and creating offline backups of sensitive data.
“Having multiple copies of sensitive or proprietary data securely stored is important,” cybersecurity officials highlight. “Employees should be trained to use long passwords and utilize multifactor authentication for important accounts and systems.” Organizations, especially those managing sensitive client information, must report cyberattacks to the state Attorney General’s Office immediately to adhere to state regulations.
The Medusa ransomware, particularly through its RaaS (ransomware-as-a-service) model, exemplifies the dire vulnerabilities present within web service infrastructures today. Federal authorities remain vigilant, continuing their investigations to keep pace with the rapidly changing tactics of cybercriminals. The situation highlights the necessity for continuous adaptation to counter sophisticated attacks, and businesses of all sizes must remain alert to potential threats.
With these increasing threats of ransomware attacks, vigilance and education remain the best defenses against future incidents. Cybersecurity experts and authorities urge everyone to be mindful of their online practices and report suspicious activity immediately to help mitigate risks associated with these rampant attacks.