Medusa Ransomware Gang Attacks Increase, Advisory Warns

As Medusa Ransomware attacks increase, the FBI and CISA have released a cybersecurity advisory warning that over 300 organizations have been impacted.

WRITTEN BY
Justin Herrick
Blog
5 min read
Download article
Download PDF
April 21, 2025

Stay on high alert for Medusa ransomware, according to a recent cybersecurity advisory.

Reflecting the seriousness of the threat, this joint warning comes from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

In March 2025, the agencies published the alert as part of the ongoing #StopRansomware campaign. However, Medusa ransomware isn’t an entirely new type of cybersecurity threat.

First surfacing in mid-2021, the Medusa ransomware gang operates using a ransomware-as-a-service (RaaS) model. Its developers recruit affiliate partners to conduct the actual attacks, which broadens the operation’s reach. As the advisory warns, attackers use a “double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid.”

Attackers typically publish victim names and timers on dedicated leak sites on the dark web, offering to sell the stolen data before the deadline expires.

Medusa ransomware exerts immense pressure on victims, particularly those in critical sectors such as healthcare, education, and manufacturing, which are frequent targets. Attackers know that organizations in these industries hold vast amounts of sensitive information and would do anything to protect it.

And these attacks are only growing more common: Medusa ransomware activity nearly doubled year-over-year in January and February 2025.

FBI, CISA: Over 300 Organizations Impacted by Medusa

Medusa ransomware attackers have breached over 300 organizations as of February 2025, the advisory states.

Affiliates typically gain initial access through common but effective methods, including phishing attacks designed to steal user credentials and exploiting unpatched software vulnerabilities in applications.

Once inside a network, the attackers keep a low profile. The advisory notes that they employ ‘living off the land’ (LoTL) techniques, using legitimate system tools like PowerShell and Windows Management Instrumentation (WMI), along with common IT software, to blend in with normal administrative activity.

Attackers actively work to disable security software, sometimes using sophisticated ‘Bring Your Own Vulnerable Driver’ (BYOVD) tactics.

In addition, they steal credentials using tools like Mimikatz, move laterally across the network using protocols like Remote Desktop Protocol (RDP), exfiltrate sensitive data, and ultimately deploy the ransomware to encrypt systems after deleting backups.
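The behaviours listed above (PowerShell launched through WMI, credential theft with Mimikatz, RDP-based lateral movement, and backup deletion before encryption) all leave traces in process-creation telemetry, which is where a detection team would look for them. The following Python script is an added example, not code from the advisory or from Adaptive Security: it parses a hypothetical pipe-delimited `key=value` process-creation log format (constructed here for illustration), applies one detection rule per behaviour, and returns the findings. The rule logic rests on assumptions a practitioner would recognise but that the article does not state: that WMI-initiated processes appear with `WmiPrvSE.exe` as the parent, that backup deletion surfaces as `vssadmin.exe` or `wbadmin.exe` invoked with a `delete` argument, and that RDP use from a workstation shows up as `mstsc.exe`. The sample log lines are constructed.

```python
"""Flag process-creation records for behaviours the Medusa advisory describes.

Added example with a constructed log format; the rule thresholds and
process names are assumptions about how these behaviours usually appear
in Windows process telemetry, not facts taken from the advisory.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    parent: str    # parent process image name, lower-cased
    image: str     # created process image name, lower-cased
    cmdline: str   # full command line as logged


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    event: ProcessEvent


# Constructed sample records in the hypothetical "k=v|k=v|..." format.
# Line 1 is benign, line 6 is deliberately malformed to exercise the parser.
SAMPLE_LOG = r"""
host=FS01|user=CORP\jdoe|parent=explorer.exe|image=winword.exe|cmdline=winword.exe /n report.docx
host=FS01|user=CORP\jdoe|parent=WmiPrvSE.exe|image=powershell.exe|cmdline=powershell.exe -File C:\Temp\task.ps1
host=DC01|user=CORP\admin|parent=cmd.exe|image=mimikatz.exe|cmdline=mimikatz.exe
host=FS01|user=CORP\svc_backup|parent=cmd.exe|image=vssadmin.exe|cmdline=vssadmin delete shadows /all /quiet
host=WS22|user=CORP\jdoe|parent=explorer.exe|image=mstsc.exe|cmdline=mstsc.exe /v:FS01
this line is not a valid record
"""


def parse_line(line: str) -> Optional[ProcessEvent]:
    """Parse one record; return None when a required field is missing."""
    fields: dict[str, str] = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:  # ignore fragments without a key=value shape
            fields[key] = value
    try:
        return ProcessEvent(
            host=fields["host"],
            user=fields["user"],
            parent=fields["parent"].lower(),
            image=fields["image"].lower(),
            cmdline=fields["cmdline"],
        )
    except KeyError:
        return None


def detect(event: ProcessEvent) -> list[Finding]:
    """Apply one rule per behaviour named in the advisory summary."""
    findings: list[Finding] = []
    cmd = event.cmdline.lower()

    # LoTL: PowerShell started by the WMI provider host (assumed parent name).
    if event.parent == "wmiprvse.exe" and event.image in {"powershell.exe", "pwsh.exe"}:
        findings.append(Finding("lotl_wmi_spawned_powershell", "high", event))

    # Credential theft tooling named in the advisory.
    if "mimikatz" in event.image or "mimikatz" in cmd:
        findings.append(Finding("credential_theft_tool", "critical", event))

    # Backup deletion ahead of encryption (assumed to surface via these tools).
    if event.image in {"vssadmin.exe", "wbadmin.exe"} and "delete" in cmd:
        findings.append(Finding("backup_deletion", "critical", event))

    # RDP client launch: a weak signal on its own, kept at low severity so it
    # can be correlated with the stronger findings rather than alerted alone.
    if event.image == "mstsc.exe":
        findings.append(Finding("rdp_client_launch", "low", event))

    return findings


def scan(log_text: str) -> list[Finding]:
    """Parse every record in the log text and collect findings in order."""
    findings: list[Finding] = []
    for line in log_text.strip().splitlines():
        event = parse_line(line)
        if event is not None:
            findings.extend(detect(event))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity:>8}] {f.rule:<28} {f.event.host} {f.event.user} :: {f.event.cmdline}")
```

Run against the constructed sample, the script skips the benign Word launch and the malformed line and reports four findings, one per behaviour. In practice the low-severity RDP rule is only useful when correlated with the others on the same host or user within a short window; on its own it fires on every helpdesk session.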

Medusa Ransomware Examples: Recent Attacks

Don’t assume the FBI and CISA’s warning is just theoretical. In recent months, several incidents have highlighted Medusa ransomware’s impact across various sectors.

Here are a few Medusa ransomware examples that illustrate the scope of this attack type.

NASCAR (April 2025)

Hackers took aim at NASCAR, the governing body for U.S. stock car racing, in a ransomware attack demanding a $4 million ransom.

NASCAR appeared on the Medusa ransomware gang’s dark web leak site, according to Hackread, with a threat to release internal data. Attackers posted dozens of images displaying documents to prove the legitimacy of their attack, and some of the materials displayed credential-related information.

By the way, this wasn’t NASCAR’s first time falling victim to a ransomware attack.

HCRG Care Group (February 2025)

Taking aim at the healthcare industry, the Medusa ransomware gang stole 2.275TB of data from health and social services provider HCRG Care Group.

Attackers demanded $2 million in exchange for not releasing data covering medical and financial records, or $10,000 per day to delay the release while negotiations continued.

Tarrant County, Texas (March 2024)

In Texas, the Tarrant County Appraisal District — used by both property owners and real estate agents in the Fort Worth area — had nearly 218GB stolen. The ransom? $100,000 to be paid within just six days.

County officials wouldn’t comment on whether the county would pay the ransom, but more than two weeks went by with operations still impacted.

Toyota Financial Services (November 2023)

Toyota Financial Services, a division of the global automaker, faced a whopping $8 million demand after the Medusa ransomware gang accessed systems in Central Europe.

Attackers obtained “financial documents, spreadsheets, purchase invoices, hashed account passwords, cleartext user IDs and passwords, agreements, passport scans, internal organization charts, financial performance reports, staff email addresses, and more,” according to BleepingComputer’s report.

Mitigation Strategies to Stop Medusa Ransomware

CISOs, IT leaders, and their teams must pay attention to Medusa ransomware. As artificial intelligence (AI) continues to reshape phishing, attacks will only grow more sophisticated and frequent.

In the advisory, the FBI, CISA, and MS-ISAC provide several recommendations to improve security posture in the face of these attacks, including filtering network traffic, maintaining offline backups, and staying on top of timely patching.

Yet there are two more mitigation strategies to call out that the advisory doesn’t explicitly mention: security awareness training and phishing simulations.

Security awareness training

Given that the Medusa ransomware gang frequently gains entry via phishing, as highlighted by the advisory, security awareness training is a direct countermeasure. But it needs to be more than a yearly formality.

Effective training to stop Medusa ransomware should focus on equipping employees to spot red flags. This includes recognizing urgent or unusual requests, examining communication sources and content, and reporting any suspicious activity.

The goal is to build a human firewall, and informed employees who understand the tactics used by threats like Medusa provide an important layer of defense that technology alone just can’t achieve.

Phishing simulations

Training imparts knowledge. Phishing simulations, on the other hand, offer the practical reinforcement necessary to embed secure behaviors — they’re the testing round for awareness.

Running regular, realistic simulations allows employees to practice identifying and reporting potential threats in a safe environment. With a next-generation platform like Adaptive Security, your phishing simulations are tailored to mimic the types of lures Medusa affiliates use, making the practice incredibly relevant.

Analyzing the results of these phishing simulations provides invaluable insights. It helps pinpoint individuals or teams needing more focused training and guides continuous improvement, all before a Medusa ransomware attack achieves success.

Start Preparing Employees with Security Awareness Training

Technology alone isn’t enough, so the human element is critical. As the advisory notes, the Medusa ransomware gang often gains its initial foothold through phishing and related social engineering tactics, highlighting the role employees play as a line of defense.

Preparing your workforce to recognize and respond to threats is a huge part of a resilient cybersecurity strategy.

Adaptive’s platform, for example, provides engaging, relevant content and runs sophisticated, real-world phishing simulations designed to build lasting security habits and measurably reduce risk within your organization.

Fortify your human defenses and take security awareness training to the next level with Adaptive — get a demo.
