Medusa Ransomware Made 300 Critical Infrastructure Victims
securityweek
Since June 2021, affiliates of the Medusa ransomware-as-a-service (RaaS) operation have hit more than 300 critical infrastructure organizations, the US government warns.
Medusa initially operated as a closed ransomware variant and, although it now uses an affiliate model, ransom negotiations are still handled by the malware’s developers, CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) note in a joint advisory.
The group engages in double extortion: it encrypts victims’ data but also steals it and threatens to leak it unless a ransom is paid. Medusa’s operators offer affiliates who work exclusively for them payments ranging from $100 to $1 million, the three agencies say.
The group has been observed using phishing to steal victims’ credentials and exploiting unpatched vulnerabilities for initial access, including CVE-2024-1709 (the ’SlashAndGrab’ ScreenConnect authentication bypass) and CVE-2023-48788 (a SQL injection bug in Fortinet FortiClient EMS).
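As an added example from the editor, not code from SecurityWeek or from the CISA/FBI/MS-ISAC advisory, the following script flags access-log requests that match the publicly documented trigger for CVE-2024-1709: a request to ScreenConnect’s SetupWizard.aspx with an extra path segment after it (for example /SetupWizard.aspx/anything), which lets an unauthenticated client reach the setup wizard on an already-configured server and create an administrator. The log format (W3C extended fields, as written by a reverse proxy in front of the server) and the log lines themselves are assumptions constructed for the example.

```python
"""Flag web-log requests matching the CVE-2024-1709 ('SlashAndGrab')
ScreenConnect path pattern.

Editor's example; not code from the article or the joint advisory.
Assumes W3C extended-format access log lines with the field order in
FIELDS (a real log states its order in a '#Fields:' header) and the
public description of the flaw: SetupWizard.aspx followed by a slash and
any further path segment.  SAMPLE_LOG is a constructed sample.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Field order assumed for the constructed sample; change it to match the
# '#Fields:' header of the log you are actually inspecting.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem",
          "cs-uri-query", "sc-status"]

# A legitimate first-run request ends at SetupWizard.aspx; the bypass needs a
# trailing slash plus an arbitrary segment, so that trailing segment is the
# signal.  Case-insensitive because the path is matched loosely server-side.
BYPASS_RE = re.compile(r"/SetupWizard\.aspx/\S*", re.IGNORECASE)


@dataclass
class Hit:
    time: str
    client: str
    method: str
    uri: str
    status: str


def parse_line(line: str) -> Optional[dict]:
    """Split one W3C log line into a dict keyed by FIELDS; skip comments."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def flag_screenconnect_bypass(lines) -> List[Hit]:
    """Return one Hit per request whose URI stem matches BYPASS_RE."""
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if BYPASS_RE.search(rec["cs-uri-stem"]):
            hits.append(Hit(f'{rec["date"]} {rec["time"]}', rec["c-ip"],
                            rec["cs-method"], rec["cs-uri-stem"],
                            rec["sc-status"]))
    return hits


# Constructed sample log (addresses are documentation ranges, not real hosts).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-03-01 02:14:07 198.51.100.23 GET /Login - 200
2025-03-01 02:14:09 198.51.100.23 GET /SetupWizard.aspx/ - 200
2025-03-01 02:14:12 198.51.100.23 POST /SetupWizard.aspx/literally-anything - 302
2025-03-01 02:15:01 203.0.113.8 GET /Administration - 200
2025-03-01 02:16:44 198.51.100.23 GET /App_Extensions/ - 200
"""

if __name__ == "__main__":
    for h in flag_screenconnect_bypass(SAMPLE_LOG.splitlines()):
        print(f"{h.time} {h.client} {h.method} {h.uri} -> {h.status}")
```

A hit on a server that completed setup long ago is worth treating as an attempted or successful bypass rather than noise: follow it by checking the ScreenConnect user store for administrators created around the same time and by confirming the server is on a build that contains the vendor’s fix.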
The Medusa ransomware affiliates have been using living-off-the-land (LOTL) and legitimate tools ...