FBI Issues ‘Medusa’ Alert As Hackers Target Critical Infrastructure, Extort Victims for Cash

The FBI is issuing an alert over an ongoing ransomware campaign known as “Medusa” that’s hit hundreds of victims.

Medusa is a type of malicious software first discovered in 2021 that encrypts its victims’ files before demanding a ransom in exchange for a decryption key.

Medusa actors typically gain initial access through deceptive phishing emails designed to steal credentials or by exploiting unpatched software vulnerabilities, such as flaws in Microsoft Exchange Server or Fortinet products.

Medusa has left a trail of significant breaches across critical infrastructure sectors. Notable victims include the Minneapolis Public Schools district, which in 2023 saw 92 GB of sensitive student data leaked after refusing to pay a $1 million ransom. Other targets have included cancer centers, British high schools and government entities in places like Tonga, France and the Philippines.

Both the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) are issuing an advisory notice on the spread of Medusa.

“Medusa is a ransomware-as-a-service (RaaS) variant first identified in June 2021. As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing.”

In a statement to Newsweek, CISA said that in one particular case, after paying the ransom, one victim was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom amount already paid and requested half of the payment be made again to provide the “true decryptor” in what the agency describes as a potential “triple extortion scheme.”

Speaking to Forbes, Google spokesperson Ross Richendrfer says the most important thing hacking victims can do is act quickly – preferably within Google’s one-week grace period following any recovery phone number change that allows the user to regain control of the account.

Richendrfer recommends that Google users already have a recovery phone number and email attached to their account.

“These can be used in cases where users forget their own passwords [or]if an attacker changes the credentials after hijacking the account…

“When you change your recovery email… you may be able to choose to get sign-in codes sent to your previous recovery email for one week.”

Follow us on X, Facebook and Telegram

Don’t Miss a Beat – Subscribe to get email alerts delivered directly to your inbox

Check Price Action

Surf The Daily Hodl Mix

&nbsp

Disclaimer: Opinions expressed at The Daily Hodl are not investment advice. Investors should do their due diligence before making any high-risk investments in Bitcoin, cryptocurrency or digital assets. Please be advised that your transfers and trades are at your own risk, and any losses you may incur are your responsibility. The Daily Hodl does not recommend the buying or selling of any cryptocurrencies or digital assets, nor is The Daily Hodl an investment advisor. Please note that The Daily Hodl participates in affiliate marketing.

Generated Image: Midjourney

The post FBI Issues ‘Medusa’ Alert As Hackers Target Critical Infrastructure, Extort Victims for Cash appeared first on The Daily Hodl.