Federal authorities are warning organizations and everyday email users, including those on Gmail and Outlook, about a ransomware operation whose affiliates have stolen data from hundreds of victims, among them organizations in the medical, education, legal, insurance, technology, and manufacturing sectors.
The ransomware variant, called "Medusa," was first identified in June 2021, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI said in a joint advisory issued March 12.
“This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors,” the agencies said. “These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware.”
As of February 2025, Medusa attacks have impacted more than 300 victims, according to the agencies. The Medusa developers typically recruit initial access brokers on cybercriminal forums and marketplaces, offering these affiliates between $100 and $1 million for access to potential victims. The affiliates rely on common techniques to get in, such as phishing campaigns to steal credentials and the exploitation of unpatched software vulnerabilities, the FBI and CISA said.
Here is what to know about the ransomware, including who is allegedly behind the attacks and how people can protect their data.
Symantec: Group operating ransomware identified as Spearwing
A March 6 blog post by Symantec, Broadcom's enterprise security brand, says a group it tracks as Spearwing is operating the ransomware.
“Like the majority of ransomware operators, Spearwing and its affiliates carry out double extortion attacks, stealing victims’ data before encrypting networks in order to increase the pressure on victims to pay a ransom,” Symantec’s blog post says. “If victims refuse to pay, the group threatens to publish the stolen data on their data leaks site.”
According to Symantec, Spearwing has claimed hundreds of victims since the group first became active in early 2023. The group lists around 400 victims on its data leaks site, and the true number is likely much higher, the blog post says.
The ransoms demanded by Spearwing using the Medusa ransomware have ranged from $100,000 up to $15 million, according to Symantec. In addition to gaining access to victims’ networks, the group is also hijacking legitimate accounts, including those of healthcare organizations, the blog post says.
“In several of the Medusa attacks observed by Symantec it wasn’t possible to definitively determine how the attackers had gained initial access to victims’ networks, meaning an infection vector other than exploits could have been used,” according to the blog post.
How can people protect themselves from Medusa ransomware?
To mitigate Medusa ransomware, the FBI and CISA recommend that organizations:
- Develop a recovery plan that keeps multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location, such as separate hard drives, other storage devices, or the cloud.
- Require all accounts with password logins, including service and administrator accounts, to use long passwords that meet current standards. The advisory notes that forcing frequent password changes can weaken security rather than improve it.
- Require multifactor authentication for all services, particularly for webmail, virtual private networks, and accounts that access critical systems.
- Make sure all operating systems, software, and firmware are up to date.
- Segment networks to prevent the spread of ransomware.
- Identify, detect, and investigate abnormal activity and potential traversal of the ransomware across the network with a network monitoring tool.
- Require VPNs or Jump Hosts for remote access.
- Monitor for unauthorized scanning and access attempts.
- Filter network traffic by stopping unknown or untrusted origins from accessing remote services on internal systems.
- Disable unused ports.
- Keep offline backups of data and regularly maintain backup and restoration.
- Make sure all backup data is encrypted and immutable, meaning it cannot be altered or deleted.
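Two of the recommendations above, monitoring for unauthorized scanning and for unauthorized access attempts, are the kind of check a defender can script against existing logs. The following is an added example written for this page; it is not code from CISA, the FBI, or Symantec. It runs two simple detections over constructed sample log lines (the firewall and VPN log format, the IP addresses, the usernames, and the thresholds are all assumptions made for illustration): a source that touches many distinct ports on one host in a short window, which is the signature of a port scan, and a source that produces a burst of failed VPN logins for one user, with a flag for the case where a success follows the burst, since that is the pattern of a password being guessed or reused after a phishing campaign.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not from any real incident).
# Mixed firewall connection records and VPN authentication records.
SAMPLE_LOGS = """\
2025-03-12T09:00:01 fw conn src=203.0.113.7 dst=10.0.0.5 dport=22 action=deny
2025-03-12T09:00:02 fw conn src=203.0.113.7 dst=10.0.0.5 dport=23 action=deny
2025-03-12T09:00:02 fw conn src=203.0.113.7 dst=10.0.0.5 dport=80 action=allow
2025-03-12T09:00:03 fw conn src=203.0.113.7 dst=10.0.0.5 dport=443 action=allow
2025-03-12T09:00:03 fw conn src=203.0.113.7 dst=10.0.0.5 dport=445 action=deny
2025-03-12T09:00:04 fw conn src=203.0.113.7 dst=10.0.0.5 dport=3389 action=deny
2025-03-12T09:00:04 fw conn src=203.0.113.7 dst=10.0.0.5 dport=5985 action=deny
2025-03-12T09:00:05 fw conn src=203.0.113.7 dst=10.0.0.5 dport=8080 action=deny
2025-03-12T09:00:06 fw conn src=203.0.113.7 dst=10.0.0.5 dport=8443 action=deny
2025-03-12T09:00:06 fw conn src=203.0.113.7 dst=10.0.0.5 dport=1433 action=deny
2025-03-12T09:00:07 fw conn src=203.0.113.7 dst=10.0.0.5 dport=3306 action=deny
2025-03-12T09:00:08 fw conn src=203.0.113.7 dst=10.0.0.5 dport=5900 action=deny
2025-03-12T09:05:00 fw conn src=198.51.100.20 dst=10.0.0.5 dport=443 action=allow
2025-03-12T09:05:10 fw conn src=198.51.100.20 dst=10.0.0.5 dport=443 action=allow
2025-03-12T09:10:00 vpn auth src=192.0.2.9 user=jsmith result=fail
2025-03-12T09:10:08 vpn auth src=192.0.2.9 user=jsmith result=fail
2025-03-12T09:10:16 vpn auth src=192.0.2.9 user=jsmith result=fail
2025-03-12T09:10:24 vpn auth src=192.0.2.9 user=jsmith result=fail
2025-03-12T09:10:32 vpn auth src=192.0.2.9 user=jsmith result=fail
2025-03-12T09:10:40 vpn auth src=192.0.2.9 user=jsmith result=fail
2025-03-12T09:11:00 vpn auth src=192.0.2.9 user=jsmith result=success
2025-03-12T09:20:00 vpn auth src=198.51.100.20 user=akhan result=fail
2025-03-12T09:20:30 vpn auth src=198.51.100.20 user=akhan result=success
"""

# Assumed line layout: ISO timestamp, a record kind, then key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>fw conn|vpn auth) (?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    return {"ts": datetime.fromisoformat(m.group("ts")), "kind": m.group("kind"), **fields}


def detect_port_scans(events, window=timedelta(seconds=60), min_ports=10):
    """Flag (src, dst) pairs where one source touches >= min_ports distinct ports within `window`."""
    by_pair = defaultdict(list)
    for e in events:
        if e["kind"] == "fw conn":
            by_pair[(e["src"], e["dst"])].append(e)
    alerts = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(evs):  # sliding window anchored at each event
            ports = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                ports.add(e["dport"])
            best = max(best, len(ports))
        if best >= min_ports:
            alerts.append({"src": src, "dst": dst, "distinct_ports": best})
    return alerts


def detect_failed_logins(events, window=timedelta(seconds=60), min_failures=5):
    """Flag (src, user) pairs with >= min_failures failures inside `window`; note a later success."""
    by_key = defaultdict(list)
    for e in events:
        if e["kind"] == "vpn auth":
            by_key[(e["src"], e["user"])].append(e)
    alerts = []
    for (src, user), evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "fail"]
        best = 0
        for i, start in enumerate(fails):
            best = max(best, sum(1 for e in fails[i:] if e["ts"] - start["ts"] <= window))
        if best >= min_failures:
            last_fail = fails[-1]["ts"]
            # A success after the burst is the higher-priority alert: the password may have been guessed.
            success_after = any(e["result"] == "success" and e["ts"] > last_fail for e in evs)
            alerts.append({"src": src, "user": user, "failures": best, "success_after_burst": success_after})
    return alerts


def analyze(log_text):
    """Run both detections over raw log text and return the alerts."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {"port_scans": detect_port_scans(events), "failed_logins": detect_failed_logins(events)}


if __name__ == "__main__":
    for category, alerts in analyze(SAMPLE_LOGS).items():
        for a in alerts:
            print(category, a)
```

On the sample data the scan detector flags 203.0.113.7 for touching 12 distinct ports on one host in under ten seconds, while the second source, which only reuses port 443, is ignored; the login detector flags the six failures for jsmith from 192.0.2.9 and marks that a success followed, which is the case that should be escalated, while the single failure for akhan falls under the threshold. In practice the thresholds and windows should be tuned to the environment, and the successful login after a burst should feed the MFA and VPN access checks the advisory recommends rather than stand alone.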
Jonathan Limehouse covers breaking and trending news for USA TODAY. Reach him at [email protected].