Medusa Ransomware
What is Medusa Ransomware?
A ransomware-as-a-service operation active since 2021 that uses double extortion, a public 'Medusa Blog' leak site, and frequently targets healthcare and education.
Medusa, distinct from the older MedusaLocker, surfaced in mid-2021 and had matured into a high-profile ransomware-as-a-service brand by 2023. CISA and the FBI issued joint advisory AA25-071A in March 2025, stating that Medusa developers and affiliates had impacted more than 300 organizations across critical-infrastructure sectors, including healthcare, education, and manufacturing. Affiliates gain entry through initial access brokers, phishing, and exploitation of unpatched internet-facing services such as Microsoft Exchange ProxyShell (CVE-2021-31207). They exfiltrate data before encrypting files with AES-256, then run a double-extortion scheme: a ransom demand for the decryptor, a countdown on the public 'Medusa Blog' leak site that victims can pay to extend, and an offer to sell the stolen data to third parties. The FBI has also documented a triple-extortion twist in which a second Medusa actor contacted a victim that had already paid, claimed the negotiator had stolen the ransom, and demanded a further payment for the 'true' decryptor. A notable victim was Minneapolis Public Schools in early 2023; after the district declined a $1 million demand, the stolen files, reported to include some 200,000 student records, were dumped publicly.
● Examples
- 01
March 2025 CISA advisory AA25-071A attributing 300+ victims across critical infrastructure to Medusa.
- 02
2023 Minneapolis Public Schools breach in which Medusa leaked sensitive student data.
● Frequently asked questions
What is Medusa Ransomware?
A ransomware-as-a-service operation active since 2021 that uses double extortion, a public 'Medusa Blog' leak site, and frequently targets healthcare and education. It belongs to the Malware category of cybersecurity.
What does Medusa Ransomware mean?
A ransomware-as-a-service operation active since 2021 that uses double extortion, a public 'Medusa Blog' leak site, and frequently targets healthcare and education.
How does Medusa Ransomware work?
Medusa, distinct from the older MedusaLocker, surfaced in mid-2021 and had matured into a high-profile ransomware-as-a-service brand by 2023. CISA and the FBI issued joint advisory AA25-071A in March 2025, stating that Medusa developers and affiliates had impacted more than 300 organizations across critical-infrastructure sectors, including healthcare, education, and manufacturing. Affiliates gain entry through initial access brokers, phishing, and exploitation of unpatched internet-facing services such as Microsoft Exchange ProxyShell (CVE-2021-31207). They exfiltrate data before encrypting files with AES-256, then run a double-extortion scheme: a ransom demand for the decryptor, a countdown on the public 'Medusa Blog' leak site that victims can pay to extend, and an offer to sell the stolen data to third parties. The FBI has also documented a triple-extortion twist in which a second Medusa actor contacted a victim that had already paid, claimed the negotiator had stolen the ransom, and demanded a further payment for the 'true' decryptor. A notable victim was Minneapolis Public Schools in early 2023; after the district declined a $1 million demand, the stolen files, reported to include some 200,000 student records, were dumped publicly.
How do you defend against Medusa Ransomware?
Because Medusa affiliates typically arrive through phished credentials, purchased access, or unpatched internet-facing services, the mitigations CISA and the FBI list in AA25-071A target that entry path first: patch internet-exposed systems promptly, enforce multi-factor authentication on VPN, webmail and administrative accounts, and restrict or monitor RDP and remote-management tooling so that only approved tools reach the network. Segment networks so a single foothold cannot reach file servers and backups, keep offline or immutable backups and test restores, audit accounts with administrative privileges, and run endpoint detection that alerts on mass file renames, shadow-copy deletion and unexpected remote-access software. Because data is stolen before it is encrypted, backups alone do not remove the extortion lever; egress monitoring and an incident-response plan that assumes the stolen data will be published are part of the defence.
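Monitoring for the bulk-encryption phase is the endpoint-side half of that defence. The following is an added example, not code from the page, from the advisory, or from any Medusa tooling: a sliding-window detector in Python that reads constructed file-event log lines and flags (a) a process that renames many files with an extension change across several directories within a short window and (b) creation of the Medusa ransom note. The .MEDUSA extension and the !!!READ_ME_MEDUSA!!!.txt note name are the indicators published in AA25-071A; the log line format, host names, process image names, and the thresholds are assumptions made for this example.

```python
"""Sliding-window detector for the bulk-encryption phase of a Medusa-style
ransomware run, evaluated against constructed file-event log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Indicators from CISA/FBI advisory AA25-071A: encrypted files receive the
# .MEDUSA extension and the ransom note is named !!!READ_ME_MEDUSA!!!.txt.
MEDUSA_EXT = ".medusa"
MEDUSA_NOTE = "!!!read_me_medusa!!!.txt"

# Assumed log format for this example (not any product's real schema):
#   <ISO-8601 ts>|<host>|<process image>|<RENAME|CREATE|WRITE>|<src path>|<dst path>
# For CREATE/WRITE the src field is empty and dst is the path touched.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\|(?P<host>[^|]+)\|(?P<image>[^|]+)\|"
    r"(?P<action>[A-Z]+)\|(?P<src>[^|]*)\|(?P<dst>[^|]*)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def _parts(path):
    """Split a Windows path into (directory, filename)."""
    directory, _, name = path.replace("/", "\\").rpartition("\\")
    return directory, name


def _ext(name):
    """Lower-cased extension of a filename, or '' if it has none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def detect(lines, window=timedelta(seconds=60), threshold=30, min_dirs=3):
    """Return findings for a ransom-note drop and for a burst of
    extension-changing renames by one process across several directories
    inside `window`. Each (host, image, rule) pair fires at most once."""
    findings = []
    recent = defaultdict(deque)  # (host, image) -> deque of (ts, directory)
    fired = set()

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip unparsable lines instead of crashing the pipeline
        key = (ev["host"], ev["image"])
        dst_dir, dst_name = _parts(ev["dst"])

        # High-confidence indicator: the Medusa ransom note is created.
        if ev["action"] == "CREATE" and dst_name.lower() == MEDUSA_NOTE:
            if (key, "note") not in fired:
                fired.add((key, "note"))
                findings.append({"rule": "medusa-ransom-note", "host": ev["host"],
                                 "image": ev["image"], "path": ev["dst"], "ts": ev["ts"]})
            continue

        # Behavioural indicator: many renames that change the file extension.
        if ev["action"] != "RENAME":
            continue
        _, src_name = _parts(ev["src"])
        if _ext(src_name) == _ext(dst_name):
            continue
        q = recent[key]
        q.append((ev["ts"], dst_dir))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # drop events that fell out of the sliding window
        dirs = {d for _, d in q}
        if len(q) >= threshold and len(dirs) >= min_dirs and (key, "burst") not in fired:
            fired.add((key, "burst"))
            rule = ("medusa-extension-burst" if dst_name.lower().endswith(MEDUSA_EXT)
                    else "bulk-rename-burst")
            findings.append({"rule": rule, "host": ev["host"], "image": ev["image"],
                             "count": len(q), "dirs": sorted(dirs), "ts": ev["ts"]})
    return findings


def build_sample():
    """Constructed sample: a backup agent writing files, a user renaming a few
    files by hand, then a process renaming 40 files in 4 shares to .MEDUSA and
    dropping the ransom note. Hosts, paths and image names are invented."""
    t0 = datetime(2025, 3, 12, 10, 0, 0, tzinfo=timezone.utc)

    def ts(sec):
        return (t0 + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = [f"{ts(i)}|WS01|C:\\Program Files\\Backup\\agent.exe|WRITE||C:\\Backup\\set{i}.bak"
             for i in range(5)]
    lines += [f"{ts(10 + i)}|WS02|C:\\Windows\\explorer.exe|RENAME|"
              f"C:\\Users\\a\\draft{i}.txt|C:\\Users\\a\\draft{i}.md" for i in range(3)]
    shares = ["Finance", "HR", "Legal", "Engineering"]
    for i in range(40):
        src = f"C:\\Share\\{shares[i % 4]}\\doc{i}.docx"
        lines.append(f"{ts(30 + i // 2)}|WS01|C:\\Users\\Public\\svc.exe|RENAME|{src}|{src}.MEDUSA")
    lines.append(f"{ts(60)}|WS01|C:\\Users\\Public\\svc.exe|CREATE||"
                 f"C:\\Share\\Finance\\!!!READ_ME_MEDUSA!!!.txt")
    lines.append("not a log line")  # exercises the malformed-input path
    return lines


if __name__ == "__main__":
    for f in detect(build_sample()):
        print(f["rule"], f["host"], f["image"], f.get("count", f.get("path")))
```

The rename burst fires on the 30th extension-changing rename by one process, regardless of the target extension, so a new Medusa build that changes its suffix still trips `bulk-rename-burst`; the `.medusa` check only upgrades the rule name. The note-drop rule is cheap and high-confidence but fires late, after encryption has begun, which is why the behavioural rule sits beside it.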
What are other names for Medusa Ransomware?
Common alternative names include: Medusa. 'Medusa Blog' is the name of the group's data-leak site rather than an alias for the ransomware, and Medusa should not be confused with the unrelated MedusaLocker.
● Related terms
- malware№ 900
Ransomware
Malware that encrypts a victim's data or locks systems and demands payment in exchange for restoring access.
- malware№ 902
Ransomware-as-a-Service (RaaS)
A criminal business model in which ransomware operators rent their malware and infrastructure to affiliates who carry out attacks and share the proceeds.
- defense-ops№ 536
Initial Access Broker (IAB)
A cybercrime specialist who obtains unauthorised access to corporate networks and sells that access to other criminals, especially ransomware affiliates.
- vulnerabilities№ 874
ProxyShell
A 2021 exploit chain in Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) that combined three flaws into unauthenticated remote code execution.