CISA: More than 300 critical infrastructure orgs attacked by Medusa ransomware
The Medusa ransomware gang has attacked more than 300 victims in critical infrastructure sectors, spanning healthcare, education and other industries. The group launches its attacks through phishing and vulnerability exploitation, and recruits initial access brokers to obtain access to targets. It employs a triple-extortion strategy, demanding a further ransom after the first payment. In 2023 the group carried out a major attack on Minneapolis Public Schools, leaking large amounts of student data. 2025-3-12 20:19:15 Author: therecord.media

The Medusa ransomware gang has attacked over 300 victims in critical infrastructure sectors, according to U.S. cybersecurity agencies. 

An advisory from the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) on Wednesday said the group and its affiliates have attacked organizations in the medical, education, legal, insurance, technology and manufacturing industries. 

The ransomware-as-a-service group emerged in June 2021 and continues to cause havoc through relatively basic attacks that start with phishing and exploiting unpatched vulnerabilities. 

The group’s affiliates have been seen exploiting CVE-2024-1709 — a controversial vulnerability impacting the popular ScreenConnect remote access tool — as well as CVE-2023-48788, which affects products from security company Fortinet. 

Medusa — which the FBI said is not the same as the MedusaLocker variant and the Medusa mobile malware variant — initially started as a closed group operated by developers and hackers before expanding to an affiliate model. Ransom negotiations are still controlled by the ransomware gang’s developers but they typically “recruit initial access brokers (IABs) in cybercriminal forums and marketplaces to obtain initial access to potential victims.”

“Potential payments between $100 USD and $1 million USD are offered to these affiliates with the opportunity to work exclusively for Medusa,” the agencies said.

The Medusa ransom note orders victims to contact them within 48 hours. If there is no response, the hackers contact them by phone or email. The gang’s leak site advertises stolen data and offers it to anyone for a price. 

“FBI investigations identified that after paying the ransom, one victim was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom amount already paid and requested half of the payment be made again to provide the ‘true decryptor’ — potentially indicating a triple extortion scheme,” the advisory said. 

Medusa drew attention in 2023 for an attack on Minneapolis Public Schools, which exposed troves of sensitive student documents impacting more than 100,000 people. 

In addition to attacks on the Pacific island nation of Tonga, it has targeted municipalities in France and government agencies in the Philippines as well as a technology company created by two of Canada’s largest banks. 

Government bodies in Illinois and Texas have also been affected by the group’s attacks. But one of the group’s most recent claims, of an attack on the city of Aurora, Colorado, was disputed by local officials in comments to Recorded Future News.


Source: https://therecord.media/medusa-ransomware-targeting-critical-infrastructure-orgs