Menu
Browse

Cyber Threat Actor: Medusa Ransomware

Aliases: 3 aliases
Actor Type Location Known Incidents
 Icon
Crime Syndicate
Russia
26 incidents
Profile

Medusa ransomware, also tracked under the aliases Medusa and MedusaLocker, is a financially motivated cybercriminal group that has been publicly linked to Russia in open‑source reporting. Open sources describe the operation as a ransomware‑as‑a‑service (RaaS) model in which affiliates receive roughly sixty percent of ransom payments while the core group retains the remainder, a structure noted in a joint CISA‑Treasury‑FinCEN advisory. The group’s primary objective appears to be monetary gain through ransom demands coupled with the threat of publishing stolen data, a double‑extortion approach observed across multiple victim notifications. Targeting has been observed across a broad range of sectors including healthcare, education, government, finance, manufacturing, water utilities, logistics and retail, with victims located in the United States, United Kingdom, Australia, France, Italy, Chile, Argentina, Brazil and Colombia, indicating a geographically diverse focus that aligns with the group’s advertised activity in the Pacific region as the second‑most active cyber extortion group there.

Observed tactics, techniques and procedures include the exploitation of vulnerable Remote Desktop Protocol services, phishing emails and the use of PowerShell scripts to gain initial access, as noted in analyses of MedusaLocker infections. Once inside a network, the actors have been seen employing legitimate system tools to evade detection, disabling Microsoft Defender and establishing persistence mechanisms. The ransomware payload encrypts files while simultaneously exfiltrating data, after which the group publishes samples on a dedicated leak blog or Telegram channel and offers victims options such as paying a fee to extend the deletion deadline or paying a larger sum to delete or download the stolen data. Ransom amounts cited in public reports range from several thousand dollars to multi‑million‑dollar demands, with the group sometimes offering tiered pricing for delay or deletion options.

Representative incidents illustrate the group’s reach and impact. In February 2025, Medusa claimed a ransomware attack on Bell Ambulance in the United States that exposed personal, financial, medical and health‑insurance data of roughly 238 000 individuals. The same month, the UK‑based HCRG Care Group reported a Medusa‑linked breach involving 2.275 terabytes of sensitive files, including passport scans and staff records, accompanied by a $2 million ransom demand. Earlier in 2025, the Australian manufacturer Natures Organics disclosed a Medusa intrusion that exfiltrated approximately 143 gigabytes of employee identification, banking and payroll data, with a $150 000 extortion demand. Other notable cases include the encryption and data theft at the Royal Brighton Yacht Club in Australia, the disruption of Solano County Library services in the United States, the ransomware‑induced outage at Italian water supplier Alto Calore Servizi, and the claimed breach of Toyota Financial Services Europe & Africa where an $8 million ransom was alleged. Additional publicly reported operations involve the Colombian SECOP II procurement platform, Argentina’s INTA agricultural agency, Brazil’s LISA logistics firm, Chile’s SONDA IT multinational, Chile’s AhorroCoop savings cooperative, the Crown Princess Mary Cancer Centre in Australia, and multiple U.S. school districts such as Pineland Schools and Uniondale Union Free School District. These examples demonstrate the group’s repeated use of data theft and public leak threats to pressure victims into payment.

Attribution beyond the noted Russian location and the RaaS affiliation described in official advisories has not been established in the source material; no state sponsorship or broader criminal consortium linkages are asserted. The available information depicts Medusa as a financially driven ransomware operation that leverages remote access flaws, phishing, scripting and legitimate tools to infiltrate networks, steal data, and extort victims through ransom and leak threats across multiple industries and regions.

Incidents
Attributed incidents available to members
26 incidents
Sources
Sources available to members
10 sources