
FBI and CISA issue urgent warning as Medusa ransomware targets Gmail and Outlook users, with hackers demanding up to $15 million from victims and threatening to publish stolen data if not paid.
Quick Takes
- Medusa ransomware has impacted over 300 victims as of February 2025, primarily spreading through phishing emails that mimic legitimate communications
- Ransom demands have ranged from $100,000 to $15 million, with hackers using “double extortion” tactics – encrypting data and threatening to leak sensitive information
- A group called Spearwing is behind the attacks, recruiting access brokers with payments between $100 and $1 million
- The FBI and CISA recommend implementing multi-factor authentication, regular data backups, and network segmentation to protect against these threats
Critical Threat to Email Users and Organizations
Federal authorities have issued a stark warning about a sophisticated ransomware variant called “Medusa” that’s actively targeting users of popular email services like Gmail and Outlook. First identified in June 2021, this malware has evolved into a significant threat, particularly for critical infrastructure sectors including healthcare. The ransomware is distributed primarily through carefully crafted phishing campaigns designed to trick recipients into clicking malicious links or downloading infected attachments. Once successful, the attackers gain access to systems, encrypt data, and demand substantial ransoms from victims.
According to the joint cybersecurity advisory, Medusa ransomware is linked to a group known as Spearwing, which has victimized hundreds of organizations since early 2023. The group employs what security experts call “double extortion” tactics – not only encrypting victims’ data but also stealing sensitive information before encryption and threatening to publish it on their data leaks site if ransom demands aren’t met. This approach significantly increases pressure on victims to pay, as they face both operational disruption and potential exposure of confidential information.
Do you use Gmail or Outlook? FBI, CISA issue warning about Medusa ransomware https://t.co/QcX4ZkE7nz
— USA TODAY (@USATODAY) March 18, 2025
Financial Impact and Recruitment Tactics
The financial stakes in these attacks are extraordinarily high. Ransom demands have ranged from $100,000 to as much as $15 million, depending on the size and nature of the targeted organization. To expand their operations, Spearwing actively recruits “access brokers” – individuals who can provide initial entry points into victim networks. These brokers are reportedly paid between $100 and $1 million based on the value of the target and level of access provided. The group’s business model demonstrates the highly organized and financially motivated nature of modern ransomware operations.
“Like the majority of ransomware operators, Spearwing and its affiliates carry out double extortion attacks, stealing victims’ data before encrypting networks in order to increase the pressure on victims to pay a ransom. If victims refuse to pay, the group threatens to publish the stolen data on their data leaks site,” cybersecurity brand Symantec wrote in a recent blog.
As of February 2025, authorities report that over 300 victims have been impacted by Medusa ransomware. Security researchers have documented approximately 400 victims listed on Spearwing’s data leaks site, indicating the extensive reach of these attacks. The group has demonstrated particular interest in critical infrastructure, with healthcare organizations among their primary targets. In many cases, the attackers hijack legitimate accounts to move laterally through networks, making detection more difficult and increasing their chances of successful encryption.
Protecting Your Systems and Data
The FBI and CISA have outlined several critical steps organizations should take to protect themselves from Medusa and similar ransomware threats. Implementing multifactor authentication (preferably using authenticator apps rather than codes sent by SMS text message) provides a significant barrier against unauthorized access, including access via credentials harvested through phishing. Regular system updates and patching of known vulnerabilities are essential, as the attackers frequently exploit unpatched software. Network segmentation can limit lateral movement, preventing attackers from accessing critical systems even if they breach initial defenses.
Perhaps most important is maintaining secure, offline backups of critical data. These backups should be regularly tested to ensure they can be successfully restored in case of an attack. Individual users should be vigilant about suspicious emails, independently verifying the legitimacy of unexpected communications—especially those containing attachments or requests to click links. When in doubt, contact the purported sender through separate means, such as a phone call to a known number. Suspicious activity should be reported immediately to IT security teams to minimize potential damage.