FBI Alert: How Medusa Ransomware is Targeting Email Users


The FBI has issued an urgent warning about Medusa ransomware targeting Gmail and Outlook users, with victims facing ransom demands up to $15 million and threats to leak sensitive data if payment isn’t made.

Quick Takes

  • Medusa ransomware has impacted over 300 victims since first appearing in June 2021, with hackers demanding between $100,000 and $15 million in ransom
  • The criminal group Spearwing conducts “double extortion” attacks, stealing data before encrypting networks, then threatening to publish the stolen information if victims don’t pay
  • Common attack methods include phishing emails designed to look like legitimate communications and exploiting unpatched software vulnerabilities
  • The FBI and CISA recommend implementing multi-factor authentication, maintaining offline backups, and developing comprehensive recovery plans to protect against ransomware

Widespread Ransomware Threat Targeting Critical Industries

Federal authorities have sounded the alarm about a sophisticated ransomware variant called “Medusa” that’s specifically targeting users of popular email platforms like Gmail and Outlook. First identified in June 2021, this malicious software has already compromised more than 300 entities across various sectors, with a particular focus on critical infrastructure and healthcare organizations. The Medusa operation has grown significantly in scale and sophistication, with a group called Spearwing identified as the primary operator according to cybersecurity firm Symantec.

The FBI and Cybersecurity and Infrastructure Security Agency (CISA) issued a joint advisory as part of their #StopRansomware initiative to help organizations understand and protect against this growing threat. According to federal authorities, Medusa’s developers recruit access brokers who are paid between $100 and $1 million to provide initial entry into victim networks. These criminals then deploy advanced tactics to move through systems, stealing and encrypting sensitive data before demanding substantial ransoms.

How Medusa Ransomware Operates

The primary infection method used by Medusa operators involves phishing emails that appear to come from legitimate sources. These deceptive messages often contain malicious attachments or links that, when clicked, provide attackers with a foothold in the victim’s system. Once inside, the malware spreads throughout the network, identifying and encrypting valuable data. Attackers also siphon off sensitive information before encryption, setting up the “double extortion” scenario that has become their calling card.

“Like the majority of ransomware operators, Spearwing and its affiliates carry out double extortion attacks, stealing victims’ data before encrypting networks in order to increase the pressure on victims to pay a ransom. If victims refuse to pay, the group threatens to publish the stolen data on their data leaks site,” cybersecurity brand Symantec wrote in a recent blog.

Ransom demands have ranged from $100,000 to as high as $15 million, with payments typically demanded in cryptocurrency to complicate tracking efforts. Spearwing has established a dedicated data leaks site where they threaten to publish stolen information from victims who refuse to pay. According to reports, this site already contains data from approximately 400 victims attacked since early 2023, demonstrating the group’s extensive reach and operational capacity.

Protecting Your Systems and Data

The FBI and CISA have outlined several critical protective measures that individuals and organizations should implement immediately. First and foremost is the implementation of multi-factor authentication (MFA) for all accounts, with preference given to authenticator apps rather than text-based verification. Regular system updates are essential, as Medusa operators frequently exploit known vulnerabilities in unpatched software to gain initial access to systems.

Developing a comprehensive data backup strategy is critical. The agencies recommend maintaining multiple offline, encrypted backups stored in physically secure locations. Network segmentation can limit an attacker’s ability to move laterally through systems, while regular monitoring of network activity helps identify suspicious behavior before encryption begins. Users should also be vigilant about verifying the authenticity of unexpected emails, especially those containing links or attachments, and should independently confirm unusual requests through separate communication channels.
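The last recommendation, checking an unexpected message before anyone follows a link or opens an attachment, can be partly automated. The script below is an added example written for this article, not code from the FBI/CISA advisory, Symantec or the article itself. It reads a raw email, checks the receiving mail server's `Authentication-Results` header (SPF, DKIM and DMARC verdicts), compares the `From` and `Reply-To` domains, flags anchors whose visible URL points at a different host than their `href`, and lists attachments with commonly abused file types. The sample message is constructed, all domains use the reserved `.example` TLD, and the risky-extension list is an assumption, not from the advisory.

```python
"""Triage checks for an unexpected email before anyone clicks a link or opens
an attachment. Added example written for this article; it is not code from
the FBI/CISA advisory, Symantec or the article, and the message below is
constructed (all domains use the reserved .example TLD)."""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: display name impersonates a brand, authentication
# fails, Reply-To goes elsewhere, the link text lies about its target, and
# an archive is attached.
SAMPLE_EML = b"""\
From: "Trusted Bank Security" <alerts@mailer-collector.example>
Reply-To: support@reply-collector.example
To: user@victim.example
Subject: Action required: verify your account
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=mailer-collector.example; dkim=none; dmarc=fail header.from=mailer-collector.example
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be locked. Sign in at
<a href="http://login.mailer-collector.example/verify">https://login.trusted-bank.example</a>
and review the attached statement.</p></body></html>
--b1
Content-Type: application/zip; name="statement.zip"
Content-Disposition: attachment; filename="statement.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed benign message used for comparison.
CLEAN_EML = b"""\
From: "Colleague" <colleague@victim.example>
To: user@victim.example
Subject: Lunch
Authentication-Results: mx.victim.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset="utf-8"

Noon works for me.
"""

# Assumed list of attachment types worth a second look (not from the advisory).
RISKY_EXT = {".zip", ".rar", ".7z", ".iso", ".js", ".vbs", ".exe", ".scr", ".lnk", ".htm", ".html"}


def parse_auth_results(msg):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from the receiving
    server's Authentication-Results header(s) (RFC 8601 format)."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(header), re.I):
            results[method.lower()] = verdict.lower()
    return results


def find_link_mismatches(html):
    """Return (shown_host, real_host) pairs for anchors whose visible text is a
    URL on a different host than the href actually points to."""
    mismatches = []
    for href, text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        visible = re.sub(r"<[^>]+>", "", text).strip()
        if not re.match(r"https?://", visible, re.I):
            continue  # plain "click here" text: nothing to compare
        real_host = (urlparse(href).hostname or "").lower()
        shown_host = (urlparse(visible).hostname or "").lower()
        if real_host != shown_host:
            mismatches.append((shown_host, real_host))
    return mismatches


def risky_attachments(msg):
    """Return filenames of attachments whose extension is in RISKY_EXT."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if any(name.lower().endswith(ext) for ext in RISKY_EXT):
            names.append(name)
    return names


def triage(raw):
    """Run all checks; two or more findings means confirm the message through a
    separate channel before acting on it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    auth = parse_auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method} result: {auth.get(method, 'missing')}")
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(str(msg["Reply-To"] or ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        for shown, real in find_link_mismatches(body.get_content()):
            findings.append(f"link shows {shown} but points to {real}")
    for name in risky_attachments(msg):
        findings.append(f"risky attachment type: {name}")
    return {"findings": findings, "verdict": "suspicious" if len(findings) >= 2 else "ok"}


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EML), ("clean", CLEAN_EML)):
        result = triage(raw)
        print(label, result["verdict"])
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against a saved `.eml` by reading the file as bytes and passing it to `triage()`. The authentication verdicts only mean something when the `Authentication-Results` header was written by your own mail server, so in production strip any such header that arrives from outside before trusting it; the other checks (Reply-To mismatch, lying link text, archive attachments) are cheap indicators that do not prove a phish on their own but justify confirming the request through a separate channel, as the advisory recommends.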