The Register

Medusa ransomware affiliate tried triple extortion scam – up from the usual double demand

A crook who distributes the Medusa ransomware tried to make a victim cough up three payments instead of the usual two, according to a government advisory on how to defend against the malware and the gangs who wield it.

The joint report issued on Wednesday by the FBI, CISA, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) reminds us that Medusa is a globe-spanning ransomware-as-a-service (RaaS) operation that recruits third-party affiliates to plant ransomware and negotiate with victims once their data has been encrypted.

Uncle Sam’s infosec agencies prefer to call those affiliates “Medusa actors.” They’re also sometimes labeled “initial access brokers” (IABs) because part of their job is to crack victims’ IT defenses so that systems can be infected.

Whatever you call these third-party entities, they often attack with credential-stealing phishing campaigns or by exploiting unpatched software bugs. Among their favorite flaws to target are CVE-2024-1709, a critical ConnectWise ScreenConnect authentication bypass bug, and the Fortinet EMS SQL injection vulnerability CVE-2023-48788.

Once Medusa miscreants get their ransomware running, they use a double extortion strategy that sees them demand payments to decrypt the scrambled data and to prevent its release. Even orgs that have good ransomware recovery regimes, meaning they don’t need to unscramble encrypted data as they have good backups and fall-back plans, may consider paying to prevent the release of their stolen data, given the unpleasant consequences that follow information leaks.

Medusa actors also set a deadline for victims to pay ransoms and provide a countdown timer that makes it plain when stolen info will be sprayed across the internet. If victims cough up $10,000 in cryptocurrency, the crims push the deadline forward by 24 hours.

The advisory reveals one Medusa actor has taken things a step further.

“FBI investigations identified that after paying the ransom, one victim was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom amount already paid,” the advisory states.

That separate actor then “requested half of the payment be made again to provide the ‘true decryptor’,” the advisory states, describing this incident as “potentially indicating a triple extortion scheme.”

This is not good news because it suggests victims’ details are being shared among multiple Medusa scumbags.

But it does not necessarily indicate a lack of honor among thieves, because Medusa’s operators pay the actors they recruit between $100 and $1 million to work exclusively with their RaaS crew. That investment pays off because affiliate actors share ransom payments with Medusa’s developers.

Demanding more ransoms therefore pays off for everyone in the Medusa ecosystem.

Infections rising fast

Another item of unwelcome news in the Wednesday advisory is that as of February 2025 Medusa has claimed at least 300 victims “from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing.”

Just last month Medusa affiliates infected HCRG Care Group, a UK-based private health and social services provider, and demanded $2 million (£1.5 million) to keep the stolen information under wraps. It’s believed the pilfered records included people’s names, dates of birth, passports, IDs, and birth certificates, home and email addresses, phone numbers, medical histories, and more.

When DataBreaches.net reported those details, it said it was hit with a London High Court injunction brought by HCRG, which the website ultimately ignored because the dot-net’s US-based operators are outside the jurisdiction of the High Court of England and Wales. The lawyers said the injunction compels publishers to not assist in the dissemination, direct or otherwise, of “some or all of the confidential information stolen during the cyber-attack,” and demanded two articles about the Medusa infection be taken down. DataBreaches.net had in those two stories linked to a separate blog that had obtained and published redacted samples of the stolen healthcare data.

The Register, which broke the news of HCRG’s ransomware infection, has not had similar contact with the provider’s law firm. DataBreaches.net said its domain registrar was made aware of the court order and also chose not to take action.

Also in February, the malware crew attacked Gateshead Council in north east England, dumped the stolen files on its leak site and posted a $778,000 (£600,000) ransom demand.

The group claimed more than 40 victims in the first two months of 2025 alone, according to Symantec researchers, who noted the true number of infections is probably higher.

Cyberattacks involving this type of ransomware jumped 42 percent between 2023 and 2024, Symantec said, adding that affiliates’ ransom demands range from $100,000 (£80,000) to $15 million (£12 million).

Once they’ve gained access to a victim’s systems, Medusa actors use “living off the land” techniques to move laterally across compromised networks. The ransomware scum also use remote-access programs and other software already present in the victim environment such as AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, and Splashtop.

“Medusa uses these tools — in combination with Remote Desktop Protocol (RDP) and PsExec — to move laterally through the network and identify files for exfiltration and encryption,” according to the Feds’ advisory.

The criminals have also been spotted using Mimikatz for credential dumping and Rclone for data exfiltration.
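A defender-side triage sketch, added here and not taken from the advisory or from The Register, to show how the tool list above can be turned into a first-pass hunt: it scans constructed process-creation events for the remote-access tools and the PsExec/Mimikatz/Rclone utilities the advisory names, treats tools an organisation has sanctioned as benign (they are, after all, often already present in the environment), and escalates any host that shows both an unapproved remote-access tool and one of the high-risk utilities. Host names, user names and file paths in the sample are invented.

```python
import json

# Tool names as listed in the advisory summary above; matched as substrings after
# normalisation (lower-case, alphanumerics only), so "PDQ Deploy" and "PDQDeploy" both match.
RMM_TOOLS = ("AnyDesk", "Atera", "ConnectWise", "eHorus", "N-able", "PDQ Deploy",
             "PDQ Inventory", "SimpleHelp", "Splashtop")
HIGH_RISK = ("PsExec", "Mimikatz", "Rclone")

def _norm(text):
    return "".join(ch for ch in text.lower() if ch.isalnum())

def classify(event, approved_rmm):
    """Return (severity, reason) for one process-creation event, or None if nothing matched."""
    blob = _norm(event.get("image", "") + " " + event.get("cmdline", ""))
    for tool in HIGH_RISK:
        if _norm(tool) in blob:
            return ("high", f"{tool} observed")
    approved = {_norm(t) for t in approved_rmm}
    for tool in RMM_TOOLS:
        if _norm(tool) in blob:
            if _norm(tool) in approved:
                continue  # sanctioned tool that is legitimately present in the environment
            return ("medium", f"unapproved remote-access tool {tool}")
    return None

def triage(lines, approved_rmm=()):
    """Scan JSON-lines process events and escalate hosts that show both an unapproved
    remote-access tool and a high-risk utility, the combination the advisory describes."""
    findings, per_host = [], {}
    for line in lines:
        ev = json.loads(line)
        hit = classify(ev, approved_rmm)
        if hit:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "severity": hit[0], "reason": hit[1]})
            per_host.setdefault(ev["host"], set()).add(hit[0])
    for host, severities in per_host.items():
        if {"medium", "high"} <= severities:
            findings.append({"host": host, "user": "-", "severity": "critical",
                             "reason": "remote-access tool plus high-risk tool on one host"})
    return findings

# Constructed sample events (hypothetical hosts, users and paths), not real telemetry.
SAMPLE_EVENTS = [
    r'{"host":"ws-17","user":"jsmith","image":"C:\\Program Files\\Splashtop\\SRService.exe","cmdline":""}',
    r'{"host":"ws-17","user":"jsmith","image":"C:\\Users\\jsmith\\Downloads\\AnyDesk.exe","cmdline":""}',
    r'{"host":"ws-17","user":"jsmith","image":"C:\\Windows\\Temp\\PsExec64.exe","cmdline":""}',
    r'{"host":"srv-files-01","user":"svc_backup","image":"C:\\Users\\Public\\rclone.exe","cmdline":""}',
    r'{"host":"ws-22","user":"amiller","image":"C:\\Windows\\System32\\notepad.exe","cmdline":""}',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, approved_rmm=("Splashtop",)):
        print(f"{f['severity']:8} {f['host']:14} {f['user']:12} {f['reason']}")
```

Name matching is a heuristic that renamed binaries evade and that short names can false-positive on; a production rule should key on signer, hash or known install paths and feed the approved list from the organisation's own software inventory.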

To avoid falling victim to Medusa, the Feds recommend storing multiple copies of sensitive and/or proprietary data in an air-gapped location, and using network segmentation to make it harder for attackers to move laterally.

The advisory also reminds readers that infosec staples such as multi-factor authentication, prompt patching, and long, strong passwords can all help to make life harder for Medusa’s developers and lackeys. ®
