
The FBI has issued an urgent warning about Medusa ransomware targeting Outlook and Gmail users, with ransom demands reaching as high as $15 million and hundreds of victims already affected.
Top Takeaways
- Medusa ransomware has victimized over 300 organizations across critical sectors including healthcare since its emergence in 2021
- Attackers demand ransoms between $100,000 and $15 million while threatening to publish stolen data if not paid
- The cybercriminal group Spearwing uses sophisticated phishing campaigns targeting Gmail and Outlook users
- Federal agencies recommend implementing multi-factor authentication, regular backups, and network segmentation to protect against attacks
- Companies should develop comprehensive recovery plans with multiple secure data copies to mitigate damage
Federal Agencies Sound the Alarm
The FBI and Cybersecurity and Infrastructure Security Agency (CISA) have jointly issued an urgent warning to American businesses and individuals about the growing threat of Medusa ransomware. First identified in June 2021, this ransomware operation specifically targets users of popular email platforms including Outlook and Gmail. The alert comes as part of the agencies’ #StopRansomware initiative, designed to help organizations protect their digital assets from increasingly aggressive cybercriminal syndicates operating internationally. Federal investigators have documented over 300 victims impacted by Medusa ransomware attacks as of February 2025.
Inside the Medusa Operation
According to cybersecurity experts, a group called Spearwing is behind the Medusa ransomware campaign. This organization recruits “access brokers” who specialize in compromising networks, paying them between $100 and $1 million depending on the target’s value. Their primary attack vectors include sophisticated phishing emails designed to look like legitimate communications and exploitation of unpatched software vulnerabilities. Once inside a network, the attackers deploy ransomware that encrypts critical data while simultaneously exfiltrating sensitive information for leverage in their extortion demands.
“Like the majority of ransomware operators, Spearwing and its affiliates carry out double extortion attacks, stealing victims’ data before encrypting networks in order to increase the pressure on victims to pay a ransom. If victims refuse to pay, the group threatens to publish the stolen data on their data leaks site,” cybersecurity brand Symantec wrote in a recent blog.
Since early 2023, Spearwing has successfully compromised approximately 400 organizations, with their data leaks site showcasing stolen information from those who refused to pay ransoms. The group is particularly dangerous because they also hijack legitimate accounts, including those belonging to healthcare organizations, to further their attacks. Ransom demands have ranged dramatically from $100,000 for smaller targets to as much as $15 million for large enterprises with sensitive data.
Protecting Your Digital Assets
The FBI and CISA have outlined several critical strategies to protect against Medusa and similar ransomware threats. Organizations should develop comprehensive recovery plans that include multiple copies of important data stored in physically separate, secure locations. Implementation of multi-factor authentication is essential, particularly using authenticator apps rather than text-based verification. Regular password changes using complex, unique credentials for each service provide an additional layer of security against credential-based attacks.
Other strategies include network segmentation, which prevents attackers from moving laterally through systems once they’ve gained access. Keeping all software and systems updated with the latest security patches closes vulnerabilities that ransomware operators exploit. Regular monitoring of network activity for unusual patterns can help identify breaches before they escalate to full-scale encryption events. Finally, maintaining offline, encrypted backups ensures that even if ransomware successfully compromises systems, critical data can be restored without paying criminals.