Gmail and Outlook users targeted by Medusa Ransomware, FBI and CISA issue warning

  • The FBI and CISA have issued a cybersecurity alert warning users of email services like Gmail and Outlook about the Medusa ransomware gang, active since 2021. Medusa employs a double extortion tactic, encrypting victim data and threatening to release it unless a ransom is paid.

Written By Ravi Hari
Published 15 Mar 2025, 06:44 PM IST
The Medusa ransomware gang is targeting major industries with phishing scams and software exploits. Authorities urge users to strengthen security with MFA, backups, and system updates to mitigate risks. (Representative Image)

The Federal Bureau of Investigation (FBI) and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued an urgent advisory warning users of email services such as Gmail and Outlook about a significant ransomware threat posed by the Medusa ransomware gang. This cybercriminal group has reportedly been active since 2021 and has increasingly adopted an affiliate model for its operations.

The Medusa Ransomware tactics

Medusa ransomware operators, referred to as "Medusa actors," employ a double extortion model where they encrypt a victim's data and then threaten to release the stolen information publicly if the ransom is not paid. The group primarily gains access through phishing emails and exploiting unpatched software vulnerabilities.

As of February 2025, Medusa has targeted more than 300 organisations across critical industries, including healthcare, education, legal, insurance, technology, and manufacturing. Victims often find their systems locked down and their sensitive information held hostage until a ransom is paid.

Recommended preventive measures

To mitigate the risks posed by Medusa ransomware, the FBI, CISA, and the Multi-State Information Sharing & Analysis Center (MS-ISAC) recommend the following cybersecurity measures:

Strengthen account security:

  • Use long, unique passwords for all accounts.
  • Enable multifactor authentication (MFA), especially for webmail, virtual private networks (VPNs), and systems with critical access.

Implement a robust backup and recovery plan:

  • Maintain multiple copies of critical data in secure, segmented locations such as external hard drives, cloud storage, or offline backups.
  • Encrypt and regularly test backups to ensure data integrity.

Keep systems updated:

  • Ensure all operating systems, software, and firmware are regularly updated and patched.
  • Prioritise patching vulnerabilities in internet-facing systems.

Enhance network security:

  • Segment networks to limit lateral movement of ransomware.
  • Use network monitoring tools to detect abnormal activity and prevent unauthorized access.
  • Require VPNs or jump hosts for remote access.
  • Filter network traffic to prevent unknown or untrusted sources from accessing critical systems.

Restrict privileged access:

  • Audit and limit administrative privileges based on the principle of least privilege.
  • Disable command-line and scripting activities where possible to prevent privilege escalation.
  • Monitor domain controllers, servers, and workstations for unauthorized accounts.

Implement security controls:

  • Disable unused ports and restrict unauthorised scanning attempts.
  • Use endpoint detection and response (EDR) tools to monitor and log network traffic for unusual activity.

Government advisory and further steps

The FBI and CISA released a detailed cybersecurity advisory (AA25-071A) on March 12, 2025, outlining the technical aspects of Medusa’s operations and the necessary protective measures. Organisations are encouraged to consult CISA’s Cross-Sector Cybersecurity Performance Goals (CPGs) for a comprehensive framework to enhance their cybersecurity posture.
