Users of popular email services such as Microsoft’s Outlook and Google’s Gmail could be subject to cyberattacks by Medusa, a ransomware cybercriminal business model that has affected more than 300 targets since February in a number of sectors, including technology, legal, medical, and manufacturing, the FBI said.
Medusa, which was first identified in June 2021, was spotted as recently as last month, according to an advisory released March 12 by the FBI, the Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center, The Hill reported Wednesday.
“Both Medusa developers and affiliates — referred to as ‘Medusa actors’ in this advisory — employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid,” the advisory stated.
Medusa developers typically recruit access brokers in marketplaces and cybercriminal forums, paying them between $100,000 and $1 million to work solely for a hacking organization, according to the advisory. Such brokers are known to use common techniques such as phishing campaigns or exploiting unpatched software vulnerabilities.
“The ransom note demands victims make contact within 48 hours via either a Tor browser-based live chat, or via Tox, an end-to-end encrypted instant-messaging platform,” the advisory stated. “If the victim does not respond to the ransom note, Medusa actors will reach out to them directly by phone or email.”
A victim was extorted three times in one case, The Hill reported, citing an FBI investigation. The victim was contacted by another Medusa actor who said that the main hacker stole the ransom amount and asked for another payment.
The advisory said users should protect all accounts with passwords, ideally longer passcodes that are changed often. Multifactor authentication should also be in place. Copies of sensitive data should be kept on hard drives, storage devices and in the cloud for recovery. Users should also have offline data backups that ideally are encrypted. The operating systems of devices should be kept up to date.
If users open phishing links or attachments, they should not ignore the incident, Ryan Kalember, chief strategy officer at the security firm Proofpoint, told The Washington Post on Monday.
“That is often the first reaction, and it is not ideal,” Kalember said. “When you fall for something, the attacker still has some window of time where they have to figure out what they’ve just got and whether it’s even worth taking advantage of.”
Michael Katz
Michael Katz is a Newsmax reporter with more than 30 years of experience reporting and editing on news, culture, and politics.