Medusa ransomware has posed a growing threat to companies worldwide since the beginning of 2025. Check Point warns of the increasing activity of this hacker group.
Over 300 companies from various industries, including technology, manufacturing, education and insurance, have already reported attacks. The US authorities are responding with recommendations to counter the threat.
Procedure of the Medusa hackers
The main route of infection for Medusa ransomware is targeted phishing campaigns. Cybercriminals use fake emails to steal credentials and infiltrate their victims’ systems. Once they have gained access, they take control of the company’s IT infrastructure.
The double-extortion strategy is particularly perfidious. The attackers rely on a dedicated data-leak website. This platform lists affected companies together with countdown timers indicating when the stolen data will be published. The website also contains information on the ransom demands and direct links to crypto wallets for payment.
Medusa offers affected companies the opportunity to buy an extension of the deadline for 10,000 US dollars in cryptocurrency. At the same time, the perpetrators threaten to sell the sensitive data on to third parties if payment is not made on time.
Protective measures against Medusa ransomware
To protect themselves against Medusa and similar ransomware attacks, companies should take the following measures:
- Improve phishing protection: Modern email security solutions help to identify and block suspicious messages at an early stage. This can prevent the main method of infection.
- Implement zero-day protection: AI-supported security technologies detect previously unknown phishing attempts and malicious attachments before they can cause any damage.
- Use email authentication: Verifying the identity of senders can reduce the risk of email spoofing, a common technique used to steal credentials.
- Increase employee awareness: Automated phishing simulations and targeted training help to raise awareness of cyber threats and increase the resilience of the workforce.
The threat of Medusa ransomware is not limited to the USA. Experience has shown that cyberattacks of this kind also spread to European companies. It is therefore essential that companies share security-relevant information with the authorities.
Marco Eggerling, Global CISO at Check Point Software Technologies, emphasizes: “Experience shows that malware active in the USA will sooner or later also be found in the systems of European companies. It is therefore all the more important for companies to share information with the relevant authorities and these in turn with the public. For companies, it is once again true that the threat from ransomware is primarily a threat from phishing. Email security measures should therefore no longer be optional, as they have become essential.”