Feds Issue Medusa Warning to Gmail, Outlook Users

Ransomware attackers use 'double extortion' model
Posted Mar 17, 2025 6:35 PM CDT
Medusa attackers use a "double extortion" model, authorities say.   (Getty Images/InnaFelker)

The FBI and the US Cybersecurity and Infrastructure Security Agency are urging users of email services including Gmail and Outlook to protect themselves from Medusa. The agencies say attackers using the ransomware variant have hit hundreds of companies across multiple industries, including critical infrastructure, using phishing techniques and exploiting software vulnerabilities to steal data, USA Today reports. According to security software firm Symantec, attacks involving Medusa are rising sharply, with hackers demanding ransoms anywhere between $100,000 and $15 million. CISA says its cybersecurity advisory is part of its ongoing Stop Ransomware campaign.

  • Spearwing. In a blog post earlier this month, Symantec said a group called Spearwing is behind the attacks. "Like the majority of ransomware operators, Spearwing and its affiliates carry out double extortion attacks, stealing victims' data before encrypting networks in order to increase the pressure on victims to pay a ransom," Symantec said. "If victims refuse to pay, the group threatens to publish the stolen data on their data leaks site."

  • Ransom demands. The CISA advisory says Medusa attackers used a "double extortion model," in which they "encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid," the AP reports. "Ransom demands are posted on the site, with direct hyperlinks to Medusa affiliated cryptocurrency wallets," the advisory says. "At this stage, Medusa concurrently advertises sale of the data to interested parties before the countdown timer ends. Victims can additionally pay $10,000 USD in cryptocurrency to add a day to the countdown timer."
  • Protection. The FBI and the CISA say people should protect themselves—and their employers—by checking for software updates and turning on two-factor authentication. Downloading data so it is still accessible in the event of a hack is also a good idea. The Washington Post advises using authenticator apps for text messages and checking email addresses and URLs for slight differences in spelling from their legitimate counterparts. Attackers have also been known to pose as people's colleagues in phone calls seeking account information.
  • If you've already clicked a dodgy link. Cybersecurity experts say that when people click infected links, it's a common reaction to ignore it and hope nothing happens, but damage can be limited if company IT teams are informed immediately. "Phishing emails are common, and it's tough to expect employees to get it right 100 percent of the time," the Post notes.