As of January 2026, over 500 organizations have fallen victim to the Medusa ransomware group. Healthcare is its hunting ground of choice. With triple-extortion tactics, million-dollar ransom demands, and a complete indifference to patient safety, Medusa has become one of the most dangerous ransomware-as-a-service operations on the planet. Here's how they operate, who they've hit, and why your hospital might be next.
Ransomware gangs have never had a moral compass, but Medusa seems to enjoy proving that point. While other groups at least pay lip service to avoiding hospitals — LockBit famously claimed it wouldn't target healthcare (it did anyway) — Medusa has made critical infrastructure a core part of its business model from day one. The joint advisory from CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) published in March 2025 confirmed what the security community already knew: Medusa is prolific, sophisticated, and relentless.
What Is Medusa and Where Did It Come From?
Medusa first appeared in June 2021 as a closed ransomware operation — meaning the developers handled everything from initial access to ransom negotiation. By 2023, the group had transitioned to a full ransomware-as-a-service (RaaS) model, recruiting affiliates to broaden its reach while keeping ransom negotiations centralized under the core team. This hybrid approach is unusual. Most RaaS operations hand the entire workflow off to affiliates, but Medusa's developers maintain control of the money conversation. That tells you something about how tightly they run their operation.
The group is tracked by Symantec's Threat Hunter Team under the name "Spearwing." According to their analysis published in early 2025, Medusa attacks jumped 42% between 2023 and 2024, and the first two months of 2025 saw almost double the attack volume compared to the same period in 2024. By January 2026, Darktrace confirmed that more than 500 organizations had fallen victim to Medusa across EMEA, the Americas, and Asia-Pacific.
Medusa ransomware is not MedusaLocker (a separate, older ransomware variant), the Medusa Android banking trojan, or the Medusa botnet/stealer. The groups are unrelated. Medusa ransomware appends the .MEDUSA extension to encrypted files and drops a ransom note named !!!READ_ME_MEDUSA!!!.txt.
Evidence strongly suggests Medusa operates out of Russia or an allied CIS state. The group avoids targeting organizations within Russia and the Commonwealth of Independent States, and its operators are active on Russian-language dark web forums like RAMP. None of this is surprising, but it functionally puts the group's leadership beyond the reach of Western law enforcement.
Why Healthcare Is Medusa's Favorite Target
Healthcare organizations are ideal ransomware targets for a simple, brutal reason: they cannot afford downtime. When a hospital's systems go dark, surgeries get delayed, ambulances get diverted, and patient records become inaccessible. The pressure to pay is immense and immediate. Medusa knows this.
"This well-known foreign ransomware group has conducted high impact ransomware attacks against hospitals, resulting in disruption and delay to health care delivery and posing a risk to patient and community safety." — John Riggi, National Advisor for Cybersecurity and Risk, American Hospital Association (AHA), March 2025
The numbers paint a grim picture. According to Comparitech's year-end healthcare ransomware roundup for 2025, a total of 293 ransomware attacks hit hospitals, clinics, and direct care providers in the first nine months of the year alone. An additional 130 attacks targeted healthcare businesses like pharmaceutical manufacturers and medical billing companies — a 30% increase over the same period in 2024. Medusa was consistently among the top five most active strains, with Comparitech confirming 18 claims and 12 confirmed attacks against healthcare providers across the full year.
The average ransom demand across healthcare attacks in 2025 was $660,000, but Medusa routinely pushes higher. The group's demands have ranged from $100,000 to a staggering $15 million, depending on the perceived ability of the victim to pay.
The Attack Chain: How Medusa Gets In and Locks You Out
Medusa's initial access strategy is pragmatic and well-resourced. According to both the CISA advisory and Darktrace's January 2026 analysis, the group primarily gains access by purchasing credentials and compromised devices from Initial Access Brokers (IABs). These brokers do the grunt work — phishing campaigns, credential stuffing, brute-force attacks — and then sell the resulting access on dark web marketplaces. Medusa also directly exploits unpatched vulnerabilities in public-facing applications, with Microsoft Exchange Servers being a primary target.
Once inside, the attack chain follows a consistent playbook that Symantec notes has remained largely stable since early 2023, suggesting a small, disciplined affiliate pool operating from a shared tactical manual:
- Persistence via RMM tools: Medusa deploys legitimate remote monitoring and management software — SimpleHelp, AnyDesk, and MeshAgent are favorites — to maintain access and blend in with normal IT operations.
- Defense evasion with BYOVD: The group uses Bring Your Own Vulnerable Driver (BYOVD) attacks, deploying signed but vulnerable drivers to the target network and exploiting them to disable endpoint security software. This technique has become increasingly common across ransomware operations over the past two years.
- Lateral movement: Using RDP, SMB, and the RMM tools already deployed, Medusa operators traverse the network, escalating privileges and identifying high-value targets for data theft.
- Data exfiltration: Before encryption, Medusa systematically steals sensitive data. In healthcare environments, this means patient records, insurance details, financial information, and employee credentials.
- Encryption: The Medusa payload encrypts files with the .MEDUSA extension and drops its ransom note. Victims get 10 days to pay, with an option to extend the deadline for an additional $10,000 per day.
Medusa can delete itself from victim machines after the ransomware payload executes, destroying forensic evidence and making it significantly harder for incident responders to determine the attack's origin and full scope.
The Body Count: Major Healthcare Breaches
Medusa's healthcare victim list reads like a horror novel. Here are the most significant confirmed incidents:
SimonMed Imaging — 1.27 Million Records Breached
In January 2025, Medusa hit SimonMed Imaging, a major Arizona-based medical imaging provider, with a $1 million ransom demand after allegedly stealing over 212 GB of data. The breach originated through a third-party vendor, and SimonMed eventually confirmed that 1,275,669 individuals had their data compromised, including medical record numbers, diagnoses, treatment information, insurance details, and driver's license numbers.
"The SimonMed breach illustrates the perfect storm we often fear in healthcare cybersecurity: a long dwell time, a wide scope of compromised data, and a ransomware group bold enough to publicize both the theft and ransom demand." — Ensar Seker, CISO, SOCRadar, October 2025
HCRG Care Group — $2 Million Demand
In February 2025, Medusa targeted HCRG Care Group, one of the UK's largest independent healthcare providers, demanding $2 million and claiming to have stolen nearly 2.3 TB of data. HCRG took the unusual step of seeking a legal injunction against Medusa to prevent the data from being published — an innovative legal tactic, though its practical effectiveness against a criminal gang operating from a hostile nation-state is debatable.
Bell Ambulance — $400,000 Demand
Medusa went after Bell Ambulance, a Wisconsin-based ambulance provider, in mid-February 2025. The group claimed to have stolen 212 GB of data and demanded $400,000 for its return. When your target is a company that transports critically ill patients, you're telling the world exactly how much human life factors into your business calculus: zero.
U.S. Healthcare Organization — Hundreds of Machines Encrypted
Symantec's Threat Hunter Team investigated a Medusa attack on an unnamed U.S. healthcare organization in January 2025 where the group infected several hundred machines. The attackers had been on the network for four days before deploying the ransomware payload, staging tools for persistence, lateral movement, and defense impairment under the documents folder of compromised systems.
Triple Extortion: Encrypt, Leak, Harass
Most modern ransomware groups use double extortion: encrypt the data and threaten to leak it. Medusa goes further. Darktrace's January 2026 analysis confirmed that the group employs triple extortion tactics, adding a third pressure lever: directly contacting the victim's customers, patients, or partners, and in some cases launching DDoS attacks against organizations that refuse to pay.
In healthcare, this is particularly devastating. Imagine not only having your hospital's systems encrypted and patient data stolen, but having Medusa contact your patients directly to inform them their medical records are about to be published. The reputational damage alone can be catastrophic, and the legal exposure under HIPAA and state data breach notification laws creates enormous financial liability.
"Ransomware gangs like Medusa don't just encrypt — they extract leverage. The exfiltration and exposure of patient data amplifies the damage and urgency." — Ensar Seker, CISO, SOCRadar, October 2025
Medusa's leak site operates on the Tor network, where victims are publicly listed with countdown timers showing when their data will be published. The group also offers a secondary "service" to victims: for $10,000 per day, the countdown timer can be extended. It's extortion layered on top of extortion, and it's working.
Defense: What Healthcare Organizations Must Do Now
The CISA/FBI/MS-ISAC joint advisory from March 2025 provided specific mitigations, and every one of them is relevant today. But let's be blunt: if your healthcare organization hasn't already implemented these, you're overdue.
- Patch public-facing applications immediately. Medusa's operators exploit known vulnerabilities in Exchange, VPNs, and web-facing portals. If your organization runs unpatched Exchange Servers, you're essentially advertising a vacancy on a dark web IAB marketplace.
- Disable unnecessary command-line and scripting tools. The CISA advisory specifically recommended disabling command-line and scripting activities to limit living-off-the-land (LotL) techniques. As the advisory states: "Privilege escalation and lateral movement often depend on software utilities running from the command line. If threat actors are not able to run these tools, they will have difficulty escalating privileges and/or moving laterally."
- Audit and restrict RMM tool usage. If your organization uses SimpleHelp, AnyDesk, or MeshAgent legitimately, ensure they're properly inventoried and monitored. If you don't use them, their presence on your network is a red flag.
- Implement network segmentation. Medusa's operators traverse networks laterally using RDP and SMB. Proper segmentation limits their blast radius even after initial compromise.
- Require phishing-resistant MFA everywhere. IABs feeding Medusa rely heavily on stolen credentials. Hardware security keys or FIDO2-based authentication dramatically reduce the value of compromised passwords.
- Monitor for BYOVD activity. Watch for the loading of known-vulnerable signed drivers. Maintain a blocklist and use driver block rules where possible.
- Maintain offline, tested backups. Medusa specifically targets backup infrastructure. If your backups aren't air-gapped and regularly tested for restoration, they're not backups — they're a false sense of security.
- Vet your third-party vendors. The SimonMed breach originated through a vendor. Your security is only as strong as the weakest link in your supply chain.
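The attack chain and the mitigation list above both boil down to a handful of observable events on the endpoint: an RMM agent that nobody approved, a signed driver that should never load, and the .MEDUSA extension or !!!READ_ME_MEDUSA!!!.txt note appearing on a file share. The following script is an added illustration, not code from the article, CISA, or any vendor: it triages a constructed batch of endpoint telemetry records against exactly those indicators. The host names, file paths, the single-product APPROVED_RMM allowlist, and the driver hashes in VULNERABLE_DRIVER_HASHES are all placeholders; a real deployment would feed it events exported from an EDR or SIEM and load the driver blocklist from its driver-block policy. Because the article notes that Medusa deletes itself after the payload runs, the design assumption is that this runs on telemetry already shipped off the host, not on artefacts recovered from it afterwards.

```python
"""Added example: triage endpoint telemetry for the Medusa indicators the
article names. Not the article's, CISA's or any vendor's code. All sample
values (hosts, paths, hashes, the approved-RMM list) are constructed."""
import ntpath  # handles both '\' and '/' separators regardless of platform
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

MEDUSA_EXTENSION = ".medusa"               # appended to encrypted files
MEDUSA_NOTE = "!!!read_me_medusa!!!.txt"   # ransom note filename

# RMM agents the article lists as Medusa favourites:
# substring of the executable name (lower-case) -> product name.
RMM_PROCESSES = {"simplehelp": "SimpleHelp", "anydesk": "AnyDesk", "meshagent": "MeshAgent"}

# ASSUMPTION (placeholder): the organisation sanctions exactly one RMM product.
APPROVED_RMM = {"AnyDesk"}

# PLACEHOLDER blocklist: constructed hash -> label. Real deployments load the
# known-vulnerable signed-driver hashes from their EDR or driver-block policy.
VULNERABLE_DRIVER_HASHES = {"aaaa" * 16: "PLACEHOLDER_vulnerable_driver.sys"}


@dataclass
class Event:
    kind: str          # "file_write" | "process_create" | "driver_load"
    host: str
    path: str          # file path, process image path, or driver path
    sha256: str = ""   # populated for driver_load events only


@dataclass
class Finding:
    host: str
    severity: str      # "high" (encryption/BYOVD) or "medium" (unapproved RMM)
    reason: str
    path: str


def classify(ev: Event) -> Optional[Finding]:
    """Map one telemetry record to a finding, or None if it is benign."""
    name = ntpath.basename(ev.path).lower()
    if ev.kind == "file_write":
        if name == MEDUSA_NOTE:
            return Finding(ev.host, "high", "Medusa ransom note dropped", ev.path)
        if name.endswith(MEDUSA_EXTENSION):
            return Finding(ev.host, "high", "file written with .MEDUSA extension", ev.path)
        return None
    if ev.kind == "process_create":
        for needle, product in RMM_PROCESSES.items():
            if needle in name:
                if product in APPROVED_RMM:
                    return None  # inventoried tool; still worth reconciling against the asset list
                return Finding(ev.host, "medium", f"unapproved RMM agent {product} started", ev.path)
        return None
    if ev.kind == "driver_load":
        if ev.sha256.lower() in VULNERABLE_DRIVER_HASHES:
            return Finding(ev.host, "high", "known-vulnerable signed driver loaded (possible BYOVD)", ev.path)
        return None
    return None


def triage(events: Iterable[Event]) -> List[Finding]:
    """Run every record through classify() and keep the hits."""
    return [f for f in (classify(e) for e in events) if f is not None]


def hosts_to_isolate(findings: Iterable[Finding]) -> Set[str]:
    """Hosts with any high-severity finding are candidates for immediate isolation."""
    return {f.host for f in findings if f.severity == "high"}


# Constructed sample telemetry: an RMM agent staged under a user's Documents
# folder (the staging location Symantec observed), a driver load from Temp,
# and encryption artefacts landing on an imaging file share.
SAMPLE_EVENTS = [
    Event("process_create", "WS-RADIOLOGY-07", r"C:\Users\tech\Documents\MeshAgent.exe"),
    Event("process_create", "WS-RADIOLOGY-07", r"C:\Program Files\AnyDesk\AnyDesk.exe"),
    Event("driver_load", "WS-RADIOLOGY-07", r"C:\Windows\Temp\drv.sys", sha256="aaaa" * 16),
    Event("file_write", "FS-PACS-01", r"\\FS-PACS-01\imaging\study_2041.dcm.MEDUSA"),
    Event("file_write", "FS-PACS-01", r"\\FS-PACS-01\imaging\!!!READ_ME_MEDUSA!!!.txt"),
    Event("file_write", "WS-BILLING-12", r"C:\Users\clerk\invoice.xlsx"),
    Event("driver_load", "WS-BILLING-12", r"C:\Windows\System32\drivers\disk.sys", sha256="bbbb" * 16),
]

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.severity.upper()}] {f.host}: {f.reason} ({f.path})")
    print("isolate:", sorted(hosts_to_isolate(found)))
```

On the constructed sample the script raises four findings (one medium for the unapproved MeshAgent, three high for the driver load, the .MEDUSA write and the ransom note) and nominates the two hosts carrying high-severity hits for isolation, while the sanctioned AnyDesk instance and the ordinary spreadsheet write pass through silently. The order of the checks mirrors the attack chain: the RMM and driver findings are the early, still-recoverable signals, and the file-write findings mean encryption has already begun.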
Key Takeaways
- Medusa is not slowing down: With over 500 confirmed victims as of January 2026 and a 42% year-over-year increase in activity, this group is accelerating, not retreating. The transition to a RaaS model has supercharged its reach.
- Healthcare is the primary target: Medusa deliberately targets organizations that cannot afford downtime, and healthcare sits at the top of that list. Patient safety is not a consideration for this group — it's leverage.
- Triple extortion changes the calculus: Encrypting data, threatening to leak it, and then directly harassing victims' patients and partners creates pressure from three directions simultaneously. Organizations need crisis communication plans, not just incident response playbooks.
- The supply chain is the attack surface: Multiple Medusa breaches originated through third-party vendors. Healthcare organizations must treat vendor security assessments as critical, ongoing requirements — not annual checkbox exercises.
- Basic hygiene still matters most: Patching, MFA, network segmentation, offline backups. None of this is new. But the organizations getting hit by Medusa are the ones that haven't done it. Every single mitigation in the CISA advisory exists because organizations keep failing at fundamentals.
Medusa ransomware is a case study in what happens when a sophisticated criminal enterprise targets an industry structurally incapable of tolerating disruption. Healthcare's combination of critical patient dependencies, sprawling vendor ecosystems, legacy technology, and regulatory pressure makes it the perfect victim. The group knows this, and they're building their entire operation around exploiting it. If your organization touches healthcare data in any capacity, treat Medusa as an active, ongoing threat — because it is.