
Who Is Medusa? The Ransomware Gang Targeting Gmail, Outlook, and VPN Users

By Kurt Robson
Edited by Samantha Dunn

Key Takeaways

  • Medusa, a ransomware-as-a-service group, has begun targeting users of Gmail, Outlook, and VPNs.
  • The ransomware group has carried out numerous high-profile attacks since its inception in late 2022.
  • The Medusa gang focuses on extortion through its dark web forum.

The FBI has issued a warning that Medusa, the ransomware extortion group, is now targeting Gmail, Outlook, and virtual private network (VPN) users.

The ransomware group carried out tens of attacks in 2025, including one targeting HCRG, a British health and social services provider.

Medusa’s aggressive extortion strategies and subsequent spreading of sensitive data have made the group’s actions increasingly concerning for large organizations.

FBI Issues Warning for Gmail, Outlook and VPN Users

On March 12, the Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency urged users to enable two-factor authentication for all devices, particularly for accounts on Outlook, Gmail, and virtual private networks (VPNs).

According to a blog post from cybersecurity firm Symantec, the Medusa ransomware is reportedly operated as a ransomware-as-a-service by a group named Spearwing.

“Like the majority of ransomware operators, Spearwing and its affiliates carry out double extortion attacks, stealing victims’ data before encrypting networks in order to increase the pressure on victims to pay a ransom,” Symantec said.

“If victims refuse to pay, the group threatens to publish the stolen data on their data leaks site.”

The FBI previously urged ransomware victims not to pay any ransom demanded from hackers.

“Paying a ransom doesn’t guarantee you or your organization will get any data back,” the agency wrote in a blog post. “It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”

According to the agencies, as of February 2025, Medusa developers had impacted over 300 victims from various critical infrastructure sectors, including medical, education, and technology.

Who Is Medusa?

Medusa is a ransomware-as-a-service (RaaS) group that emerged in late 2022 and began gaining notoriety in early 2023.

The hacking group primarily infiltrates Windows-based systems, often through unpatched vulnerabilities or compromised accounts obtained by initial access brokers.

Once inside a network, the group employs Living Off The Land (LOTL) techniques, which utilize legitimate tools within the victim’s environment for malicious purposes, according to cybersecurity firm Darktrace.

For example, some Windows applications can be used to steal data while blending in with routine network administration tasks.

Since the activities involve trusted system tools, they often evade traditional security solutions that focus on identifying known malware signatures.

“As part of their multi-extortion strategy, this group will provide victims with multiple options when their data is posted on their leak site, such as time extension, data deletion or download of all the data,” Palo Alto Networks Unit 42 researchers Anthony Galiette and Doel Santos said in a 2024 report.

“All of these options have a price tag depending on the organization impacted by this group,” they added.

Medusa Targets U.K. Health Provider

In February, the Medusa group claimed to have acquired 2.275 TB of stolen sensitive data from HCRG.

Medusa said it would delete the information for $2 million, sell it to a buyer, or leak it online if it did not receive its money.

The ransomware group said it would extend the deadline for an additional $10,000 per day.

In a statement to CCN at the time, an HCRG spokesperson said: “We can confirm that we are currently investigating an IT security incident and have recently identified a post on the dark web by a group claiming responsibility.

“Our services are continuing to operate and safely see patients, and those with appointments or who need to access our services should continue to do so,” the spokesperson added.

HCRG has not publicly disclosed the breach on its website.

Medusa Extortion Blog

In early 2023, the Medusa gang began focusing on extortion by deploying its dark web forum, The Medusa Blog.

This platform serves as a public forum where the group exposes sensitive data exfiltrated from victims who refuse to comply with their ransom demands.

The Medusa Blog features a countdown and three choices | Credit: Comparitech, X

The blog is a central component of Medusa’s multi-extortion strategy, providing victims with a countdown and their choices.

Unit 42 analysts also reported finding a Telegram group being used to publicize and release data stolen by Medusa.

The cybersecurity firm said Medusa primarily targets five sectors: technology, retail, manufacturing, education, and healthcare.

High-Profile Attacks

Since its inception in late 2022, Medusa has led numerous high-profile attacks on large organizations.

In March 2023, Medusa published 100GB of sensitive information from the Minneapolis Public School District.

The school district, which enrolls over 30,000 pupils, refused to pay the $1 million ransom to the group after falling victim to a massive ransomware attack in February 2023.

According to NBC, many of the files appeared to include sensitive documents, allegations of teacher abuse, and students’ psychological reports.

In January 2025, Medusa published stolen data from Gateshead Council in the U.K. after asking for a $600,000 ransom.

The council refused to pay the fee, and HCRG will likely do the same.

According to Cybereason’s Ransomware: The Cost to Business Study 2024, around four in five organizations that paid a ransom demand were attacked again, often by the same bad actor.

“This is problematic on several levels,” said Greg Day, Global Field CISO of Cybereason. “It’s no guarantee that attackers won’t sell your data on the black market, that you’ll even get your full files and systems back, or that you won’t be attacked again.”
