Who are the hackers of Medusa, the ransomware group with dozens of attacks

After two years of relative silence the hacker group known as Medusa has returned to organizing ransomware attacks. Cybercriminals’ favorite victims appear to be mainly high-profile companies and institutions, with dozens of attacks carried out in recent months.

The first time we heard of Medusa was in 2021. After a series of threats, the group quickly disappeared from radar, but the cell was only dormant. According to BleepingComputer, Medusa is behind the recent attacks on Minneapolis Public Schools (MPS), a complex of public schools located in the Minneapolis School District.

According to various sources, cybercriminals decrypted the MPS archives demanding a $1 million ransom in exchange for the stolen database. Techradar reports that Medusa would have given March 17 as completed, a deadline beyond which, in the event of non-payment, the group threatens to disclose the stolen sensitive data.

Multiple hacking groups called Medusa

According to BleepingComputer around Medusa there would be some confusion. The portal reports that, thanks to some cases of homonymy, there are allegedly various groups of cybercriminals around who call themselves Medusa. Some examples are hackers MedusaLocker, a botnet called Medusa and malware of the same name for Android devices. These would have nothing to do with the aforementioned hacking group.

Medusa and MedusaLocker also differ in the ransom notes they leave. MedusaLocker usually releases its victims a .HTML file called How_to_back_fileswhile Medusa leaves a .TXT file called !!!READ_ME_MEDUSA!!!. Furthermore, Medusa encrypts files with the .MEDUSA extension, while MedusaLocker uses a wider variety of extensions.

The name of the criminal group is a clear reference to the mythological figure of Medusa, a woman capable of petrifying with a single glance.