Why Medusa ransomware is a growing threat to critical infrastructure
Medusa has always been something more than a monster.
In ancient myth, her gaze turned men to stone. During the Renaissance, she was a symbol of beauty turned deadly. More recently, she has been reclaimed as a figure of transformation, showing up in fashion, pop culture, and symbols of empowerment.
Now she's back, not in marble or myth, but in malware. The Medusa ransomware-as-a-service (RaaS) operation, active since June 2021, is ramping up attacks against critical infrastructure around the world. Targeted sectors include the medical, education, legal, insurance, technology, and manufacturing industries.
In the first two months of 2025, the number of Medusa ransomware attacks doubled compared to the same period in 2024, a sharp rise that signals Medusa is accelerating, not fading.

In myth, looking at Medusa meant death. In cybersecurity, failing to see her can threaten power, water, transport, financial systems, and public trust — the infrastructure that keeps the world running.
A joint warning from CISA and the FBI
In March 2025, CISA, the FBI, and MS-ISAC issued a joint advisory: #StopRansomware: Medusa Ransomware.
As of February 2025, more than 300 organizations had already fallen victim, including hospitals, financial institutions, schools, and government services.
The agencies have advised these urgent steps:
- Ensure operating systems, software, and firmware are patched and up to date.
- Segment networks to restrict lateral movement.
- Filter network traffic so that remote services (RDP, WinRM, VPN and remote-management consoles) accept connections only from known, trusted origins.
Ransomware is now a national risk
Ransomware wasn’t always this dangerous. In 1989, the first known ransomware attack — known as the AIDS Trojan — was delivered by floppy disk and demanded $189 by mail.
Today, according to Illumio's Global Cost of Ransomware Study:
- 25% of critical systems go down during an attack, for an average of 12 hours.
- Average ransom demands exceed $1.2 million.
- Even after payment, only 13% of victims recover all their data.
- Containment takes over 130 hours (more than five full days of effort) and nearly 18 people.
Ransomware isn't just a cyber threat. It's a drain on time, money, and resilience. And when it hits critical infrastructure, the consequences can include financial ruin, danger to the public, and even the destabilization of governments.
Why critical infrastructure is so exposed
Critical infrastructure is a magnet for ransomware for an important reason: it matters.
“Critical infrastructure is essential by nature — if you knock it out, the ripple effect is enormous,” says Trevor Dearing, Illumio’s critical infrastructure solutions director. “The real threat to critical services is when operations stop — when electricity, water, or transport systems are knocked offline. That’s when things get truly dangerous.”
From power grids to pipelines, society’s backbone often runs on outdated, unpatchable technology — especially legacy ICS and SCADA systems.
Michael Adjei, Illumio’s director of systems engineering for EMEA, agrees.
“These systems are hard to update and easy for attackers to exploit,” he says. “That makes them ideal targets for ransomware like Medusa.”
Even as modernization picks up pace, security is often left behind in the world of critical infrastructure.
“Hardwired control systems are being replaced by Ethernet and Wi-Fi without fully considering the security implications,” Dearing says. “And many manufacturers ship equipment with weak default security — then limit what organizations can do to harden it.”
Many critical infrastructure organizations are publicly owned or depend on national funding. This means slow procurement, complex oversight, and limited budgets. In other words, it's a massive, under-defended target.
How serious could an attack on critical infrastructure get?
In 2023, 11 of the 15 most common vulnerabilities were exploited as zero-day flaws, according to a joint report from CISA and the NSA. The speed and scale of exploitation show just how quickly attackers are moving to weaponize flaws before defenders can patch them — especially in critical systems. As ransomware tactics evolve, attackers can turn minor vulnerabilities into major threats — with the potential to destabilize critical infrastructure and disrupt essential services.
Ransomware built for the hybrid age
Medusa doesn't rely on zero-day vulnerabilities or noisy exploits. It moves quietly, favouring known but unpatched flaws and legitimate tooling, and it's built for hybrid environments, where cloud apps connect to on-premises data centers.
Medusa avoids detection by using tools already inside your network, a technique known as living off the land (LotL). Rather than dropping custom malware at every stage, it abuses built-in programs and exploits existing vulnerabilities so that its activity blends in with normal administration.
These could include:
- PowerShell
- Windows Management Instrumentation (WMI)
- Remote Desktop Protocol (RDP)
- ConnectWise ScreenConnect
- SSH (on Linux and Unix systems)
“These tools are allowed, trusted, and already have the access attackers want,” Adjei says. “It’s less about the tool and more about its privilege and reach.”
Remote monitoring and management (RMM) software like ScreenConnect or SolarWinds is especially attractive because it comes pre-approved. Designed to connect, monitor, and control at scale, it becomes a force multiplier in the wrong hands, giving attackers immediate reach across systems.
And when ransomware behaves like IT, it may not raise alarms.
As Adjei puts it: “Modern ransomware doesn’t come crashing through the front door — it blends in like a spy.”
Lateral movement: how Medusa spreads
Attackers land where it’s easy — not where they want to be. Then they move silently across the network, system by system, until they reach the crown jewels.
There are two types of lateral movement:
- Host-intrinsic: escalating privileges within a single system (e.g., svc-ndscans)
- Host-extrinsic: moving between machines over remote-access channels such as RDP or WinRM
In a typical Medusa attack, both types work together. First, the attackers gain control of one device and raise their privileges on it. Then they use the credentials and access they have collected there to quietly fan out across the network.
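Both the living-off-the-land tools listed above and the host-extrinsic hops described here leave the same trace: successful remote logons on the destination hosts. The script below is an added example for this article (not Illumio's code and not derived from any Medusa sample). It reads flattened Windows Security event 4624 records and flags an account that reaches several distinct hosts over RDP (LogonType 10) or a network logon (LogonType 3, the type WinRM, SMB and remote WMI produce) within a short window. The event lines, host names, account names and the `key=value` line format are all constructed for the demonstration.

```python
"""Lateral-movement triage over Windows logon events (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Logon types that correspond to the remote-access tools the article lists.
# 3 = network logon (WinRM, SMB, remote WMI), 10 = RemoteInteractive (RDP).
REMOTE_LOGON_TYPES = {3: "network (WinRM/SMB/WMI)", 10: "RemoteInteractive (RDP)"}


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    target_host: str   # computer that recorded the 4624 (the hop destination)
    account: str       # TargetUserName
    logon_type: int    # LogonType
    source_ip: str     # IpAddress (where the logon came from)


def parse_event(line: str) -> LogonEvent:
    """Parse one constructed 'key=value' line standing in for a 4624 record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return LogonEvent(
        ts=datetime.fromisoformat(fields["ts"]),
        target_host=fields["host"].upper(),
        account=fields["user"].lower(),
        logon_type=int(fields["type"]),
        source_ip=fields["src"],
    )


def find_lateral_chains(events, min_hosts=3, window=timedelta(minutes=30)):
    """Return {account: [hosts in order reached]} for every account that logged
    on remotely to at least `min_hosts` distinct hosts inside one `window`."""
    by_account = defaultdict(list)
    for e in events:
        if e.logon_type in REMOTE_LOGON_TYPES:
            by_account[e.account].append(e)

    hits = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):          # slide the window over each start event
            hosts = []
            for e in evs[i:]:
                if e.ts - start.ts > window:
                    break
                if e.target_host not in hosts:
                    hosts.append(e.target_host)
            if len(hosts) >= min_hosts:
                hits[account] = hosts
                break
    return hits


# Constructed sample: a service account fanning out across four hosts in
# under ten minutes, alongside benign interactive and single-host RDP logons.
SAMPLE_EVENTS = [
    "ts=2025-03-01T02:10:05 host=FS01 user=svc-backup type=10 src=10.0.5.21",
    "ts=2025-03-01T02:12:40 host=FS02 user=svc-backup type=3 src=10.0.5.30",
    "ts=2025-03-01T02:15:12 host=DC01 user=svc-backup type=3 src=10.0.5.31",
    "ts=2025-03-01T02:18:50 host=SQL01 user=svc-backup type=10 src=10.0.5.32",
    "ts=2025-03-01T09:00:00 host=WS17 user=alice type=2 src=-",
    "ts=2025-03-01T09:05:00 host=FS01 user=bob type=10 src=10.0.9.4",
]


def triage(lines=SAMPLE_EVENTS):
    return find_lateral_chains([parse_event(line) for line in lines])


if __name__ == "__main__":
    for account, hosts in triage().items():
        print(f"{account}: {' -> '.join(hosts)}")
```

In production the same logic runs over 4624 events collected centrally (Windows Event Forwarding or a SIEM); the thresholds are deliberately conservative so that a single admin session on one jump host does not fire, while a credential being replayed across file servers and a domain controller does.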

Data exfiltration and double extortion
Medusa also uses double extortion: encrypting data and exfiltrating it — demanding ransom for recovery and for a promise that stolen data won’t be published, sold, or leaked online or on the dark web.
Before the encryption run, attackers locate and steal sensitive data, sending it back to servers they control. This callback traffic can be tunneled through commonly allowed protocols, using techniques such as DNS TXT queries or ICMP packets, methods designed to slip past traditional perimeter defenses unnoticed.
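DNS tunnelling of the kind mentioned above has two cheap tells in resolver logs: a burst of TXT queries from one client to one domain, and long, high-entropy subdomain labels carrying the encoded payload. The script below is an added example for this article (not Illumio's code and not a Medusa artefact) that scores each client/domain pair on both signals over constructed resolver log lines; the log format, client addresses and the `cdn-metrics-sync.net` domain are invented for the demonstration, and the hex "chunks" merely stand in for encoded stolen data.

```python
"""DNS-exfiltration triage over resolver query logs (added example)."""
import hashlib
import math
from collections import defaultdict
from datetime import datetime, timedelta


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or encrypted data scores high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude eTLD+1 (last two labels). Real code should use the public suffix list."""
    return ".".join(qname.split(".")[-2:])


def parse_query(line: str):
    """Constructed log format: '<iso-timestamp> <client-ip> <qtype> <qname>'."""
    ts, client, qtype, qname = line.split()
    return datetime.fromisoformat(ts), client, qtype.upper(), qname.rstrip(".").lower()


def score_dns(lines, txt_rate=20, window=timedelta(minutes=5),
              label_len=40, entropy_min=3.0):
    """Return {(client, domain): [reasons]} for pairs that look like a DNS tunnel."""
    per_pair = defaultdict(lambda: {"txt_times": [], "odd_labels": 0})
    for line in lines:
        ts, client, qtype, qname = parse_query(line)
        domain = registered_domain(qname)
        entry = per_pair[(client, domain)]
        if qtype == "TXT":
            entry["txt_times"].append(ts)
        # Inspect only the subdomain part; the registered domain itself is not payload.
        for label in qname[: -len(domain)].split("."):
            if len(label) >= label_len and shannon_entropy(label) >= entropy_min:
                entry["odd_labels"] += 1

    findings = {}
    for pair, entry in per_pair.items():
        reasons = []
        times = sorted(entry["txt_times"])
        # Sliding window: any `txt_rate` TXT queries inside one `window`.
        for i in range(len(times) - txt_rate + 1):
            if times[i + txt_rate - 1] - times[i] <= window:
                reasons.append(f"{txt_rate}+ TXT queries within {window}")
                break
        if entry["odd_labels"]:
            reasons.append(f"{entry['odd_labels']} long high-entropy labels")
        if reasons:
            findings[pair] = reasons
    return findings


def _chunk(i: int) -> str:
    """Constructed stand-in for one encoded slice of stolen data (not real data)."""
    return hashlib.sha256(f"chunk-{i}".encode()).hexdigest()[:48]


# Constructed sample: 25 TXT queries in under three minutes from one client to
# an invented domain, mixed with ordinary lookups from another client.
SAMPLE_QUERIES = (
    [f"2025-03-01T02:2{i // 10}:{i % 10 * 6:02d} 10.0.5.21 TXT {_chunk(i)}.t.cdn-metrics-sync.net"
     for i in range(25)]
    + [
        "2025-03-01T02:20:15 10.0.9.4 A www.example.org",
        "2025-03-01T02:21:00 10.0.9.4 AAAA mail.example.org",
        "2025-03-01T02:22:30 10.0.9.4 TXT _dmarc.example.org",
    ]
)


if __name__ == "__main__":
    for (client, domain), reasons in score_dns(SAMPLE_QUERIES).items():
        print(f"{client} -> {domain}: {'; '.join(reasons)}")
```

The TXT-rate and label-length thresholds are starting points, not constants: mail and anti-spam infrastructure legitimately issues TXT queries, and some CDNs use long hostnames, so tune both against a baseline of your own resolver logs before alerting on them. The same per-pair scoring shape applies to ICMP if you feed it packet sizes and payload entropy instead of query names.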

Don’t turn away from Medusa
For more on the scope, scale, and stakes of today’s ransomware threats:
- Watch our recent webinar, Ransomware by the Numbers
- Download the Global Cost of Ransomware Study