
CISA: Medusa ransomware hit over 300 critical infrastructure orgs
This ransomware operation surfaced four years ago, in January 2021, but the gang's activity only picked up two years later, in 2023, when it launched the Medusa Blog leak site to pressure victims into paying ransoms using stolen data as leverage.
Medusa was first introduced as a closed ransomware variant, where a single group of threat actors handled all development and operations. Although Medusa has since evolved into a Ransomware-as-a-Service (RaaS) operation and adopted an affiliate model, its developers continue to oversee essential operations, including ransom negotiations.
Since it emerged, the gang has claimed over 400 victims worldwide and gained media attention in March 2023 after claiming responsibility for an attack on the Minneapolis Public Schools (MPS) district and sharing a video of the stolen data.
The cybercrime group also leaked files allegedly stolen from Toyota Financial Services, a subsidiary of Toyota Motor Corporation, on its dark extortion portal in November 2023 after the company refused to pay an $8 million ransom demand and notified customers of a data breach.
One month ago, CISA and the FBI issued another joint alert warning that victims across over 70 countries and multiple industry sectors, including critical infrastructure, have been breached in Ghost ransomware attacks.