
Ransomware-As-A-Service Variants on the Rise With Critical Infrastructure Providers at the Greatest Risk
25 March 2025

By AJ Thompson, CCO at IT Consultancy Northdoor plc
Public sector organisations need to look to third-party IT consultants who can help them to protect sensitive data
The FBI has issued an urgent warning to Microsoft Outlook and Gmail users to beware of a new ransomware-as-a-service (RaaS) programme that has been extorting sensitive data. The Medusa variant has been around since 2021 and uses extremely aggressive double extortion tactics. More recently the Medusa ransomware gang has targeted more than 300 critical infrastructure organisations, including hospitals, schools and influential firms, using phishing scams and targeting vulnerable software.
In January 2025, Gateshead Council suffered an attack by Medusa and in February, attackers claimed to have stolen 2.275 terabytes of data from HCRG Care Group, formerly Virgin Care. Medusa threatened to sell the stolen information for £1.54m or delete the data for the same fee.
Medusa is now the third-largest ransomware variant and it is still growing. Medusa uses imitation emails and websites to infiltrate systems, locking crucial files and making duplicates. Medusa’s ransoms are tailored to a victim’s profile and the ransomware gang uses its blog on the dark web to auction the stolen data, putting pressure on its victims to pay up.
Stolen data is often leaked to multiple locations, so cybersecurity professionals cannot simply monitor Medusa’s data-leak website on the dark web. This, coupled with Medusa’s ability to cripple infrastructure, means it is a particularly dangerous threat to the public sector, with ransom demands ranging anywhere from £77,000 to £1.5m.
Another issue facing the public sector is Bring Your Own Device (BYOD) policies. More people than ever are using their personal phones and tablets for work and this means that they will potentially encounter phishing attacks. IT and security teams have significantly less visibility into these devices than they do into corporate-owned devices, meaning it is harder to manage these increased risks.
It is with these factors in mind that cybercriminals target users’ personal devices in order to infiltrate organisations, with employees potentially falling victim to phishing attacks from personal channels and social media.
To protect against the Medusa variant, security experts and government officials have recommended implementing a two-step authentication process that sends a text code which must be entered before email can be accessed. It has also been suggested that users should remove sensitive data from Gmail accounts, print hard copies of important documents and maintain spam filters to prevent harmful phishing emails from reaching their inboxes.
AJ Thompson, CCO at Northdoor plc, explains: “Vigilance around critical infrastructure in the public sector in 2025 and beyond will be crucial. The nature of RaaS, where ransomware tools can be outsourced to other cybercriminals, means that it is difficult for cybersecurity experts to pinpoint where cybercriminals are operating in order to mitigate attacks.
“Cybercriminals can also adapt and overcome most security measures if these measures are not continuously updated. Unpatched systems, poor web-coding, configuration mistakes, shadow IT and BYOD policies are all high-impact issues which are currently affecting the public sector.
“Public sector organisations need to look to third-party IT consultants who can help them to protect sensitive data and critical infrastructure. Third-party IT consultants can isolate critical systems with network segmentation, to prevent cyber criminals moving across networks. Third-party IT consultants can also back-up data and critical information with fixed storage that can’t be edited or altered and can prevent malicious attempts at encryption.
“Public sector organisations should look to deploy endpoint and network monitoring that provides visibility for IT security teams and tracks the health and status of devices; this is especially important for remote desktop access tools. Third-party IT consultants can also mitigate risks by ensuring that networks are patched and up-to-date within a risk-based timeframe,” concluded Thompson.
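As an added illustration of the "risk-based timeframe" for patching mentioned above, and of why remote desktop access tools deserve extra attention, the following script flags outstanding patches that have overrun a deadline derived from their severity. It is example code written for this page, not Northdoor's or the article's own tooling; the SLA values, the shorter window for hosts exposing remote desktop services, and all hostnames and patch identifiers are constructed assumptions.

```python
"""Risk-based patch SLA check (added example; all data and policy values are assumptions)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: maximum days allowed between a patch's release and its
# deployment, keyed by vendor severity. Values are illustrative, not a standard.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}

# Assumption: hosts that expose remote desktop tooling get half the usual window,
# reflecting the article's point that such tools need closer attention.
REMOTE_DESKTOP_FACTOR = 0.5


@dataclass(frozen=True)
class PendingPatch:
    host: str
    patch_id: str          # constructed placeholder, not a real KB/CVE number
    severity: str
    released: date         # date the vendor made the patch available
    exposes_remote_desktop: bool = False


def deadline_for(p: PendingPatch) -> date:
    """Deadline by which this patch should be deployed under the assumed policy."""
    # Unknown severities are treated as critical so a missing label never relaxes the SLA.
    days = SLA_DAYS.get(p.severity.lower(), SLA_DAYS["critical"])
    if p.exposes_remote_desktop:
        days = max(1, int(days * REMOTE_DESKTOP_FACTOR))
    return p.released + timedelta(days=days)


def overdue(patches, today_iso: str):
    """Return (host, patch_id, days_late) for patches past deadline, most overdue first."""
    today = date.fromisoformat(today_iso)
    late = []
    for p in patches:
        days_late = (today - deadline_for(p)).days
        if days_late > 0:
            late.append((p.host, p.patch_id, days_late))
    late.sort(key=lambda item: item[2], reverse=True)
    return late


# Constructed sample inventory of hosts with patches still outstanding.
SAMPLE = [
    PendingPatch("rdp-gw-01", "PATCH-EXAMPLE-1", "high", date(2025, 3, 1), True),
    PendingPatch("file-srv-02", "PATCH-EXAMPLE-2", "critical", date(2025, 3, 10)),
    PendingPatch("ws-0451", "PATCH-EXAMPLE-3", "medium", date(2025, 3, 5)),
    PendingPatch("mail-relay", "PATCH-EXAMPLE-4", "low", date(2025, 1, 1)),
]

if __name__ == "__main__":
    for host, patch_id, days_late in overdue(SAMPLE, "2025-03-25"):
        print(f"{host}: {patch_id} overdue by {days_late} day(s)")
```

Run against the sample on 25 March 2025, the remote desktop gateway is reported first: its "high" patch would normally have a 14-day window, but the halved window puts its deadline at 8 March, so it is further overdue than the critical patch on the file server. The two hosts still inside their windows are not listed, which is the point of a risk-based schedule: effort goes to the exposures that matter most rather than to every missing patch equally.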
