Ransomware victims are being offered payment extension plans as groups ratchet up pressure

Ransomware mockup of a red neon motherboard with a floating triangular warning sign denoting danger
(Image credit: Getty Images)

Ransomware groups are pursuing a variety of different options to maximize the success of extortion attempts, according to new research, with some going as far as offering victims payment extension schemes. 

Analysis from Palo Alto Networks’ Unit 42 found that the Medusa group has started to provide victims with an expanded range of options once their data is first posted on its dedicated leak site, and is also leaking data via alternative platforms including public Telegram channels.

Victims are now able to pay to extend the timeframe after which their data will be leaked, with the standard fee listed at $10,000 in the report. Companies can also pay to have their data deleted before it’s published, or they can opt to download the data themselves. 

The exact fees being charged to victims has not been established, with Unit 42 analysts reporting to have observed the group negotiating with victims over the exact amounts. 

The new ‘choices’ offered by the Medusa group were unveiled on its dedicated dark web leak site, the ‘Medusa Blog’. Unit 42’s report noted the launch of the leak site in early 2023 was an early indicator of the group’s “marked escalation in its activities”. 

Other new flourishes to the site include a big countdown timer displaying how long organizations have before their stolen data is published, a view counter showing the number of visitors to the leak site, and tags revealing the name and a description of the victim.

These additions are all aimed at ratcheting up the pressure on victims to capitulate to the group’s demands, researchers said.

Ransomware gangs are on a PR push

Not to be confused with the similarly named MedusaLocker that has been available since 2019, the Medusa group’s RaaS platform has been active since late 2022, according to the report.

The gang rose to notoriety after a spate of attacks targeting Windows environments. 

In the summer of 2023 the group launched a huge ransomware attack on the Minneapolis Public School (MPS) District, where it leaked students’ psychological reports and abuse allegations after the MPS refused to pay the $1 million ransom.

Recently, the Medusa blog has added new promotional videos exhibiting stolen files from a compromised organization with the title ‘Medusa Media Team’, speculated to be specifically working on increasing the gang’s media coverage in the the report.


2023 ThreatLabz state of ransomware report

(Image credit: Zscaler)

Learn about what will shape future ransomware defense strategies


The introduction of the dedicated team tasked with managing the gang’s brand demonstrates it sees value in using public relations to amplify the impact of their leaks and ultimately add weight to their extortion demands.

Medusa’s new promotional push involves using other communication channels that are more easily accessible to further improve the reach of the group’s leaks.

The report highlighted the group’s use of a public Telegram channel labeled “information support” to publicize and release stolen data, allowing for exfiltrated data to be shared more easily by interested parties.

The Telegram channel was used to announce the release of the group’s new leak site but Unit 42 could not confirm if the channel’s owner was affiliated with the group.

Solomon Klappholz
Staff Writer

Solomon Klappholz is a Staff Writer at ITPro. He has experience writing about the technologies that facilitate industrial manufacturing which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.