Medusa attacks Northeast Ohio Neighborhood Health Services

Incident Date: April 20, 2024



Northeast Ohio Neighborhood Health Services




Cleveland, USA

Ohio, USA

First Reported: April 20, 2024

NEON Attacked by Medusa Ransomware Gang


Northeast Ohio Neighborhood Health Services (NEON) has been attacked by the ransomware gang Medusa. NEON is a Federally Qualified Health Center (FQHC) network of community health centers dedicated to improving access to health care and reducing health disparities in Greater Cleveland. Its mission is to provide quality, personalized, and family-oriented comprehensive healthcare services to Northeast Ohio residents at a reasonable cost, with professional, dedicated employees, while employing the most current healthcare practices that are responsive to community needs for the prevention and treatment of disease.

Medusa Ransomware

Medusa is a Ransomware-as-a-Service (RaaS) operation that emerged in the summer of 2021 and has become one of the more active RaaS platforms. Attack volumes were inconsistent in the first half of 2023, with a resurgence of activity in the latter half of the year. The attackers employ various tactics to avoid detection and hinder recovery, such as restarting infected machines in safe mode, deleting local backups, disabling startup recovery options, and deleting Volume Shadow Copy Service (VSS) shadow copies to prevent encryption rollback.
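The recovery-inhibition behaviours listed above can be hunted in process-creation logs. The following is an added example, not taken from this page or from any Medusa report: it matches each behaviour against command lines and escalates only hosts that show several distinct behaviours close together. The Windows utilities in the patterns, the host names and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# One rule per behaviour named in the paragraph above. The Windows utilities
# matched here are assumptions (stock tools for these actions), not page IoCs.
RULES = {
    "safe_mode_boot": r"bcdedit(\.exe)?\s.*/set\s.*safeboot",
    "startup_recovery_disabled": r"bcdedit(\.exe)?\s.*recoveryenabled\s+no\b",
    "shadow_copy_deletion": r"vssadmin(\.exe)?\s.*delete\s+shadows"
                            r"|wmic(\.exe)?\s.*shadowcopy\s.*delete",
    "local_backup_deletion": r"wbadmin(\.exe)?\s.*delete\s+(catalog|systemstatebackup|backup)\b",
}
RULES = {name: re.compile(rx, re.I) for name, rx in RULES.items()}

def classify(cmdline):
    """Return the set of recovery-inhibition behaviours a command line matches."""
    return {name for name, rx in RULES.items() if rx.search(cmdline)}

def correlate(events, window_s=600, min_behaviours=2):
    """Flag hosts showing >= min_behaviours distinct behaviours within window_s.

    One match alone is often routine backup housekeeping; several distinct
    ones close together on a host is the pattern worth escalating.
    """
    hits = defaultdict(list)                      # host -> [(ts, behaviour)]
    for ev in events:
        for behaviour in classify(ev["cmd"]):
            hits[ev["host"]].append((ev["ts"], behaviour))
    alerts = {}
    for host, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            inside = {b for ts, b in seen[i:] if ts - start <= window_s}
            if len(inside) >= min_behaviours:
                alerts[host] = sorted(inside)
                break
    return alerts

# Constructed process-creation events (ts = seconds since start of the sample).
EVENTS = [
    {"host": "WS-01", "ts": 0,    "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-01", "ts": 40,   "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"host": "WS-01", "ts": 55,   "cmd": "bcdedit /set {default} safeboot minimal"},
    {"host": "BK-02", "ts": 10,   "cmd": "vssadmin list shadows"},
    {"host": "BK-02", "ts": 5000, "cmd": "wbadmin delete backup -keepVersions:3"},
    {"host": "HV-03", "ts": 100,  "cmd": "vssadmin delete shadows /for=C: /oldest"},
    {"host": "HV-03", "ts": 9000, "cmd": "bcdedit /set {default} recoveryenabled no"},
]

if __name__ == "__main__":
    for host, behaviours in correlate(EVENTS).items():
        print(host, behaviours)
```

In the sample, only WS-01 is escalated: BK-02 shows a single housekeeping command, and the two matches on HV-03 fall outside the ten-minute window.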

Attack Patterns

Medusa intensified its attacks towards the end of 2022 and remained active in the first quarter of 2023, although activity decreased in the second quarter. Medusa's ransom demands are typically in the millions of dollars, depending on the target organization's financial capabilities. The ransomware is spread through malicious email attachments (macros), torrent websites, or malicious ad libraries. Medusa is known to target various industries, with a focus on healthcare, pharmaceutical companies, and public sector organizations.

Double Extortion Scheme

Medusa employs a double extortion scheme in which some data is exfiltrated before it is encrypted. The affiliates who carry out attacks on Medusa's behalf are offered only up to 60% of the ransom amount if it is paid.
