Medusa Ransomware Hits Mississippi's Largest Hospital — and a Major New Jersey County

April 18, 2026 Cyber Trends

A nine-day digital blackout. Thirty-five closed clinics. An $800,000 ransom demand. Here's everything you need to know about the Medusa ransomware gang's latest — and most brazen — attacks on American public institutions.

In late February 2026, staff at the University of Mississippi Medical Center (UMMC) — the state's only Level I trauma center and only children's hospital — found themselves doing something no modern hospital should ever have to do: running an entire medical institution on paper and pen.

 

The culprit was a ransomware attack that plunged one of the South's most critical healthcare systems into a nine-day digital blackout. On March 13, 2026, the Medusa ransomware gang stepped forward to claim responsibility — and issued an $800,000 ransom demand, threatening to publish stolen patient and institutional data by March 20.

 

Who Was Hit?
UMMC is not just Mississippi's largest hospital — it is the backbone of the state's healthcare infrastructure. The organization employs 10,000 people and houses the state's only children's hospital, its only Level I trauma center, its only Level IV neonatal intensive care unit, and its only organ transplant programs. An attack on UMMC isn't merely a business disruption — it directly threatens lives.

 

The attack began in late February and sent shockwaves through the system. All 35 of UMMC's clinic locations were forced to close. The cancer infusion center — which serves patients who cannot simply "reschedule" without serious health consequences — had to pause and reorganize care. Emergency departments remained open, but staff were forced to manage complex, time-sensitive medical operations using analog methods.

 

Attack Timeline

Late February 2026
Cyberattack begins at UMMC. Systems go dark. All 35 clinic locations are closed. Cancer infusion center reschedules patients. Staff pivot to paper-based workflows.

March 2, 2026
UMMC fully reopens. FBI and DHS-assisted recovery effort concludes. Hospital operations resume after nine days offline.

Early March 2026
Passaic County, NJ reports a malware attack. Phone lines and IT systems across government offices are taken offline. Nearly 600,000 residents are affected.

March 13, 2026
Medusa claims the UMMC attack. The gang demands $800,000 and threatens to publish stolen data by March 20 if unpaid.

March 18, 2026
Medusa claims the Passaic County attack. A second $800,000 ransom demand is issued. The county becomes the group's second major victim in weeks.

 

Who Is the Medusa Ransomware Gang?
Medusa is not a new threat actor. The group emerged in 2021 and has steadily built a reputation for targeting high-impact public institutions — particularly healthcare organizations and municipal governments — across the United States.

 

Medusa Ransomware: Key Facts
Active since 2021; targets primarily U.S. healthcare, education, and government sectors
Believed to be based in Russia, judging by its avoidance of Commonwealth of Independent States targets, Russian-language forum activity, and Cyrillic script in operational tools
Employs double extortion: encrypting systems AND threatening to leak stolen data
CISA issued an advisory (AA25-071A) warning organizations about Medusa's tactics, techniques, and procedures
Has claimed attacks on multiple ambulance providers, hospital networks, and county governments

Cybersecurity experts believe the Medusa operation is run out of Russia. The group consistently avoids attacking organizations in Commonwealth of Independent States countries — a pattern commonly associated with Russian-linked threat actors operating with implicit state tolerance. Their tools have been found to contain Cyrillic script, and the group's members communicate on Russian-language dark web forums.

The Second Target: Passaic County, New Jersey
The same week Medusa claimed the UMMC attack, the group also announced responsibility for a cyberattack on Passaic County, New Jersey — home to nearly 600,000 residents. The county had already disclosed a "malware attack" roughly two weeks prior that took down phone lines and IT systems across government offices.

As with UMMC, Medusa demanded exactly $800,000 — a figure that may reflect the group's consistent pricing strategy for high-profile, high-pressure targets that are likely to pay.

Why Hospitals Are Prime Ransomware Targets
The UMMC attack fits a deeply troubling pattern. Healthcare organizations have consistently ranked among the most-targeted sectors for ransomware attacks, and the reasons are straightforward: they operate on life-critical systems that cannot tolerate downtime, they often run outdated or under-patched infrastructure, and they are under enormous pressure to restore services quickly — which translates directly into willingness to pay.

The stakes at UMMC were amplified by the hospital's unique position. As Mississippi's only organ transplant center and only Level IV NICU, disruption to its systems carries life-or-death consequences that a disruption to, say, a retail company simply does not.

What Should Organizations Do Right Now?
CISA has issued Advisory AA25-071A specifically addressing the Medusa ransomware threat. Organizations — particularly in healthcare and local government — should treat this as a priority action item.

Recommended Mitigations


Review and apply CISA Advisory AA25-071A mitigations immediately
Patch internet-facing systems and VPNs — Medusa is known to exploit known vulnerabilities for initial access
Implement and test offline data backups that cannot be encrypted or deleted by a ransomware actor
Segment networks to prevent lateral movement after initial compromise
Train staff on phishing and social engineering — common initial access vectors
Develop and regularly test an incident response plan, including analog fallback procedures
Enable multi-factor authentication across all remote access and email systems

 

The Bigger Picture
The Medusa attacks on UMMC and Passaic County are not isolated incidents — they are part of a sustained, strategic campaign by a well-resourced ransomware operation to target the institutions that communities depend on most. Hospitals cannot go offline. County governments cannot stop serving residents. That vulnerability is precisely the leverage these groups exploit.

 

 

 



 
