Medusa Ransomware Group Demands $800K, Threatens to Sell UMMC Data on Dark Web

Medusa, one of the dark web’s most active cybercrime groups, posted an $800,000 ultimatum on March 12 targeting the University of Mississippi Medical Center.

The gang claims to have swiped a massive trove of data from UMMC’s network during a ransomware attack it carried out on February 19.

That attackers destroy the health system for over a week, forcing clinics to close and pushing emergency services onto manual, paper-based operations.

UMMC has not confirmed whether hackers accessed or stole patient data, but Medusa is loudly claiming they did so.

Medusa Posts UMMC’s Data With a Ticking Clock

Medusa structured its dark web post like a grim auction. The gang gave UMMC three choices: pay $100,000 to extend the deadline, pay the full $800,000 ransom to have the data permanently deleted, or watch someone else pay $800,000 to buy it outright.

Cybersecurity researchers at Comparitech spotted and reported the posting, including screenshots the gang shared as proof of possession. The images show spreadsheets and charts that potentially carry sensitive information, though the exact contents remain difficult to confirm from what is visible.

The deadline Medusa set for UMMC’s response was March 20. UMMC has not publicly confirmed the legitimacy of the data trove, and the health system did not respond to earlier press inquiries asking whether hackers accessed protected health information during the breach.

This playbook, breach, post a countdown, threaten data leaks, is the same tactic Medusa used in its attack on Southwest C.A.R.E. Center, where the gang also threatened to publish stolen patient data unless the organization paid a ransom.

A Gang With a Long and Dangerous Track Record

Medusa is not a newcomer. The gang has operated since 2019 and built a reputation for hitting healthcare providers, government agencies, and public institutions hard.

Dark Web Sonar, a platform that tracks criminal activity on Tor, the network powering the dark web, credits Medusa with 201 ransomware attacks since 2024 alone. The gang’s operations span multiple countries and industries.

Researchers confirm that the UMMC attack marks Medusa’s first claimed breach of 2026, suggesting the group opened the year with a high-value target.

The identities of Medusa’s members remain unknown. What is known, however, is that the group follows a consistent and aggressive playbook: infiltrate, extract data, deploy ransomware, then post a public countdown to pressure victims into paying before their data goes to the open market.

What a Sale Could Mean for UMMC Patients

UMMC serves as Mississippi’s only academic medical center, handling a large volume of patients across the state. If Medusa’s claims hold up, the stolen data likely contains protected health information, the kind that bad actors use to run targeted phishing schemes, commit medical identity fraud, or sell in smaller batches across criminal networks.

The health system faces a tough position. Paying the ransom offers no guarantee that Medusa will destroy the data. Refusing means the gang could sell it to the highest bidder, scattering sensitive records across the dark web permanently. Cybersecurity experts consistently warn that ransomware payments rarely end the threat; they often invite repeat attacks.

For now, UMMC has stayed publicly quiet on Medusa’s posting. But with the March 20 deadline gone and no confirmed payment, the fate of the alleged data trove sits squarely in the hands of a criminal gang with more than 200 attacks already behind it, and no sign of slowing down.