Medusa Ransomware Attack on PMUSA: The $1.2 Million Ransom to Prevent Data Exposure

Among the latest victims listed on the .onion site by the Medusa ransomware group is Prestige Maintenance USA (PMUSA), a prominent U.S. company specializing in building maintenance and janitorial services. Headquartered in Plano, Texas, and employing more than 3,000 people, the company provides services across much of the United States.

The Medusa group is demanding a ransom of $1,200,000 in bitcoin for the deletion of files exfiltrated from PMUSA’s servers. The deadline for payment is set for January 24. After this date, approximately 300 GB of company data (the estimated volume of stolen information) will be made public through the group’s Telegram channel.

Screenshot and redaction by SuspectFile.com

Medusa has already posted 31 images as proof files on their blog within the Tor network. Most of these documents are administrative in nature, but they also include copies of passports, driver’s licenses, identification cards, and Social Security Numbers (SSNs).

We have had the opportunity to examine the file tree available on Medusa’s blog, which includes over 25,000 files. In addition to the previously mentioned documents, we identified further sensitive data related to PMUSA employees, including:

    • First and last names of employees
    • Payroll Schedule
    • Employee Referral Report Payout
    • Benefits
    • Contracts
    • Personal and business email accounts
    • Human resources documents
    • Personal insurance documents – Health Insurance Enrollment (Cigna Corporation, Colonial Life & Accident Insurance Company, Guardian Insurance, Sun Life Financial, UHC, etc.)
    • Medical certification of employee work restrictions
    • Drug Screens
    • Termination Forms

Before publishing this article, SuspectFile.com attempted to contact 6 employees from PMUSA’s administrative office to request an official statement regarding the incident. So far, no response has been received, and no information about the data breach affecting the employees has been published on the company’s website.