UK Healthcare provider HCRG battles Medusa ransomware threat

Medusa ransomware gang is demanding $2 million

HCRG Care Group, a private healthcare and social services provider in the United Kingdom, has been targeted by the Medusa ransomware gang.[1] The attackers claim to have stolen 2.3 terabytes of sensitive data and are demanding a $2 million ransom to prevent the information from being leaked. The breach was first reported in early February 2025, with a payment deadline set for February 27.

Previously known as Virgin Care and now owned by Twenty20 Capital, HCRG delivers community healthcare services for the NHS and local authorities across the UK.[2] The organization employs around 5,000 staff and provides care to approximately half a million patients. The stolen data allegedly includes personal information, medical records, passport copies, birth certificates, and staff schedules.

HCRG confirmed the incident, stating that it is investigating with external cybersecurity experts. It also reported the breach to the UK Information Commissioner’s Office and other regulators. Despite the attack, the company said that healthcare services continue to operate without disruption.

By now, ransomware gangs' extortion tactics are all about exposure of the stolen data

The Medusa ransomware gang, known for its aggressive extortion strategies,[3] has offered HCRG three options: pay $2 million to delete the data, sell the stolen files to a buyer for the same amount, or face a full leak online if the ransom is not paid by February 27. The group also offered to extend the deadline for $10,000 per day, keeping the pressure on negotiations.

To prove the authenticity of the breach, Medusa released 35 pages of sensitive documents, including government-issued IDs and background check details. HCRG has not disclosed how the attackers gained access, but Medusa often exploits unpatched software vulnerabilities, particularly in remote desktop applications.

The situation remains tense as negotiations appear stalled, with HCRG unlikely to meet the ransom demand. Cybersecurity experts warn that paying ransom does not guarantee the safe return of data, as criminals may still sell or leak the information after payment. This leaves the organization facing the difficult task of protecting affected individuals while managing ongoing healthcare operations.

This attack follows a similar incident in January, when Medusa targeted Gateshead Council in the UK, demanding $600,000. The council refused to pay, resulting in the public release of their stolen data. Security experts warn that paying ransom offers no guarantee, as attackers may still sell the data or target the organization again.

What is Medusa ransomware and what is known about its operators?

Medusa first appeared in late 2022 and has since become known for targeting Windows-based systems. It primarily targets the healthcare, education, manufacturing, technology, and retail industries. The group uses a “living off the land” strategy, relying on legitimate system tools to avoid detection by traditional security software.

Medusa operates through its dark web platform, the “Medusa Blog,” where it lists victims and shares stolen data if ransom demands are unmet.[4] The group also uses Telegram to distribute leaked information and communicate with potential buyers.

The attack on HCRG highlights the ongoing risk faced by healthcare providers, who hold valuable personal and medical data. Experts advise against paying ransoms, as studies show that 78% of organizations that paid were attacked again. For HCRG, the focus now remains on investigation, containment, and ensuring patient services remain unaffected.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
