[MEDUSA] – Ransomware Victim: ATIRG
NOTE: No files or stolen information are exfiltrated, downloaded, taken, hosted, seen, reposted, or disclosed by RedPacket Security. Any legal issues relating to the content should be directed at the attackers, not RedPacket Security. This blog is an editorial notice informing that a company has fallen victim to a ransomware attack. RedPacket Security is not affiliated with any ransomware threat actors or groups and will not host infringing content. The information on this page is automated and redacted whilst being scraped directly from the MEDUSA Onion Dark Web Tor Blog page.
AI Generated Summary of the Ransomware Leak Page
ATIRG (Association pour le Traitement de l’Insuffisance Rénale en Guyane) is a non-profit medical organization based in French Guiana that provides dialysis treatment and kidney care for patients with chronic renal failure. Established in 1981, ATIRG operates autodialysis centers in Cayenne, Kourou, and Saint-Laurent-du-Maroni, supporting patients in managing their own dialysis under professional supervision. The leak page identifies ATIRG as a ransomware victim and attributes the incident to a Medusa-affiliated operation. The post is dated October 22, 2025 at 16:41:55, which is presented as the publication date of the leak entry. The page indicates a claim URL is present, suggesting a ransom-related link exists on the page, though the actual URL is not reproduced in the accessible data. Access to the full content appears gated behind a CAPTCHA requiring human verification. The headquarters address is listed in the text but has been redacted for privacy in this public summary; the material confirms that the organization is based in Cayenne, French Guiana.
Metadata accompanying the leak post shows no visible images, screenshots, or downloadable files linked to ATIRG, with image_count reported as zero and downloads_present as false. There is no explicit statement in the provided excerpt about whether the attack encrypted data or exfiltrated information, nor is there a stated ransom figure. The presence of a claim URL implies the attackers intend to link to additional notes or data, but no content is shown here. The post’s date provided is the post date (October 22, 2025, 16:41:55), and there is no corroborating compromise date available in the visible material. Given the absence of attached files or explicit data-loss details in the excerpt, the full scope of ATIRG’s compromise remains unconfirmed in the accessible portion; CTI monitoring should focus on any updates to the leak page, the emergence of associated ransom notes, and any released data linked by the claim URL. The victim’s identity—ATIRG—remains the central focus of this report.
Support Our Work
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on Patreon or Buy Me A Coffee using the buttons below.
