FBI Warns Gmail, Outlook Users About Data Stealing Scheme That Asks for a Ransom — Here’s How to Stay Protected

The Medusa variant has carried out hundreds of attacks across industries, the FBI warns, along with CISA and MS-ISAC

A program has taken hundreds of victims’ data hostage for ransom — and others could be next, according to a warning from several government agencies.

Medusa, a “ransomware-as-a-service variant used to conduct ransomware attacks,” has claimed over 300 known victims within “critical infrastructure sectors” as of February, warns a March 12 cybersecurity advisory published by several agencies: the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

From 2021 to now, the ransomware-as-a-service provider has used common ransomware techniques like phishing and “exploiting unpatched software vulnerabilities” across medical, education, legal organizations and more, the advisory warns.

Originally operating as a closed ransomware variant, Medusa has changed a lot since it first cropped up on the scene nearly four years ago, the agencies add, explaining that it’s grown — just like the techniques required to thwart it.

BRENDAN SMIALOWSKI/AFP via Getty. A stock image of the FBI seal

“While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers,” the advisory states. “Both Medusa developers and affiliates — referred to as ‘Medusa actors’ in this advisory — employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid.”

Both developers and Medusa affiliates (or “actors,” as the advisory phrases it) employ the same double extortion ransom model, encrypting data from victims, holding it hostage and threatening to leak it if a ransom is not paid.

To prevent ransomware attacks like Medusa’s, the agencies warn anyone using webmail services like Gmail and Microsoft Outlook, as well as Virtual Private Networks (VPNs), to start using multifactor authentication — which, via text, email or an app, sends a security code that must be inputted to access the relevant account.

The simple technique adds a “critical, additional layer of security to protect assets accounts whose credentials have been compromised,” according to CISA.

The federal agencies also advise anyone potentially vulnerable to ransomware activity like Medusa’s attacks to take several other precautionary measures — including checking operating systems and software to ensure everything is properly patched and up to date.

The agencies also instruct organizations to store copies of sensitive or crucial information on physically separate and secure locations, such as hard drives or other storage devices, should recovery become necessary in the wake of an attack.

Thiago Prudencio/SOPA Images/LightRocket via Getty. A stock image of someone using Gmail

The full advisory goes more in depth about how to prevent attacks, but other advised steps for organizations — and the public at large — include segmenting networks and requiring VPNs for remote access.

And, should someone fall victim to a Medusa or a similar ransomware attack, the FBI, CISA, and MS-ISAC “do not encourage paying ransoms as payment does not guarantee victim files will be recovered,” the agencies stated in the advisory.

“Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities,” they continued, adding that regardless of whether ransom has been paid, ransomware incidents should be reported to the FBI or CISA.

By Bailey Richards – People
