FBI, CISA and MS-ISAC warn that the Medusa ransomware variant has conducted hundreds of attacks across industries
A program has held hundreds of victims’ data hostage for ransom and others could be next, according to a warning from multiple government agencies.
Medusa, a “ransomware-as-a-service variant used to conduct ransomware attacks,” has hit more than 300 known victims in “critical infrastructure areas” as of February, according to a March 12 cybersecurity advisory published jointly by the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
The advisory warns that since 2021, ransomware-as-a-service providers have used common ransomware techniques such as phishing and “exploiting unpatched software vulnerabilities” against medical, education and legal organizations, among other sectors. “While Medusa has since begun using an affiliate model, critical operations such as ransom negotiation are still handled centrally by the developers,” the advisory said. “Both Medusa developers and affiliates — referred to in this advisory as ‘Medusa actors’ — use a double extortion model, where they encrypt the victim’s data and threaten to publicly release the extracted data if the ransom is not paid.” In other words, both the developers and Medusa’s affiliates (or “actors,” as the advisory calls them) rely on the same double extortion model: encrypting victims’ data, holding it hostage and threatening to leak it if the ransom isn’t paid.
To prevent ransomware attacks like Medusa’s, the agencies warn anyone using webmail services like Gmail and Microsoft Outlook, as well as virtual private networks (VPNs), to start using multifactor authentication — which sends a security code via text, email, or app that must be input to access the relevant account.
According to CISA, this simple technique “adds a critical, additional layer of security to protect asset accounts whose credentials have been compromised.”
The federal agencies advise anyone potentially vulnerable to ransomware activity like Medusa’s attacks to take several other precautionary measures, including checking operating systems and software to ensure everything is properly patched and up to date.
The agencies also instruct organizations to store copies of sensitive or critical information in physically separate and secure locations, such as on hard drives or other storage devices, in case recovery becomes necessary in the wake of an attack.
The full advisory goes into more detail about how to prevent attacks, but other advised steps for organizations and the general public include segmenting networks and requiring VPNs for remote access.
And, if a person falls victim to a Medusa or similar ransomware attack, the FBI, CISA, and MS-ISAC “do not encourage paying the ransom because the payment does not guarantee that the victim’s files will be recovered,” the agencies said in the advisory.
“In addition, payments may encourage adversaries to target additional organizations, engage in the distribution of ransomware to other criminal actors, and/or fund illicit activities,” they said, adding that whether or not a ransom has been paid, ransomware incidents should be reported to the FBI or CISA.