The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has released a joint cybersecurity advisory warning organizations about the escalating threat posed by the Medusa ransomware.
Since its emergence in 2021, Medusa has targeted over 300 victims across various critical infrastructure sectors, including medical, education, legal, insurance, technology, and manufacturing.
What is Medusa ransomware?
Medusa operates as a ransomware-as-a-service (RaaS) model, allowing cybercriminals to lease its infrastructure for malicious activities.
Initially a closed operation, Medusa has transitioned to an affiliate-based model, maintaining centralized control over crucial operations like ransom negotiations. Attackers employ a double extortion strategy, encrypting victim data and threatening to publicly release it if the ransom is unpaid.
Attack vectors and techniques
Medusa actors leverage common ransomware tactics, including phishing campaigns and exploiting unpatched software vulnerabilities.
They leverage living-off-the-land (LotL) techniques, using legitimate tools within the victim’s environment to escalate privileges and move laterally across networks. At least one victim reported a “triple extortion” attempt, where an affiliate claimed a negotiator had stolen a paid ransom, demanding an additional payment for the true decryptor.
Recommendations for organizations
The Medusa ransomware presents a significant and evolving threat to critical infrastructure sectors. Organizations must proactively implement robust cybersecurity measures to defend against such attacks.
To mitigate the risk of Medusa ransomware attacks, CISA and the FBI recommend the following measures:
- Update systems regularly: Ensure operating systems, software, and firmware are patched and up to date to close known vulnerabilities.
- Implement network segmentation: Divide networks into segments to restrict lateral movement by attackers, limiting the potential impact of a breach.
- Enforce multi-factor authentication (MFA): To add an extra layer of security against unauthorized access, MFA should be required for all services, especially webmail and virtual private networks (VPNs).
- Disable unnecessary command-line access: Limit command-line and scripting activities to reduce the effectiveness of attackers’ LotL techniques.
- Maintain offline backups: Store critical data backups offline to ensure recovery in case of an attack, preventing data loss and reducing downtime.
Authorities strongly discourage paying ransoms, as it does not guarantee data recovery and may encourage further criminal activity. Organizations should report ransomware incidents to the FBI or CISA, regardless of whether a ransom is paid, to assist in tracking and combating these threats.
Learn the best ways to prevent ransomware and keep your sensitive data safe from prying eyes.
