The FBI has issued a stern warning about Medusa ransomware, a fast-growing threat that has already hit hundreds of victims across several sectors.

Organizations in critical infrastructure sectors such as healthcare, education, legal, insurance, technology, and manufacturing are warned to take prompt action to secure their data and systems.

FBI Warns About the Medusa Ransomware

The Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint cybersecurity advisory in response to the recent rise in Medusa ransomware activity. The advisory is part of CISA's #StopRansomware effort, which is designed to inform and alert users about new ransomware strains and threat actors.

First observed in June 2021, Medusa has evolved into a ransomware-as-a-service (RaaS) operation. It began as a closed ransomware strain run by a single group of cybercriminals but has since moved to an affiliate-based model, in which multiple attackers, referred to as "Medusa actors," carry out ransomware attacks using a double extortion tactic.

In this scheme, the attackers encrypt victim data and also threaten to publish it online if the ransom is not paid.

The Horrors Behind Medusa Ransomware

According to USA Today, the Medusa ransomware operates through an extremely aggressive and structured attack model.

As per the advisory, victims are provided with a ransom note asking them to reach out to the attackers within 48 hours using a browser-based live chat or an end-to-end encrypted messaging platform. Medusa actors might escalate their threats by reaching out via email or telephone if they do not receive a response.

Medusa has a website that lists victims and features countdown timers for when stolen data will be made available to the public. Ransom values and payment details are listed on the website, together with direct links to the cryptocurrency wallets used for payments.

Furthermore, attackers offer victims an option to pay $10,000 in cryptocurrency to postpone the release of their data by one day. This tactic adds pressure on victims and maximizes profits for the cybercriminals.

Critical Industries at Risk From Medusa Ransomware Attack

Since its appearance, Medusa has attacked several industries. The most vulnerable industry is healthcare. Hospitals and medical centers are at greater risk because of the sensitive character of patient information.

For instance, in 2023 Medusa ransomware attacked PhilHealth, the Philippines' state health insurer. According to Tech Times, millions of records belonging to Filipino patients were leaked to various websites.

The education, technology, manufacturing, legal, and insurance industries are also affected by this dangerous ransomware.

How Organizations Can Protect Themselves from Medusa Ransomware

To help reduce the threat from Medusa ransomware, the FBI, CISA, and MS-ISAC advise taking the following steps:

Strengthen Remote Access Security

  • Require Virtual Private Networks (VPNs) or jump hosts for remote access.
  • Detect unauthorized scanning and access attempts on networks.

Enhance Authentication and Password Policies

  • Require strong, complex passwords, and avoid frequent forced password changes, which can weaken security.
  • Enforce multi-factor authentication (MFA) for all major services, including email and VPNs.

Keep Systems Current

  • Update operating systems, software, and firmware regularly to close vulnerabilities that ransomware takes advantage of.

Have a Strong Data Recovery Plan

  • Store multiple copies of sensitive information in physically isolated, segmented, and secure environments, like offline storage or cloud backups.
  • Test backup and recovery procedures regularly so that systems can be restored rapidly after an attack.

Network Segmentation and Monitoring

  • Segment networks to restrict the spread of ransomware in the event of an attack.
  • Employ network monitoring tools to identify unusual activity and possible ransomware movement.
  • Deploy tools that log and report all network traffic to help identify lateral movement within a compromised network.
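As an added illustration of two items above (detecting unauthorized access attempts on remote-access services, and spotting scanning or lateral movement from network logs), the following script is example code written for this article, not part of the advisory or any vendor tool. The log lines are constructed syslog-style samples, and the thresholds are assumed values an analyst would tune for their own environment.

```python
"""Flag repeated failed remote logins and one-to-many internal scanning."""
import re
from collections import defaultdict

# Constructed sample log lines (not from any real incident).
SAMPLE_LOGS = """\
auth: Failed password for admin from 198.51.100.7 port 51022 ssh2
auth: Failed password for admin from 198.51.100.7 port 51023 ssh2
auth: Failed password for root from 198.51.100.7 port 51024 ssh2
auth: Failed password for backup from 198.51.100.7 port 51025 ssh2
auth: Failed password for admin from 198.51.100.7 port 51026 ssh2
auth: Accepted publickey for ops from 203.0.113.5 port 40010 ssh2
fw: DROP SRC=192.0.2.9 DST=10.0.0.12 DPT=445
fw: DROP SRC=192.0.2.9 DST=10.0.0.13 DPT=445
fw: DROP SRC=192.0.2.9 DST=10.0.0.14 DPT=3389
fw: DROP SRC=192.0.2.9 DST=10.0.0.15 DPT=3389
fw: DROP SRC=192.0.2.9 DST=10.0.0.16 DPT=22
fw: DROP SRC=203.0.113.5 DST=10.0.0.12 DPT=443
"""

FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+) port")
DROP_RE = re.compile(r"DROP SRC=(\S+) DST=(\S+) DPT=(\d+)")


def detect(log_text, fail_threshold=5, scan_threshold=4):
    """Return alerts as (kind, source_ip, count) tuples.

    brute_force: a source with >= fail_threshold failed logins.
    scan: a source whose dropped packets reached >= scan_threshold
          distinct internal hosts (assumed thresholds, tune per site).
    """
    failures = defaultdict(int)      # source ip -> failed login count
    targets = defaultdict(set)       # source ip -> set of internal hosts hit
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = DROP_RE.search(line)
        if m:
            targets[m.group(1)].add(m.group(2))
    alerts = [("brute_force", src, n)
              for src, n in failures.items() if n >= fail_threshold]
    alerts += [("scan", src, len(hosts))
               for src, hosts in targets.items() if len(hosts) >= scan_threshold]
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

In a real deployment the same logic would read from a SIEM or log pipeline rather than an inline string, and the source addresses flagged here would be cross-checked against the VPN and jump-host allow-list the advisory recommends.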

It's important to remain vigilant against ransomware attacks. Since ransomware is 2024's biggest security threat, organizations and users need to be extremely careful when using an app, clicking a link online, or taking any action that could trigger a ransomware infection.

Originally published on Tech Times