Medusa Ransomware cyberattacks grow as FBI issues warning. How to stay protected


The FBI and cybersecurity officials have joined forces to warn against the threats of ransomware.

On March 12, the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint cybersecurity advisory sharing information about Medusa Ransomware.

Medusa is a ransomware-as-a-service provider that has recently impacted over 300 victims through common techniques such as phishing. It was first identified in June 2021.

The advisory is a part of an ongoing #StopRansomware initiative, which highlights ransomware variants and threat actors, as well as their observed tactics, techniques and procedures.

Here's what you should know about Medusa and how to protect yourself and your organization against it.

Medusa actors encrypt and threaten to release victim data

Medusa originally operated as a closed ransomware variant, meaning everything was done and controlled by the same group of cyber threat actors.

According to the FBI, Medusa has since shifted toward an affiliate model, where both developers and affiliates "employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid."

Affiliates, or initial access brokers, are typically recruited in cybercriminal forums and marketplaces. Common techniques used by the affiliates include phishing campaigns and exploiting unpatched software vulnerabilities.

How to protect your organization from Medusa Ransomware

According to the advisory, here are some actions organizations should take today to protect against Medusa Ransomware threats:

  • Require VPNs or Jump Hosts for remote access.

  • Monitor for unauthorized scanning and access attempts.

  • Require employees to use long passwords and consider not requiring frequently recurring password changes, which can weaken security.

  • Require multi-factor authentication for all services to the extent possible, especially for Gmail and email, virtual private networks, and accounts that access critical systems.

  • Keep all operating systems, software, and firmware up to date.

  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud).

  • Segment networks to prevent the spread of ransomware.

  • Identify, detect, and investigate abnormal activity and potential traversal of the ransomware with a network monitoring tool. To aid in detecting the ransomware, implement a tool that logs and reports all network traffic, including lateral movement activity on a network.

How to report suspicious or criminal activity related to Medusa

Contact your local FBI field office or CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870.

State, Local, Tribal, and Territorial organizations should report incidents to MS-ISAC (866-787-4722 or SOC@cisecurity.org).

This article originally appeared on Florida Times-Union: FBI warning gmail, email: Medusa Ransomware cyberattacks a threat
