How to Dodge the Medusa Ransomware Trap

A serious warning has been issued by federal authorities. They are alerting individuals and organizations to be on the lookout for a dangerous ransomware campaign. This campaign has recently added hundreds of new victims to its list. The culprit is Medusa, a particularly nasty form of ransomware. The FBI, CISA, and MS-ISAC have teamed up to provide details on how these attacks unfold and how people can shield themselves from them. Medusa is a ransomware-as-a-service (RaaS) variant. It first appeared in June 2021. This type of ransomware targets critical infrastructure organizations. These include sectors like medical, education, legal, insurance, technology, and manufacturing. The developers of Medusa use an affiliate model. They hire out the work to affiliates who carry out the actual attacks. Since last month alone, developers and affiliates have hit more than 300 victims. This shift to an affiliate model means that the developers focus on ransom negotiations and other actions, while the affiliates do the dirty work. The affiliates have two main methods to compromise a targeted organization. The first is through phishing campaigns. The second is by exploiting unpatched software vulnerabilities. Once they gain initial access, they use various tools to advance further. They scan for vulnerable users, systems, and open ports. They compile lists of network and file resources. They move laterally through the network to find files that can be stolen and encrypted. They use remote access software and other tools to gain system-level privileges. Throughout the attack, they also work to cover their tracks and evade detection. They may exploit vulnerable drivers to kill endpoint detection and response tools. They use utilities to skirt detection when accessing files for encryption. They delete command history to wipe their tracks.

Medusa employs a double-extortion model. This means the stolen data is not only encrypted but the criminals also threaten to release the data publicly unless the ransom is paid. Victims are given a 48-hour window to respond to the ransom note. If they do not comply, the attackers will contact them by phone or email. A data leak site lists the ransom demands with a countdown until the information is released publicly. Even before the countdown ends, Medusa promotes the sale of the stolen data to interested buyers. Victims can pay $10, 000 in cryptocurrency to add another day to the timer. The reported culprit behind Medusa is a group called Spearwing. Since early 2023, the group has listed almost 400 victims on its data leak site. The actual number of victims is likely much higher. Attackers using Medusa have demanded ransoms ranging from as low as $100, 000 to as high as $15 million. So, how can you protect yourself from Medusa and other ransomware variants? The joint advisory offers several tips, mostly geared toward large organizations. First, patch known and critical security vulnerabilities. Make sure your operating systems, software, and firmware are all patched and up to date. Segment your networks to limit attackers who compromise one segment or device from doing the same to other segments and devices. Filter network traffic to prevent unknown or untrusted accounts and individuals from accessing remote services on your internal systems. Disable unused ports to ensure that attackers won't be able to compromise your network through an open and vulnerable port. Set up a recovery plan to protect critical data. Store multiple copies of sensitive or proprietary data in a location that's physically separate and segmented from your primary network. Enable multifactor authentication for all accounts and services that access webmail, VPNs, and critical systems. Monitor for unusual network activity. Use tools that can log and report all network traffic to look for and alert you to unusual or abnormal activity, including lateral movement on your network.

Actions