CISA, FBI Warn of Medusa Ransomware Impacting Critical Infrastructure

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint advisory, warning that the Medusa ransomware operation has impacted over 300 victims across critical infrastructure sectors.
Affected industries include healthcare, education, legal, insurance, technology and manufacturing.
A Growing Threat
Medusa, a ransomware-as-a-service (RaaS) variant first identified in June 2021, employs a double extortion model – encrypting victim data while also threatening to publicly release exfiltrated data if the ransom is not paid. Despite its name, Medusa ransomware is unrelated to MedusaLocker or the Medusa mobile malware variant.
The FBI’s investigation found that Medusa actors gain initial access through phishing campaigns and by exploiting unpatched software vulnerabilities, such as the ScreenConnect authentication bypass (CVE-2024-1709) and the Fortinet EMS SQL injection flaw (CVE-2023-48788).
Once inside a network, they use legitimate administrative tools, including PowerShell and Windows Management Instrumentation (WMI), to evade detection, move laterally and deploy encryption payloads.
Increasing Sophistication
Medusa affiliates utilize various remote access tools such as AnyDesk, Atera and ConnectWise to infiltrate networks.
They also employ advanced techniques to evade detection, including obfuscated PowerShell scripts, disabling endpoint detection systems and leveraging reverse tunneling tools like Ligolo and Cloudflared.
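As an added illustration that is not part of the advisory or this article, the following Python sketch turns the behaviours described above (encoded or hidden-window PowerShell, WMI-spawned shells, and execution of the named remote access or tunnelling tools) into simple triage rules over constructed process-creation events; the event shape, the rule names and the per-host allowlist are assumptions, and the sample events are made up for the demonstration.

```python
import re

# Constructed sample events in a Sysmon-like shape; none of this is real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "srv02", "parent": "wmiprvse.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "srv03", "parent": "services.exe",
     "image": "C:\\Users\\Public\\ligolo-agent.exe", "cmdline": "ligolo-agent.exe"},
    {"host": "ws04", "parent": "explorer.exe",
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n C:\\Users\\alice\\report.docx"},
]

# PowerShell accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc, ...),
# so match the prefix family rather than only the full switch name.
ENCODED_PS = re.compile(r"\s-e(c|nc|ncodedcommand)?\b", re.IGNORECASE)
HIDDEN_WINDOW = re.compile(r"\s-w(indowstyle)?\s+hidden\b", re.IGNORECASE)
# Tools the advisory names for remote access and reverse tunnelling. They are legitimate
# in many environments, so a hit is a finding only on hosts not on the allowlist.
REMOTE_TOOL_NAMES = ("anydesk", "atera", "screenconnect", "connectwise", "ligolo", "cloudflared")
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")


def basename(path):
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event, allowed_remote_hosts=frozenset()):
    """Return the list of rule names a single event trips (empty if benign)."""
    findings = []
    image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    if image in ("powershell.exe", "pwsh.exe") and (ENCODED_PS.search(cmd) or HIDDEN_WINDOW.search(cmd)):
        findings.append("obfuscated_powershell")
    if parent == "wmiprvse.exe" and image in SHELLS:          # WMI-launched shell: lateral movement
        findings.append("wmi_spawned_shell")
    if any(n in image for n in REMOTE_TOOL_NAMES) and event["host"] not in allowed_remote_hosts:
        findings.append("remote_or_tunnel_tool")
    return findings


def triage(events, allowed_remote_hosts=frozenset()):
    """Flatten findings across events as (host, rule) pairs for downstream alerting."""
    return [(e["host"], f) for e in events for f in evaluate(e, allowed_remote_hosts)]


if __name__ == "__main__":
    for host, rule in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Feed it real process-creation telemetry and an allowlist of hosts where the remote tools are sanctioned, and tune the rules to your environment before alerting on them.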
A particularly alarming aspect of Medusa’s operations, CISA warned, is its extortion tactics.
Victims are pressured to pay within 48 hours via a Tor-based live chat or encrypted messaging platforms. If ignored, Medusa actors leak stolen data on their darknet site, offering it for sale before the countdown timer expires.
Reports suggest that even after a ransom is paid, victims may face additional extortion demands from different Medusa actors.
FBI and CISA Recommendations
The advisory strongly recommends that organizations implement mitigations to prevent falling victim to an attack, including:
- Keeping software updated and applying security patches
- Enforcing strong access controls and multi-factor authentication (MFA)
- Monitoring for unusual activity and restricting the use of remote desktop protocols (RDP)
- Implementing network segmentation to contain potential breaches
“This continues CISA’s long tradition of warning people about ransomware that spreads using social engineering, [which] does not suggest security awareness training as a primary way to defeat it,” noted Roger Grimes, a cybersecurity expert from KnowBe4.
“Social engineering is involved in 70-90% of all successful hacking attacks. [Ignoring this in their top recommendations] does a huge disservice […] Hackers must be laughing.”
Regardless, the FBI and CISA urged organizations to report Medusa ransomware incidents to law enforcement and refrain from paying ransoms, as doing so risks encouraging further attacks.