FBI, CISA Warn About the Rise of Medusa Ransomware Attacks
March 16, 2025
In a joint alert, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a #StopRansomware advisory warning the public about Medusa ransomware attacks.
Medusa is a ransomware-as-a-service (RaaS) variant first observed in 2021. Since then, its developers and affiliates have targeted over 300 victims, including organizations across critical infrastructure sectors such as healthcare, law, education, insurance, technology, and manufacturing.
Evolution of Medusa Ransomware
Medusa initially operated as a closed ransomware variant, with its developers controlling all aspects of its development and operations. Over time, it transitioned to an affiliate model, though certain functions, such as ransom negotiations, remain under the developers’ control.
The developers demand ransoms ranging from $100,000 to $15 million and employ double extortion tactics, stealing data before encrypting victim networks. This approach increases pressure on victims to pay the ransom. Last week, researchers warned of a significant uptick in Medusa attacks over the past year.
Initial Access and Attack Techniques
Medusa developers rely on initial access brokers (IABs) to infiltrate victims’ networks. These brokers, often recruited from cybercriminal forums and marketplaces, are offered between $100 and $1 million to work exclusively for Medusa. They use phishing campaigns and exploit vulnerabilities to gain access to systems.
Once inside, Medusa affiliates employ living-off-the-land (LotL) techniques, leveraging legitimate tools for reconnaissance, detection evasion, data exfiltration, and lateral movement within compromised environments.
Mitigation Recommendations
To defend against Medusa ransomware, CISA, FBI, and MS-ISAC recommend the following measures:
Deploy Software Patches: Regularly update systems to address known vulnerabilities.
Implement Network Segmentation: Isolate critical systems to limit the spread of ransomware.
Block Access from Untrusted Sources: Restrict access to services and networks from unknown or untrusted entities.
Adopt an “Assumed Breach” Mindset: Shift focus from prevention alone to rapid detection, response, and recovery.
Dan Lattimer, Semperis area vice president for the UK & Ireland, emphasized the importance of these steps:
“Defenders have their hands full tackling the presence of Medusa. Mitigation recommendations, such as deploying software patches, network segmentation, and blocking access to services from unknown or untrusted sources, will help organizations improve their operational resilience. Additionally, adopting an ‘assumed breach’ mindset ensures companies focus on detecting, responding, and recovering quickly, rather than solely preventing breaches.”
Conclusion
The Medusa ransomware campaign highlights the growing sophistication of cybercriminals and the increasing threat to critical infrastructure. By implementing proactive security measures and adopting a resilient mindset, organizations can better defend against such attacks and minimize the impact of ransomware incidents. Staying vigilant and prepared is essential in the face of evolving cyber threats.