The FBI is warning users of popular email services such as Outlook and Gmail that they could be subject to cyberattacks by ransomware called Medusa, which has impacted more than 300 victims from a number of sectors, including technology, legal, medical and manufacturing.
Medusa, a ransomware-as-a-service that was first identified in June 2021, was observed as recently as last month, according to an advisory released last week by the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
“Both Medusa developers and affiliates—referred to as ‘Medusa actors’ in this advisory—employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid,” the agencies said in the March 12 advisory.
Medusa developers typically recruit initial access brokers on cybercriminal forums and marketplaces, offering them payments of between $100 and $1 million along with the opportunity to work exclusively for Medusa. Those brokers are known to use common techniques such as phishing campaigns and the exploitation of unpatched software vulnerabilities, according to the advisory.
“The ransom note demands victims make contact within 48 hours via either a Tor browser-based live chat, or via Tox, an end-to-end encrypted instant-messaging platform,” the agencies wrote. “If the victim does not respond to the ransom note, Medusa actors will reach out to them directly by phone or email.”
In one case documented by an FBI investigation, a victim that had already paid was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom and demanded a further payment for the "true" decryptor, a pattern the agencies describe as potential triple extortion.
The FBI, CISA and MS-ISAC outlined some steps users can take to protect themselves from Medusa ransomware.
All accounts with password logins should use long passwords that follow NIST guidance, which advises against forcing frequent password changes because mandatory rotation tends to weaken security. Multifactor authentication should be in place for all services where possible, particularly webmail, VPNs and accounts that access critical systems.
Organizations should keep multiple copies of sensitive data and servers in a physically separate, segmented location, whether on hard drives, other storage devices or in the cloud, so they can recover without paying. Backups should also be kept offline and, ideally, encrypted and immutable so they cannot be altered or deleted. Operating systems, software and firmware should be kept up to date.
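The backup advice above is only useful if the copy is still intact when it is needed, and ransomware operators who reach backup media will corrupt or delete it. The following Python script is an added example, not code from the advisory or from any of the agencies, showing one way to make a backup tamper-evident and to rehearse a restore: it archives a directory, writes a manifest of per-file SHA-256 hashes, signs that manifest with an HMAC key (the constant name `MANIFEST_KEY`, the file names and the sample data are all constructed for the example; the key would in practice live offline, away from the backup media), and then verifies the archive and every file inside it. It does not encrypt the archive itself; that is assumed to be handled by the storage layer or a separate tool.

```python
import hashlib
import hmac
import json
import os
import tarfile
import tempfile
from pathlib import Path

# Hypothetical manifest key for the example. In practice this secret is kept
# offline, so an attacker with write access to the backup media cannot re-sign
# a manifest after replacing the archive.
MANIFEST_KEY = b"example-offline-manifest-key"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_dir: Path, dest_dir: Path, key: bytes = MANIFEST_KEY) -> Path:
    """Archive src_dir into dest_dir and write a keyed (HMAC-SHA256) manifest beside it."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname="data")
    manifest = {"archive_sha256": sha256_file(archive), "files": {}}
    for p in sorted(src_dir.rglob("*")):
        if p.is_file():
            manifest["files"][p.relative_to(src_dir).as_posix()] = sha256_file(p)
    body = json.dumps(manifest, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    (dest_dir / "manifest.json").write_bytes(body)
    (dest_dir / "manifest.hmac").write_text(tag)
    # Read-only permissions are a cheap stand-in for immutable storage; they do
    # not stop a privileged attacker, which is why the manifest is keyed.
    for f in (archive, dest_dir / "manifest.json", dest_dir / "manifest.hmac"):
        os.chmod(f, 0o444)
    return archive


def verify_backup(dest_dir: Path, key: bytes = MANIFEST_KEY) -> bool:
    """Restore drill: check manifest authenticity, the archive hash, then every file's content."""
    body = (dest_dir / "manifest.json").read_bytes()
    expected_tag = (dest_dir / "manifest.hmac").read_text().strip()
    actual_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(actual_tag, expected_tag):
        return False  # manifest was altered or re-signed without the key
    manifest = json.loads(body)
    archive = dest_dir / "backup.tar.gz"
    if sha256_file(archive) != manifest["archive_sha256"]:
        return False  # archive itself was modified
    # Read each member back out of the archive and hash it, i.e. prove the data
    # is actually recoverable rather than trusting the container hash alone.
    restored = {}
    with tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile():
                rel = Path(m.name).relative_to("data").as_posix()
                restored[rel] = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
    return restored == manifest["files"]


def demo() -> dict:
    """Constructed scenario: back up a small tree, verify it, then simulate two attacks."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "src"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "contract.txt").write_text("constructed sample contract\n")
        (src / "notes.txt").write_text("constructed sample notes\n")
        dest = Path(work) / "backup"
        archive = create_backup(src, dest)
        result = {"clean": verify_backup(dest)}

        # Attack 1: ransomware overwrites the archive on the backup share.
        os.chmod(archive, 0o644)
        archive.write_bytes(b"encrypted by ransomware")
        result["tampered_archive"] = verify_backup(dest)

        # Attack 2: the attacker also rewrites the manifest to match the new
        # archive, but cannot produce a valid HMAC without the offline key.
        forged = {"archive_sha256": sha256_file(archive), "files": {}}
        forged_body = json.dumps(forged, sort_keys=True).encode()
        os.chmod(dest / "manifest.json", 0o644)
        (dest / "manifest.json").write_bytes(forged_body)
        os.chmod(dest / "manifest.hmac", 0o644)
        (dest / "manifest.hmac").write_text(
            hmac.new(b"attacker-guess", forged_body, hashlib.sha256).hexdigest())
        result["forged_manifest"] = verify_backup(dest)
        return result


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields `clean` as True and both attack scenarios as False. The point of the restore step is that a backup job reporting success says nothing about whether the data can be read back; the point of the keyed manifest is that integrity metadata stored next to the backup is only trustworthy if the attacker cannot recompute it.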
If users open phishing links or attachments, they should not simply ignore what happened, according to Ryan Kalember, the chief strategy officer at security firm Proofpoint.
“That is often the first reaction, and it is not ideal,” he told The Washington Post. “When you fall for something, the attacker still has some window of time where they have to figure out what they’ve just got and whether it’s even worth taking advantage of.”