Update, March 15, 2025: This story, originally published March 13, has been updated with expert comment from infosecurity professionals following the warning of Medusa ransomware attacks and the urgent FBI mitigation advice.
The Federal Bureau of Investigation has recently warned of weird ransomware attack threats delivered by the United States Postal Service, yes really, alongside a dangerous ransowmare campaign from so-called Ghost attackers, and some of the most sophisticated threats against Gmail users ever. Having previously also advised users to use two-factor authentication to mitigate such attacks, a newly published FBI industry alert has rolled the mitigation advice into one as ongoing attacks by the Medusa ransomware gang continue. Enable 2FA for webmail services such as Gmail and Outlook, as well as for VPNs, the FBI has warned. And enable it now. Here’s what you need to know.
FBI And CISA Issue Medusa Ransomware Industry Joint Alert
Medusa, a highly dangerous ransomware-as-a-service provider, known to have impacted at least 300 victims from the critical infrastructure sector since the campaign was first observed in June 2021, is known to employ both social engineering and unpatched software vulnerability exploitation during attacks. FBI investigations as recently as February have enabled intelligence agencies to assemble a dossier of tactics, techniques, and procedures, indicators of compromise, and detection methods associated with the threat actors.
In partnership with the U.S. Cybersecurity and Infrastructure Security Agency, the FBI has issued a joint March 12 cybersecurity advisory against the backdrop of attacks by the Medusa ransomware group. The full FBI alert, AA25-071A, goes into great depth regarding the technicalities of the Medusa operation. As such, it is of importance that this should be read by all cyber-defenders. However, for the purposes of this article I am going to focus on the attack mitigation advice offered by the FBI.
Expert Insights Following FBI Warning About Medusa Ransomware Campaigns
Ransomware-as-a-service is alive and well. That’s the takeaway from the FBI warning. “Medusa is an apt name for this attack, considering its multi-faceted and far-reaching impacts on various industries,” Tim Morris, chief security advisor at Tanium, said. Medusa mature and effective at exploitation, persistence, lateral movement, and concealment, Morris continued, which makes it “crucial for organizations to manage their estates properly, know where their assets are, and ensure they have robust defense-in-depth mechanisms in place.”
“Ransomware operators like Medusa focus on gaining leverage to extort organizations, Jon Miller, CEO and co-founder of Halcyon, said, “making critical infrastructure entities prime targets due to their heightened motivation to maintain uninterrupted services.” These groups, Miller explained, exploit security gaps, leveraging vulnerabilities to move laterally, escalate privileges, exfiltrate sensitive data and ultimately deploy their payloads. “Once inside a network,” Miller continued, “Medusa employs sophisticated strategies to maximize impact.” Specifically, the group executes base64 encrypted commands via PowerShell to avoid detection and utilizes tools like Mimikatz to extract credentials from memory, facilitating further network compromise. “They also leverage legitimate remote access software,” Miller warned, “including AnyDesk and ConnectWise, as well as tools like PsExec and RDP, to propagate across the network.” Designed to inflict maximum operational disruption, Medusa can terminate over 200 Windows services and processes, including those related to security software, Miller concluded.
Mitigating Medusa—FBI Says Enable 2FA For Webmail And VPNs Now
When it comes to the immediate, as in right now, actions that all organizations should be taking in order to mitigate the Medusa ransomware attack campaigns, the FBI has recommended the following:
- Require two-factor authentication for all services where possible, but in particular for webmail such as Gmail, Outlook and others, along with virtual private networks and any accounts that can access critical systems.
- Require all accounts with password logins to use long passwords and consider not requiring frequently recurring password changes, as these can weaken security.
- Retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location.
- Keep all operating systems, software, and firmware up to date. Prioritize patching known exploited vulnerabilities in internet-facing systems.
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool.
- Monitor for unauthorized scanning and access attempts.
- Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems.
- Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
- Disable command-line and scripting activities and permissions.
- Disable unused ports.Despite FBI And CISA Advice, The Hackers Must Be Laughing
Not everyone is happy with the advice that has been given by the FBI and CISA with regard to the Medusa ransomware group threat. Take Roger Grimes, a data-driven defence evangelist at KnowBe4, who said that it continues a long tradition of “warning people about ransomware that spreads using social engineering, that then does not suggest security awareness training as a primary way to defeat it.” Grimes said that, in the experience of KnowBe4, social engineering is involved in 70% – 90% of all successful hacking attacks. Yet, despite the official alert noting that social engineering is one of the primary methods of distributing the ransomware threats, awareness isn’t mentioned in the 15 recommended mitigations. “It’s like learning that criminals are breaking into your house all the time through the windows and then recommending more locks for the doors,” Grimes said. Warning that such a continued misalignment between the ways we are most often attacked by threat actors and their malware programs and how we are told to defend ourselves enables hackers to continue to be successful, Grimes concluded that “the hackers must be laughing.”
