FBI and CISA Warn of Global Ransomware Threat Employing ‘Double Extortion Model’
The notification urges organizations to update their software, operating systems, and firmware to safeguard against cyberattacks.
Several federal agencies in the U.S. have released a joint advisory warning about Medusa, a ransomware-as-a-service (RaaS) threat that emerged in June 2021.
RaaS is an economic model where developers offer ransomware tools to third parties who then execute attacks on designated targets.
The sectors targeted by Medusa include technology, healthcare, insurance, manufacturing, legal, and education.
The advisory specified that Medusa actors—those who develop and use the service—employ a “double extortion model, in which victims are required to pay to decrypt their files and avert further exposure” of the stolen information.
“The ransom note instructs victims to get in touch within 48 hours either through a Tor browser-based live chat or using Tox, a secure instant messaging platform.”
“If the victim fails to respond to the ransom demand, Medusa actors will follow up directly via phone or email,” added the agencies.
The joint advisory comes from CISA, the FBI, and the Multi-State Information Sharing and Analysis Center, and aims to disseminate the known tactics, techniques, and related information concerning Medusa.
Medusa operates a data leak site that reveals details about their victims and the remaining time for them to settle the ransom, along with links to cryptocurrency wallets.
During the countdown period, Medusa also promotes the stolen data for sale to interested buyers. To extend the countdown by a single day, victims usually need to pay $10,000 in cryptocurrency.
“FBI investigations have shown that after settling the ransom, one victim was contacted by a different Medusa actor who claimed the original negotiator had appropriated the ransom already paid.” This actor then “demanded half of the payment be remitted again to provide the ‘true decryptor’—suggesting a potential triple extortion scheme,” according to the advisory.
The agencies advise that, to protect themselves from Medusa, organizations address known vulnerabilities in their systems, which includes keeping firmware, software, and operating systems up to date.
All network accounts that use password logins should comply with the standards set by the National Institute of Standards and Technology (NIST).
“In particular, enforce long password requirements for employees and consider avoiding frequent password changes, as these may compromise security,” the agencies recommended.
The majority of Medusa’s victims are located in the United States, Canada, France, the United Kingdom, Australia, and Italy.
There is no evidence linking Medusa to a previous group or indicating any rebranding. Medusa seems to operate independently, utilizing its own infrastructure, as noted by Barracuda.
Threat actors exploit publicly available code targeting known “common vulnerabilities and exposures” (CVEs) in their targets’ systems to gain access to servers. Their targets include critical infrastructure, government networks, healthcare, and technology firms.