The FBI issues mitigation advice as Medusa ransomware attacks continue.
Update, March 16, 2025: This story, originally published March 13, has been updated with another FBI cybersecurity warning as well as further expert comment from cybersecurity professionals following the alert regarding ongoing Medusa ransomware attacks and the urgent mitigation advice issued as a result.
The Federal Bureau of Investigation has recently warned of weird ransomware attack threats delivered by the United States Postal Service, yes really, alongside a dangerous ransomware campaign from so-called Ghost attackers, and some of the most sophisticated threats against Gmail users ever. Having previously also advised users to use two-factor authentication to mitigate such attacks, a newly published FBI industry alert has rolled the mitigation advice into one as ongoing attacks by the Medusa ransomware gang continue. Enable 2FA for webmail services such as Gmail and Outlook, as well as for VPNs, the FBI has warned. And enable it now. Here’s what you need to know.
FBI And CISA Issue Medusa Ransomware Industry Joint Alert
Medusa, a ransomware-as-a-service operation first observed in June 2021 and known to have impacted at least 300 victims across critical infrastructure sectors, relies on both social engineering and the exploitation of unpatched software vulnerabilities to get into its targets. FBI investigations conducted as recently as February 2025 have allowed the agencies to assemble a dossier of the tactics, techniques, and procedures, indicators of compromise, and detection methods associated with the threat actors.
In partnership with the U.S. Cybersecurity and Infrastructure Security Agency, the FBI has issued a joint March 12 cybersecurity advisory against the backdrop of attacks by the Medusa ransomware group. The full advisory, AA25-071A, goes into great depth regarding the technicalities of the Medusa operation, and it should be read in full by anyone responsible for defending a network. For the purposes of this article, however, I am going to focus on the attack mitigation advice it offers.
Expert Insights Following FBI Warning About Medusa Ransomware Campaigns
Ransomware-as-a-service is alive and well. That’s the takeaway from the FBI warning. “Medusa is an apt name for this attack, considering its multi-faceted and far-reaching impacts on various industries,” Tim Morris, chief security advisor at Tanium, said. Medusa is mature and effective at exploitation, persistence, lateral movement, and concealment, Morris continued, which makes it “crucial for organizations to manage their estates properly, know where their assets are, and ensure they have robust defense-in-depth mechanisms in place.”
“Ransomware operators like Medusa focus on gaining leverage to extort organizations,” Jon Miller, CEO and co-founder of Halcyon, said, “making critical infrastructure entities prime targets due to their heightened motivation to maintain uninterrupted services.” These groups, Miller explained, exploit security gaps, leveraging vulnerabilities to move laterally, escalate privileges, exfiltrate sensitive data and ultimately deploy their payloads. “Once inside a network,” Miller continued, “Medusa employs sophisticated strategies to maximize impact.” Specifically, the group executes base64-encoded commands via PowerShell to avoid detection and uses tools like Mimikatz to extract credentials from memory, facilitating further network compromise. “They also leverage legitimate remote access software,” Miller warned, “including AnyDesk and ConnectWise, as well as tools like PsExec and RDP, to propagate across the network.” Designed to inflict maximum operational disruption, Medusa can terminate over 200 Windows services and processes, including those related to security software, Miller continued.
Medusa’s encryption process employs AES-256 encryption, combined with RSA public key cryptography, to securely encrypt files, Miller said. “To hinder data restoration efforts, Medusa implements measures such as deleting Volume Shadow Copies, disabling startup recovery options, and removing local backups,” Miller added. In order to counter threats such as Medusa, Miller advised, critical infrastructure organizations have to bolster their defenses to withstand ransomware attacks without resorting to ransom payments or solely relying on backups. “Eliminating the incentive to pay is crucial in disrupting the ransomware industry’s financial model,” Miller concluded.
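The behaviours Miller describes in the two paragraphs above show up directly in process-creation telemetry (Sysmon Event ID 1 or Windows Security event 4688 command lines). The PowerShell below is an added example, not code from the advisory, from Halcyon or from any of the experts quoted: it decodes the payload that PowerShell’s `-EncodedCommand` switch hides (base64 over a UTF-16LE string) and then runs a handful of pattern rules for shadow-copy deletion and startup-recovery tampering over a few command lines constructed for this illustration. The sample lines, the rule set and the function names are this example’s own and are not indicators published by the FBI or CISA.

```powershell
# Added example: decode -EncodedCommand payloads and flag recovery-tampering commands.
# The sample command lines further down are constructed for this illustration, not real telemetry.

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    # -EncodedCommand (short forms -enc, -ec, -e) carries base64 of a UTF-16LE string.
    # Decode it so the rules below see the real command instead of an opaque blob.
    $m = [regex]::Match($CommandLine, '(?i)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})')
    if (-not $m.Success) { return $null }
    try {
        $bytes = [Convert]::FromBase64String($m.Groups[1].Value)
        return [Text.Encoding]::Unicode.GetString($bytes)
    } catch { return $null }
}

# Hypothetical rule set for this example: the backup-destruction steps described above.
$Rules = @(
    @{ Name = 'Shadow copies deleted (vssadmin)';       Pattern = '(?i)vssadmin(\.exe)?\s+delete\s+shadows' }
    @{ Name = 'Shadow copies deleted (wmic)';           Pattern = '(?i)wmic(\.exe)?\s+shadowcopy\s+delete' }
    @{ Name = 'Shadow copies deleted (PowerShell/WMI)'; Pattern = '(?i)Win32_ShadowCopy.*(Remove-CimInstance|Remove-WmiObject|\.Delete\(\))' }
    @{ Name = 'Startup recovery disabled (bcdedit)';    Pattern = '(?i)bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)' }
    @{ Name = 'Backup catalog deleted (wbadmin)';       Pattern = '(?i)wbadmin(\.exe)?\s+delete\s+catalog' }
)

function Test-CommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    $findings = @()
    $decoded  = ConvertFrom-EncodedCommand $CommandLine
    if ($decoded) { $findings += 'Base64-encoded PowerShell command' }
    # Apply every rule to the raw line and, when present, to the decoded payload as well.
    $texts = @($CommandLine, $decoded) | Where-Object { $_ }
    foreach ($text in $texts) {
        foreach ($r in $Rules) {
            if ($text -match $r.Pattern -and $findings -notcontains $r.Name) { $findings += $r.Name }
        }
    }
    [pscustomobject]@{ CommandLine = $CommandLine; Decoded = $decoded; Findings = $findings }
}

# Constructed samples. The encoded one is built here the same way a launcher would build it,
# so the example stays self-contained and the base64 is guaranteed to decode.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(
    'Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }'))
$Samples = @(
    "powershell.exe -NoProfile -w hidden -enc $encoded",
    'cmd.exe /c vssadmin.exe delete shadows /all /quiet',
    'bcdedit.exe /set {default} recoveryenabled no',
    'C:\Windows\System32\svchost.exe -k netsvcs -p'   # benign control line, no findings expected
)

$Samples | ForEach-Object { Test-CommandLine $_ } | Format-List
```

The first sample is the interesting one: on the raw command line nothing matches, and it is only after decoding that the shadow-copy deletion rule fires, which is exactly why a detection that inspects encoded PowerShell without decoding it misses this stage of the attack. In production the same two functions would be fed from your EDR or SIEM export rather than the constructed array.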
Mitigating Medusa—FBI Says Enable 2FA For Webmail And VPNs Now
When it comes to the immediate, as in right now, actions that all organizations should be taking in order to mitigate the Medusa ransomware attack campaigns, the FBI has recommended the following:
- Require two-factor authentication for all services where possible, but in particular for webmail such as Gmail, Outlook and others, along with virtual private networks and any accounts that can access critical systems.
- Require all accounts with password logins to use long passwords and consider not requiring frequently recurring password changes, as these can weaken security.
- Retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location.
- Keep all operating systems, software, and firmware up to date. Prioritize patching known exploited vulnerabilities in internet-facing systems.
- Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a network monitoring tool.
- Monitor for unauthorized scanning and access attempts.
- Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems.
- Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
- Disable command-line and scripting activities and permissions.
- Disable unused ports.

Despite FBI And CISA Advice, The Hackers Must Be Laughing
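Several items in the list above (administrative-account audit, unused ports, scripting restrictions, and the shadow copies and startup recovery that Medusa removes) can be spot-checked on an individual Windows host. The PowerShell below is an added example, not code from the FBI or CISA advisory: a read-only audit that reports local administrators, listening TCP ports with their owning processes (so an unexpected remote-access tool stands out), whether shadow copies and startup recovery are still intact, and the PowerShell language mode and script block logging state. It assumes Windows 10 / Server 2016 or later with the built-in LocalAccounts and NetTCPIP modules, run from an elevated session; the function names are this example’s own and it changes nothing on the host.

```powershell
# Added example: read-only spot check of one host against several of the listed mitigations.
# Run elevated; bcdedit and Win32_ShadowCopy are not readable from a standard user session.

function Get-AdminAccountAudit {
    # Mitigation: audit accounts with administrative privileges (least privilege).
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

function Get-ListeningPortAudit {
    # Mitigation: disable unused ports. Map each listening TCP socket to its owning
    # process so anything unexpected (e.g. a remote-access tool) can be reviewed.
    Get-NetTCPConnection -State Listen |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Process      = $name
                ProcessId    = $_.OwningProcess
            }
        } | Sort-Object LocalPort
}

function Get-RecoveryStateAudit {
    # Medusa deletes shadow copies and disables startup recovery; confirm both are still
    # in place so tampering is noticed before encryption rather than after it.
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    $bcd     = (& bcdedit.exe /enum '{current}' 2>$null) -join "`n"
    [pscustomobject]@{
        ShadowCopyCount  = $shadows.Count
        BcdReadable      = [bool]$bcd   # False means bcdedit could not be read (not elevated)
        RecoveryEnabled  = -not ($bcd -match '(?im)^\s*recoveryenabled\s+No\s*$')
        BootStatusPolicy = if ($bcd -match '(?im)^\s*bootstatuspolicy\s+(\S+)') { $Matches[1] } else { 'default' }
    }
}

function Get-ScriptingControlAudit {
    # Mitigation: restrict command-line and scripting. Report the PowerShell language mode
    # of this session and whether script block logging is enforced by policy.
    $logKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $logging = (Get-ItemProperty -Path $logKey -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    [pscustomobject]@{
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode
        ScriptBlockLogging = ($logging -eq 1)
    }
}

'== Local administrators ==';  Get-AdminAccountAudit     | Format-Table -AutoSize
'== Listening TCP ports ==';   Get-ListeningPortAudit    | Format-Table -AutoSize
'== Recovery state ==';        Get-RecoveryStateAudit    | Format-List
'== Scripting controls ==';    Get-ScriptingControlAudit | Format-List
```

Treat the output as a baseline to diff against, not a verdict: a listening port for AnyDesk or ConnectWise is fine on a host where the help desk installed it and a finding everywhere else, and a `FullLanguage` session with script block logging off is the configuration the encoded-PowerShell tradecraft described earlier relies on.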
Meanwhile, Dan Lattimer, an associate vice president at Semperis, said the FBI advisory should serve as another reminder that Medusa ransomware is highly persistent and has the potential to impact hundreds, if not thousands, of organizations. “Defenders have their hands full tackling the presence of Medusa,” Lattimer said, but “the mitigation recommendations that include deploying software patches, network segmentation and blocking access to services from unknown or untrusted sources will help organisations improve their operational resilience.” Adopting an assumed-breach posture might sound like a worn-out record by now, but it should not be overlooked, Lattimer argued: companies operating under the assumption that their systems have been or will be compromised shift their focus from preventing breaches to detecting, responding and recovering quickly. “Also, identity systems, most often Active Directory, are targeted in 90 percent of ransomware attacks,” Lattimer continued. Active Directory controls authentication and authorisation to applications and data, effectively holding the keys to the kingdom. “If attackers gain access to Active Directory,” Lattimer warned, “they can control any resources within an organisation.”
FBI Warning Does Not Go Far Enough
Not everyone is happy with the advice that has been given by the FBI and CISA with regard to the Medusa ransomware group threat. Take Roger Grimes, a data-driven defence evangelist at KnowBe4, who said that it continues a long tradition of “warning people about ransomware that spreads using social engineering, that then does not suggest security awareness training as a primary way to defeat it.” Grimes said that, in the experience of KnowBe4, social engineering is involved in 70% – 90% of all successful hacking attacks. Yet, despite the official alert noting that social engineering is one of the primary methods of distributing the ransomware threats, awareness isn’t mentioned in the 15 recommended mitigations. “It’s like learning that criminals are breaking into your house all the time through the windows and then recommending more locks for the doors,” Grimes said. Warning that such a continued misalignment between the ways we are most often attacked by threat actors and their malware programs and how we are told to defend ourselves enables hackers to continue to be successful, Grimes concluded that “the hackers must be laughing.”
Don’t Pay The Ransom, FBI And Others Warn
The FBI has previously warned that victims of ransomware should not pay the ransom demanded. Lattimer told me that a recent ransomware analysis from Semperis revealed that most ransomware attacks are not a one-time thing. “75% of organizations were attacked multiple times in the past 12 months,” Lattimer said, with more than 70% of organizations paying multiple ransoms as a result. “Paying ransoms is not advised other than in life and death situations or when a company believes it does not have another option,” Lattimer said. Paying ransoms does not guarantee a return to normal business operations, and 35% of victims who paid a ransom, according to the in-house analysis of data, either did not receive decryption keys or received corrupted keys.
FBI Denver Field Office Warns Of More Ransomware Threats
The FBI Denver Field Office has issued a warning to all users about a newly discovered scam campaign in which free online document converter tools end up leading to ransomware attacks. “The best way to thwart these fraudsters is to educate people so they don’t fall victim to these fraudsters in the first place,” FBI Denver special agent in charge, Mark Michalek, said. In that interest, then, here’s what you should look out for: any website offering free conversion of one file type to another, in particular .doc files to .pdf files. While these tools will often do what they say, the file that results can contain hidden malware. The best advice here is to use only tools from reputable sites and services.