US authorities are sounding the alarm about a wave of cyberattacks carried out with Medusa, a formidable ransomware. In a joint advisory, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) state that Medusa had hit "more than 300 victims from various critical infrastructure sectors" as of last month. Targeted sectors include medicine, education, law, insurance, technology, and construction.
A wave of attacks by Medusa
Active since January 2021, the Medusa gang makes its money from ransomware of the same name, sold as a service to other cybercriminals. For a fee, affiliates can use the malware to carry out attacks and extort money from companies. Medusa's developers nonetheless keep control of the ransom negotiations with victims. Since its emergence, the group has claimed hundreds of victims worldwide, including Toyota Financial Services, a subsidiary of Toyota.
Through its affiliates, who act as little more than brokers, the gang has stepped up its attacks in recent years. Symantec researchers report a 42% increase in Medusa attacks between 2023 and 2024, and note that the rise "continues to intensify, with almost twice as many Medusa-related attacks observed in January and February 2025 as in the first two months of 2024."
Double extortion and manipulation
To gain a foothold, Medusa's operators exploit unpatched vulnerabilities and rely on social engineering, chiefly phishing: the target is tricked into installing malware or handing over login details. Once inside the network, the attackers set about exfiltrating sensitive data, and credentials such as passwords are among their first targets.
Like most ransomware gangs, Medusa practices double extortion. The attackers do not simply encrypt data and disappear: they first steal the files and threaten to publish them online to increase the pressure on the victim. At the same time, Medusa does everything it can to disrupt the victim's operations. The ransomware is capable of shutting down more than 200 Windows services and processes, simply to gain an advantage in negotiations with the company, Jon Miller, CEO and co-founder of Halcyon, told Forbes.
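A burst of service terminations of the kind described above is a recognisable precursor to encryption, and it is something a defender can look for in the Windows System log before the ransom note appears. The following detector is an added example written for this article; it is not code from CISA, the FBI, Halcyon or the Medusa operators. It works over a constructed, simplified rendering of Service Control Manager records (event 7036, "service entered the stopped state"), and the ten-second window, the threshold of five distinct services and the list of "defensive" name hints are all assumptions chosen for illustration.

```python
"""Flag bursts of Windows service stops that look like a pre-encryption
mass kill. Added example: log format, thresholds and sample data are
constructed for illustration, not taken from real telemetry."""
import re
from collections import deque
from datetime import datetime

# Constructed sample in a simplified "timestamp EventID service state" form
# modelled on System log event 7036. Two routine stops in the small hours,
# then a cluster of security, backup and database services dying at once.
SAMPLE_LOG = """\
2025-03-10T02:14:01 7036 Print Spooler stopped
2025-03-10T02:14:03 7036 Windows Update stopped
2025-03-10T03:40:00 7036 Windows Defender Antivirus Service stopped
2025-03-10T03:40:00 7036 Volume Shadow Copy stopped
2025-03-10T03:40:01 7036 Microsoft Exchange Information Store stopped
2025-03-10T03:40:01 7036 SQL Server (MSSQLSERVER) stopped
2025-03-10T03:40:01 7036 Veeam Backup Service stopped
2025-03-10T03:40:02 7036 Windows Backup stopped
2025-03-10T03:40:02 7045 PsExec service installed
2025-03-10T03:40:02 7036 Security Center stopped
2025-03-10T03:40:03 7036 Windows Event Log stopped
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (.+?) (stopped|started|installed)$")

# Assumed substrings marking services whose loss blinds or disarms defenders.
DEFENSIVE_HINTS = ("defender", "antivirus", "backup", "shadow", "security", "event log")


def parse_stops(text):
    """Return [(timestamp, service_name)] for every 7036 'stopped' record."""
    stops = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, event_id, name, state = m.groups()
        if event_id == "7036" and state == "stopped":
            stops.append((datetime.fromisoformat(ts), name))
    return stops


def find_stop_bursts(stops, window_seconds=10, threshold=5):
    """Sliding window over chronologically ordered stops.

    One alert is raised the moment `threshold` distinct services have
    stopped within `window_seconds`; the window is then cleared so a single
    mass kill yields one alert rather than one per service.
    """
    alerts = []
    window = deque()
    for ts, name in sorted(stops):
        window.append((ts, name))
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        names = sorted({n for _, n in window})
        if len(names) >= threshold:
            alerts.append({
                "start": window[0][0].isoformat(),
                "end": ts.isoformat(),
                "count": len(names),
                "defensive": [n for n in names
                              if any(h in n.lower() for h in DEFENSIVE_HINTS)],
            })
            window.clear()
    return alerts


def analyse(text, **kwargs):
    """Parse a log excerpt and return the detected bursts."""
    return find_stop_bursts(parse_stops(text), **kwargs)


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On the constructed sample the two routine stops at 02:14 never reach the threshold, while the 03:40 cluster produces a single alert listing the three defensive services caught in it; the unrelated 7045 service-install record is parsed but ignored. On a real estate the threshold would need tuning against normal patch-window behaviour, and the hint list would be replaced by the organisation's own inventory of security and backup services.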
FBI warns Outlook and Gmail users
Against this backdrop, the FBI recommends that all organizations take action. The agency notes that webmail services such as Microsoft Outlook and Gmail are frequent entry points in Medusa attacks, as are VPNs, which remain a favoured gateway for ransomware operators.
The FBI advises everyone to enable multifactor authentication without delay, above all on webmail and VPN accounts; this extra step makes a stolen password far less useful to criminals. It is also essential to keep all installed software up to date, since timely patching closes the unpatched vulnerabilities Medusa's affiliates rely on for initial access. Unsurprisingly, the FBI also urges users to choose long, complex passwords that are hard to guess.
For Roger Grimes, an expert at KnowBe4, the FBI's recommendations do not go far enough. According to him, the "primary means of defeating" hackers remains "security awareness training". Users must be taught to recognise all the traps; without proper training, they risk falling for cybercriminals' social engineering tactics. These tactics, aimed at tricking the target into installing malware or opening a booby-trapped file, are present in 70% to 90% of attacks. In these circumstances, the FBI's warning amounts to recommending "more locks on doors" when "criminals are breaking into your home through windows all the time," says Roger Grimes.
Source: CISA