Advisory Issued for Medusa Ransomware

By Staff

The Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has released a joint Cybersecurity Advisory, #StopRansomware: Medusa Ransomware. The advisory provides tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and detection methods associated with known Medusa ransomware activity.

Medusa is a ransomware-as-a-service variant first identified in June 2021 and has been used to conduct ransomware attacks since. As of December 2024, over 300 victims from critical infrastructure sectors have been impacted, including the medical, education, legal, insurance, technology and manufacturing sectors. Medusa actors use common techniques such as phishing campaigns and exploiting unpatched software vulnerabilities. Per the FBI's investigation, the Medusa ransomware variant is unrelated to both the MedusaLocker variant and the Medusa mobile malware variant.

According to CISA, immediate actions organizations can take to mitigate Medusa ransomware activity include: 

  • Ensure operating systems, software, and firmware are patched and up to date.
  • Segment networks to restrict lateral movement.
  • Filter network traffic by preventing unknown or untrusted origins from accessing remote services.

Medusa originally operated as a closed ransomware variant, meaning all development and associated operations were controlled by the same group of cyber threat actors. While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers. Both Medusa developers and affiliates employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid.

Medusa developers typically recruit initial access brokers (IABs) in cybercriminal forums and marketplaces to obtain initial access to potential victims. Potential payments between $100 and $1 million are offered to these affiliates, along with the opportunity to work exclusively for Medusa. Medusa IABs (affiliates) are known to use common techniques, such as phishing campaigns and exploiting unpatched software vulnerabilities. Medusa actors also use living off the land (LOTL) techniques and the legitimate tools Advanced IP Scanner and SoftPerfect Network Scanner for initial user, system and network enumeration.
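As an added example that is not part of the advisory or of this article, the following detection pass flags process-creation events for the two enumeration tools named above; it also matches on the binary's product string so that a renamed copy still triggers. The executable names, the product strings and the log format are assumptions, and the log lines are constructed samples.

```python
# Assumed default binary names and product strings for the two tools (not from
# the advisory). Matching on the Product field as well as the image name catches
# copies that were renamed to slip past a name-only rule.
RECON_TOOLS = {
    "Advanced IP Scanner": {"images": {"advanced_ip_scanner.exe"},
                            "products": {"advanced ip scanner"}},
    "SoftPerfect Network Scanner": {"images": {"netscan.exe"},
                                    "products": {"softperfect network scanner"}},
}

# Constructed sample log: simplified Sysmon Event ID 1 (process creation)
# records, one per line, key=value fields separated by '|'.
SAMPLE_LOG = """\
host=WS-017|user=CORP\\jdoe|Image=C:\\Tools\\advanced_ip_scanner.exe|Product=Advanced IP Scanner
host=WS-017|user=CORP\\jdoe|Image=C:\\Windows\\System32\\notepad.exe|Product=Microsoft Windows
host=SRV-DB1|user=CORP\\svc_backup|Image=C:\\Users\\Public\\update.exe|Product=SoftPerfect Network Scanner
host=WS-042|user=CORP\\asmith|Image=C:\\Program Files\\netscan\\netscan.exe|Product=
"""

def parse_line(line):
    """Split one 'k=v|k=v' record into a dict (split on the first '=' only)."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def classify(event):
    """Return (tool, reason) if the event is one of the scanners, else None."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    product = event.get("Product", "").lower()
    for tool, sig in RECON_TOOLS.items():
        if image in sig["images"]:
            return tool, "image name"
        if product in sig["products"]:
            return tool, "renamed binary, matched on product field"
    return None

def detect_recon_tools(log_text):
    """Run classify() over every record; return one finding dict per hit, in log order."""
    findings = []
    for line in filter(str.strip, log_text.splitlines()):
        event = parse_line(line)
        hit = classify(event)
        if hit:
            findings.append({"host": event["host"], "user": event["user"],
                             "tool": hit[0], "image": event["Image"], "reason": hit[1]})
    return findings

if __name__ == "__main__":
    for f in detect_recon_tools(SAMPLE_LOG):
        print(f"{f['host']} {f['user']}: {f['tool']} via {f['image']} ({f['reason']})")
```

The renamed-binary hit on SRV-DB1 is the case a name-only rule misses; in a real pipeline the Product field comes from the image's version resource, which Sysmon records in the same event.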

Roger Grimes, a defense evangelist at cybersecurity solutions provider KnowBe4, offered the following comments in response to the advisory: “This continues CISA’s long tradition of warning people about ransomware that spreads using social engineering that then does not suggest security awareness training as a primary way to defeat it. I’ll never understand it.

“Social engineering is involved in 70 percent – 90 percent of all successful hacking attacks. CISA notes that one of the two main ways this ransomware variant spreads is through social engineering, and then in its three top-level recommendations and 15 recommended mitigations, it does not recommend end-user education to prevent them from being tricked into revealing logon credentials or executing the malware.

“It’s like learning that criminals are breaking into your house all the time through the windows and then recommending more locks for the doors. It does a huge disservice. It is this continued misalignment between the ways we are most often attacked by hackers and their malware programs and how we are told to defend ourselves that allows hackers to be so long-term successful.”
