Multiple U.S. federal agencies have issued a joint advisory warning about Medusa, a ransomware-as-a-service (RaaS) cyber threat that was first identified in June 2021.
RaaS is a business model in which ransomware tools are sold by developers to third parties who then launch attacks on targets.
Industries targeted by Medusa include technology, medical, insurance, manufacturing, legal, and education.
The advisory said Medusa actors—developers and affiliates who use the service—deploy a “double extortion model, where victims must pay to decrypt files and prevent further release” of the stolen data.
“The ransom note demands victims make contact within 48 hours via either a Tor browser-based live chat or via Tox, an end-to-end encrypted instant-messaging platform.”
“If the victim does not respond to the ransom note, Medusa actors will reach out to them directly by phone or email,” the agencies said.
The joint advisory was issued by CISA, the FBI, and the Multi-State Information Sharing and Analysis Center to disseminate known tactics, procedures, and other useful information related to Medusa.
Medusa runs a data leak website that lists its victims, shows a countdown of the time they have left to pay the ransom, and provides links to cryptocurrency wallets.
While the countdown is ongoing, Medusa also advertises the stolen data for sale to anyone who wishes to purchase it. To extend the countdown by a single day, victims typically have to pay $10,000 in cryptocurrencies.
“FBI investigations identified that after paying the ransom, one victim was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom amount already paid.” This actor then “requested half of the payment be made again to provide the ‘true decryptor’—potentially indicating a triple extortion scheme,” said the advisory.
To safeguard themselves from Medusa, organizations should mitigate known vulnerabilities in their systems, the agencies advised. This includes patching firmware, software, and operating systems.
All accounts in the network that use password logins should be required to comply with National Institute of Standards and Technology (NIST) password standards.
“In particular, require employees to use long passwords and consider not requiring frequently recurring password changes, as these can weaken security,” the agencies advised.
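The password guidance above (long passwords, no forced periodic changes) follows the NIST SP 800-63B approach. The following is an added example, not code from the advisory or from any vendor, showing what such a policy check looks like in practice: a length floor and ceiling, a breached-password blocklist, context-specific word screening, no composition rules, and a change policy that rotates only on evidence of compromise. The thresholds, the tiny blocklist, and the `legacy` 90-day setting are assumptions constructed for illustration.

```python
"""NIST SP 800-63B-style password policy check.

Added example, not part of the advisory. MIN_LENGTH, MAX_LENGTH, the
blocklist, and the legacy 90-day rotation value are constructed assumptions.
"""
import unicodedata

MIN_LENGTH = 15   # assumed: NIST requires at least 8, recommends 15 for user-chosen passwords
MAX_LENGTH = 64   # assumed: NIST says verifiers must accept at least 64 characters

# Constructed stand-in for a breached/common-password list; a real deployment
# would use a large list such as a Have I Been Pwned-style corpus.
BLOCKLIST = {
    "password",
    "123456789012345",
    "welcome123welcome",
    "qwertyuiopasdfg",
}


def normalize(password: str) -> str:
    """Apply NFKC normalization so visually identical Unicode strings compare equal."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, context_words=()) -> list[str]:
    """Return the list of reasons a password is rejected; an empty list means accepted.

    Deliberately has no composition rules (no 'must contain a digit or symbol'),
    in line with the advice to favour length over complexity.
    """
    pw = normalize(password)
    lowered = pw.lower()
    reasons = []

    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")

    # Screen against known-compromised or common passwords (case-insensitive).
    if lowered in BLOCKLIST:
        reasons.append("found in breached/common-password blocklist")

    # Screen against context-specific words such as the company or product name.
    for word in context_words:
        if word and word.lower() in lowered:
            reasons.append(f"contains context-specific word '{word}'")

    # Reject trivially repetitive strings like 'aaaaaaaaaaaaaaaa'.
    if pw and len(set(pw)) == 1:
        reasons.append("single repeated character")

    return reasons


def change_required(age_days: int, compromised: bool, policy: str = "nist") -> bool:
    """Decide whether a user must change their password.

    policy="legacy" models the weak setting the advisory warns against:
    forced rotation every 90 days (assumed value). policy="nist" rotates
    only when there is evidence of compromise, regardless of age.
    """
    if policy == "legacy":
        return compromised or age_days >= 90
    return compromised


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "short", "AcmeCorpWelcome2024!"]:
        print(repr(candidate), "->", check_password(candidate, context_words=("acme",)) or "accepted")
    print("legacy, 100 days, not compromised:", change_required(100, False, "legacy"))
    print("nist,   100 days, not compromised:", change_required(100, False))
```

`check_password` returns all applicable reasons rather than stopping at the first, which makes it easier to give users a complete explanation and to log why a policy rejected a value; `change_required` makes the contrast between age-based and compromise-based rotation explicit in one place.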
Most of the group’s victims are from the United States, Canada, France, the United Kingdom, Australia, and Italy.
There is no proof of Medusa being an offshoot or a rebrand of a previous group. Medusa appears to run independently, operating with its own infrastructure, Barracuda said.
Threat actors use publicly available exploit code for known, publicly documented vulnerabilities (“common vulnerabilities and exposures,” or CVEs) in targets’ systems to gain access to their servers. Their targets include critical infrastructure, government networks, health care, and technology companies.