The FBI has issued mitigation advice as Medusa ransomware attacks continue.
Getty Images
Updated, March 16, 2025: This story was updated with further comments from cybersecurity experts following another FBI cybersecurity warning, originally published on March 13, as well as an alert about an ongoing Medusa ransomware attack and the resulting emergency mitigation advice.
The Federal Bureau of Investigation has recently warned of the unusual ransomware attack threats arriving via the US Postal Service, of the highly sophisticated so-called Ghost attacks, and of the sophisticated threats to Gmail users that have never been more common. Having previously advised users to mitigate such attacks by using two-factor authentication, the FBI's newly released industry alert now brings that mitigation advice together in one place as attacks from the Medusa ransomware gang continue. The FBI is warning you to enable 2FA for webmail services such as Gmail and Outlook, as well as for VPNs, and to enable it now. This is what you need to know.
FBI and CISA issue a joint alert on the Medusa ransomware operation
Medusa, a ransomware-as-a-service operation first observed in June 2021 and regarded as highly dangerous, is known to have affected at least 300 victims across critical infrastructure sectors, and is known to employ social engineering and to exploit vulnerabilities in unpatched software during attacks. The FBI investigation, which began in February, gathered documentation of the tactics, techniques and procedures, indicators of compromise, and detection methods associated with the threat actors.
In collaboration with the US Cybersecurity and Infrastructure Security Agency, the FBI issued a joint cybersecurity advisory on March 12 covering the background to the attacks by the Medusa ransomware group. The full alert, AA25-071A, goes into considerable depth on Medusa's operational techniques, so it is important that all cyber defenders read it. For the purposes of this article, however, we will focus on the attack mitigation advice provided by the FBI.
Expert insight following the FBI warning about the Medusa ransomware campaign
Ransomware-as-a-service is alive and well. That's the takeaway from the FBI warning. "Medusa is the right name for this attack given its multifaceted and widespread impact on a variety of industries," said Tim Morris, Tanium's Chief Security Advisor. Medusa is "mature and effective in exploitation, persistence, lateral movement, and concealment," Morris continued. "This makes it important for organizations to properly manage their property, know where their assets are and ensure robust defence mechanisms."
"Ransomware operators like Medusa are focusing on gaining leverage to coerce organizations," said Jon Miller, CEO and co-founder of Halcyon, who explained that the group exploits security gaps to move laterally, escalate privileges, exfiltrate sensitive data, and eventually deploy payloads. "Once they enter the network," Miller continued, "Medusa adopts a sophisticated strategy to maximize impact." Specifically, the group executes Base64-encoded commands via PowerShell to avoid detection, and extracts credentials from memory using tools such as Mimikatz to facilitate further network compromise. "They also utilize legitimate remote access software," warned Miller, "to propagate across the network, including tools like AnyDesk, ConnectWise, PsExec and RDP." Medusa is designed to cause maximum operational disruption and can terminate over 200 Windows services and processes, including those related to security software, Miller continued.
Medusa's encryption process employs AES-256 to encrypt files, combined with RSA public-key encryption. "To prevent data recovery efforts, Medusa has implemented measures such as deleting volume shadow copies, disabling startup recovery options, and deleting local backups," added Miller. To combat threats such as Medusa, Miller advised that critical infrastructure organizations need to bolster their defenses so they can withstand ransomware attacks without relying on ransom payments or on backups alone. "To disrupt the ransomware industry's financial model, eliminating payment incentives is important," concluded Miller.
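The two behaviours described above, Base64-encoded PowerShell command lines and the deletion of shadow copies, startup recovery options and local backups, are both visible in process-creation telemetry if the defender decodes the argument before matching. The following script is an added example written for this article, not code from the FBI advisory or from any of the experts quoted: it runs simple detection logic over a handful of constructed log lines in an assumed "timestamp | user | command line" layout, decodes any -EncodedCommand payload (PowerShell expects Base64 over UTF-16LE), and tags lines that reference recovery inhibition. The rule patterns are assumptions for this example, not a copy of any vendor's rule set.

```python
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the spellings
# commonly seen in logs are -e, -ec, -enc and -encodedcommand.
ENCODED_ARG = re.compile(
    r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})"
)

# Recovery-inhibition rules covering the behaviours quoted in the article:
# shadow copy deletion, disabling startup recovery, deleting local backups.
# These patterns are assumptions for this example, not a vendor rule set.
RECOVERY_INHIBITION = {
    "shadow_copy_deletion": re.compile(
        r"(?i)\bvssadmin(?:\.exe)?\s+delete\s+shadows|\bshadowcopy\s+delete"
    ),
    "recovery_disabled": re.compile(r"(?i)\bbcdedit(?:\.exe)?\b.*recoveryenabled\s+no"),
    "backup_deletion": re.compile(r"(?i)\bwbadmin(?:\.exe)?\s+delete\s+catalog"),
}


def decode_encoded_powershell(cmdline):
    """Return the plaintext of an -EncodedCommand argument, or None when the
    command line has no such argument or the payload is not valid Base64/UTF-16LE."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyse_cmdline(cmdline):
    """Classify one process command line into a list of rule tags."""
    tags = []
    decoded = decode_encoded_powershell(cmdline)
    if decoded is not None:
        tags.append("encoded_powershell")
    # Match both the visible command line and the decoded payload, so that
    # Base64 encoding does not hide a destructive command from the rules.
    for text in (cmdline, decoded or ""):
        for tag, pattern in RECOVERY_INHIBITION.items():
            if pattern.search(text) and tag not in tags:
                tags.append(tag)
    return {"tags": tags, "decoded": decoded}


def parse_log_line(line):
    """Split a constructed 'timestamp | user | command line' record."""
    ts, user, cmd = (part.strip() for part in line.split("|", 2))
    return ts, user, cmd


def scan_log(lines):
    """Return one finding per line that matched at least one rule."""
    findings = []
    for line in lines:
        ts, user, cmd = parse_log_line(line)
        result = analyse_cmdline(cmd)
        if result["tags"]:
            findings.append({"time": ts, "user": user,
                             "tags": result["tags"], "decoded": result["decoded"]})
    return findings


def encode_for_powershell(script):
    """Encode text the way -EncodedCommand expects; used only to build the
    constructed sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (not real logs): two benign lines, one encoded
# but harmless command, one encoded shadow-copy deletion, one recovery change.
SAMPLE_LOG = [
    "2025-03-13T09:02:11Z | CORP\\alice   | powershell.exe -NoProfile -Command \"Get-Date\"",
    "2025-03-13T09:05:40Z | CORP\\build   | powershell.exe -enc "
    + encode_for_powershell("Get-ChildItem C:\\Builds"),
    "2025-03-13T09:07:03Z | CORP\\svc-bak | powershell.exe -NoP -W Hidden -EncodedCommand "
    + encode_for_powershell("vssadmin delete shadows /all /quiet"),
    "2025-03-13T09:07:05Z | CORP\\svc-bak | bcdedit.exe /set {default} recoveryenabled No",
    "2025-03-13T09:10:22Z | CORP\\alice   | C:\\Windows\\explorer.exe",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["time"], finding["user"], finding["tags"], finding["decoded"])
```

The second sample line shows why encoded PowerShell alone is a weak signal: build systems and management tooling use it legitimately, so the decoded content, not the encoding, is what separates the build account's directory listing from the backup service account's shadow-copy deletion. Pairing the rule with the account context (a service account issuing recovery changes) is what makes it worth an alert.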
Medusa mitigation: the FBI says enable 2FA for webmail and VPN now
As things stand, the FBI recommends:
- Require two-factor authentication for all services where possible, in particular for webmail such as Gmail and Outlook, for virtual private networks, and for accounts that access critical systems.
- Require long passwords for all accounts with password logins, and consider not requiring frequent, recurring password changes, as these can weaken security.
- Keep multiple copies of sensitive or proprietary data and servers in a physically separate, segmented and secure location.
- Keep all operating systems, software and firmware up to date, prioritizing known exploited vulnerabilities in internet-facing systems.
- Use network monitoring tools to identify, detect and investigate abnormal activity and potential traversal by the indicated ransomware.
- Monitor for unauthorized scanning and access attempts.
- Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems.
- Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
- Disable command-line and scripting activities and permissions.
- Disable unused ports.
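Two of the items above, filtering untrusted origins away from remote services on internal systems and disabling unused ports, can be checked mechanically against an inventory. The script below is an added example written for this article, not a tool from the FBI or CISA: it assumes a constructed inventory (host, listening ports, the ports the host's role actually needs, and firewall allow rules as source network and port pairs) and a constructed trust model in which only two management and VPN networks may reach remote services. It reports the weak rules and produces a corrected configuration that passes the same audit. The host names, networks and port lists are invented for the example.

```python
import ipaddress

# Remote services the mitigation is about: reachable only from trusted origins.
REMOTE_SERVICES = {22: "ssh", 445: "smb", 3389: "rdp", 5985: "winrm-http", 5986: "winrm-https"}

# Constructed trust model (assumption): a management subnet and the VPN pool.
TRUSTED_SOURCES = [ipaddress.ip_network("10.10.0.0/24"), ipaddress.ip_network("10.20.5.0/24")]

# Constructed inventory (assumption): per host, what listens, what the role
# needs, and the allow rules as (source network, port).
INVENTORY = [
    {"host": "fs01", "role": "file-server", "listening": [445, 3389, 8080],
     "required": [445, 3389],
     "allow": [("0.0.0.0/0", 445), ("10.10.0.0/24", 3389), ("0.0.0.0/0", 8080)]},
    {"host": "app02", "role": "web", "listening": [443, 3389, 5985],
     "required": [443, 3389],
     "allow": [("0.0.0.0/0", 443), ("10.10.0.0/24", 3389), ("10.10.0.0/24", 5985)]},
    {"host": "db03", "role": "database", "listening": [1433, 3389],
     "required": [1433, 3389],
     "allow": [("10.30.0.0/16", 1433), ("192.168.1.0/24", 3389)]},
]


def is_trusted(source_cidr):
    """True only if every address in source_cidr lies inside a trusted network."""
    net = ipaddress.ip_network(source_cidr, strict=False)
    return any(net.subnet_of(trusted) for trusted in TRUSTED_SOURCES)


def audit_host(entry):
    """Return (host, port, finding) tuples for one inventory entry."""
    findings = []
    listening = set(entry["listening"])
    required = set(entry["required"])
    # "Disable unused ports": anything listening that the role does not need.
    for port in sorted(listening - required):
        findings.append((entry["host"], port, "unused_port_open"))
    # "Filter network traffic ... from unknown or untrusted origins": a remote
    # service whose allow rule admits a source outside the trusted networks.
    for source, port in entry["allow"]:
        if port in REMOTE_SERVICES and port in listening and not is_trusted(source):
            findings.append((entry["host"], port, f"{REMOTE_SERVICES[port]}_exposed_to_{source}"))
    return findings


def audit_inventory(inventory):
    """Audit every host and flatten the findings into one list."""
    return [finding for entry in inventory for finding in audit_host(entry)]


def harden(entry):
    """Return a corrected copy of an entry: unused ports closed, and remote
    services reachable only from the trusted networks."""
    required = set(entry["required"])
    allow = []
    for source, port in entry["allow"]:
        if port not in required:
            continue  # the port is being closed, so its allow rule goes too
        if port in REMOTE_SERVICES and not is_trusted(source):
            allow.extend((str(trusted), port) for trusted in TRUSTED_SOURCES)
        else:
            allow.append((source, port))
    return {**entry, "listening": sorted(required), "allow": sorted(set(allow))}


if __name__ == "__main__":
    for host, port, finding in audit_inventory(INVENTORY):
        print(f"{host}:{port} {finding}")
    hardened = [harden(entry) for entry in INVENTORY]
    print("findings after hardening:", audit_inventory(hardened))
```

The audit deliberately treats a rule like "0.0.0.0/0 to 445" as a finding even when the host is a file server that needs SMB: the port is required, but the origin is not trusted, and the mitigation is about the origin. The same split shows in the hardening step, which closes ports the role does not need but only narrows the source for ports it does.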
Meanwhile, Dan Lattimer, Associate Vice President at Semperis, reminded us that the FBI advisory should serve as another reminder that Medusa ransomware is extremely persistent and can affect hundreds, if not thousands, of organizations. "Defenders are fully aware of the existence of Medusa," Lattimer said, "and recommendations for mitigation, including software patch deployment, network segmentation, and blocking access to services from unknown or untrusted sources, will help organizations improve operational resilience." Adopting an assume-breach posture may sound like a worn record by now, but he argued that businesses operating under the assumption that their systems have already been compromised should not be overlooked, as they shift their focus from preventing the breach to rapid recovery. "And, most of the time, identity systems, namely Active Directory, are the target of 90% of ransomware attacks," Lattimer continued. Active Directory controls authentication and authorization for applications and data, effectively holding the keys to the kingdom. "If an attacker gains access to Active Directory," Lattimer warned, "they have control over all the resources within your organization."
The FBI warning does not go down well with everyone
Not everyone is satisfied with the advice given by the FBI and CISA regarding the threat from the Medusa ransomware group. Roger Grimes, data-driven defense evangelist at KnowBe4, said the warning continues the long tradition of warning people about ransomware spreading via social engineering. Grimes said that in KnowBe4's experience, social engineering is involved in 70% to 90% of all successful hacking attacks. However, despite the official warning stating that social engineering is one of the main ways the ransomware threat is distributed, none of the 15 recommended mitigations mention awareness. "It's like learning that criminals are constantly breaking into your home through the windows and then recommending more locks for the door," Grimes said. Warning that such a continued disconnect between how threat actors most frequently deliver malware and how people are told to protect themselves allows hackers to keep succeeding, Grimes concluded that "the hackers must be laughing."
Don't pay the ransom, say the FBI and others
The FBI has previously warned that ransomware victims should not pay ransom demands. Lattimer told me that a recent ransomware analysis from Semperis revealed that most ransomware attacks are not one-off events. "In the last 12 months, 75% of organizations have been attacked multiple times," Lattimer said. "There is no advice to pay ransoms other than in life-and-death circumstances, or if the company believes there is no other option," Lattimer said. Paying the ransom does not guarantee a return to normal business operations, and according to an internal analysis of the data, 35% of victims who paid the ransom either did not receive their decryption key or received a corrupted key.
FBI Denverfield Office warns about more ransomware threats
The FBI Denver Field Office has warned all users about a newly discovered scam campaign in which free online document converter tools actually lead to ransomware attacks. "The best way to stop these con artists is to educate people, so that they don't fall victim to these con artists in the first place." So be careful with websites that offer free conversion of one file type to another, especially .doc files to .pdf files. These tools often do what they claim, but the resulting files can contain hidden malware. The best advice here is to use only tools from reputable sites and services.