FBI, CISA Issue Warning About Medusa Ransomware Scheme


The Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint advisory about a potentially costly Medusa ransomware scheme. The warning should be of particular concern to Gmail, Outlook and VPN users, since the advisory singles out webmail and VPN accounts as the ones most in need of multi-factor authentication.

In their warning, the FBI and CISA reported that a ransomware-as-a-service operation called Medusa has recently affected more than 300 victims across industries, including the medical, education, legal, insurance, technology and manufacturing sectors. Medusa uses a double extortion model, the Associated Press reported: the attackers steal a copy of the victim’s data before encrypting it, then threaten to publicly release the stolen data if a ransom is not paid, so restoring from backup alone does not end the extortion.

“Ransom demands are posted on the site, with direct hyperlinks to Medusa affiliated cryptocurrency wallets,” the advisory said. “At this stage, Medusa concurrently advertises sale of the data to interested parties before the countdown timer ends. Victims can additionally pay $10,000 USD in cryptocurrency to add a day to the countdown timer.”

Forbes reports that the FBI also issued a warning about “ransomware attack threats delivered by the United States Postal Service,” alongside “a dangerous ransomware campaign from so-called Ghost attackers, and some of the most sophisticated threats against Gmail users ever.”

To reduce the risk of a Medusa ransomware infection, the advisory lists the following mitigations.

1. Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location.

2. Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s standards. In particular, require employees to use long passwords and consider not requiring frequently recurring password changes, as these can weaken security.

3. Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.

4. Keep all operating systems, software, and firmware up to date.

5. Segment networks to prevent the spread of ransomware.

6. Identify, detect, and investigate abnormal activity and potential lateral movement of the ransomware with a network monitoring tool.

7. Require VPNs or Jump Hosts for remote access.

8. Monitor for unauthorized scanning and access attempts.

9. Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems.

10. Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.

11. Review domain controllers, servers, workstations, and Active Directory for new and/or unrecognized accounts.

12. Disable command-line and scripting activities and permissions for users who do not need them; privilege escalation and lateral movement often depend on utilities run from the command line.

13. Disable unused ports.

14. Maintain offline backups of data, and regularly test backup and restoration.

15. Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
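Items 6, 8, 10 and 11 above are about looking at logs for the things a Medusa intrusion produces: bursts of failed logons from one source, a success that follows such a burst, new accounts, and accounts added to privileged groups. The script below is an added illustration of that detection logic, not code from the advisory or from any of the agencies. It runs over a constructed sample of Windows Security events using the standard event IDs (4625 failed logon, 4624 successful logon, 4720 user account created, 4728 and 4732 member added to a security-enabled global or local group); the field names, hostnames, IP addresses and usernames are assumptions made up for the example, and the threshold and window are tunable.

```python
"""Toy detector for the log review the advisory recommends (added example).

Events are plain dicts so the script runs offline; in practice they would come
from a SIEM export or from parsing the Security event log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Groups whose membership changes should always be reviewed (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}

# Constructed sample events, not real log data.  The first six 4625s are a
# password spray from one source; the 4624 is the success that followed it;
# the 4720/4728 pair is the attacker creating a backdoor domain admin.
SAMPLE_EVENTS = [
    {"time": "2025-03-12T02:14:05", "id": 4625, "user": "jdoe", "src": "198.51.100.7", "host": "DC01"},
    {"time": "2025-03-12T02:14:09", "id": 4625, "user": "asmith", "src": "198.51.100.7", "host": "DC01"},
    {"time": "2025-03-12T02:14:13", "id": 4625, "user": "bwong", "src": "198.51.100.7", "host": "DC01"},
    {"time": "2025-03-12T02:14:17", "id": 4625, "user": "administrator", "src": "198.51.100.7", "host": "DC01"},
    {"time": "2025-03-12T02:14:21", "id": 4625, "user": "jdoe", "src": "198.51.100.7", "host": "DC01"},
    {"time": "2025-03-12T02:14:25", "id": 4625, "user": "svc_backup", "src": "198.51.100.7", "host": "DC01"},
    {"time": "2025-03-12T02:20:10", "id": 4624, "user": "jdoe", "src": "198.51.100.7", "host": "DC01"},
    {"time": "2025-03-12T02:31:00", "id": 4720, "user": "svc_backup2", "actor": "jdoe", "host": "DC01"},
    {"time": "2025-03-12T02:32:00", "id": 4728, "user": "svc_backup2", "group": "Domain Admins",
     "actor": "jdoe", "host": "DC01"},
    # A lone typo'd password from an internal workstation: below threshold, not flagged.
    {"time": "2025-03-12T09:00:00", "id": 4625, "user": "asmith", "src": "10.0.0.23", "host": "WS14"},
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def find_logon_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """One finding per source IP that produced >= threshold failed logons (4625)
    inside a sliding window.  Lists the distinct target users, so a spray (many
    users, one source) is visible, and notes whether a successful logon (4624)
    from the same source came after the burst, which is the case to triage first."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            failures[e["src"]].append(e)
        elif e["id"] == 4624:
            successes[e["src"]].append(e)

    findings = []
    for src, fails in failures.items():
        fails.sort(key=lambda e: _t(e["time"]))
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and _t(fails[j + 1]["time"]) - _t(fails[i]["time"]) <= window:
                j += 1
            if j - i + 1 >= threshold:
                burst = fails[i:j + 1]
                last = _t(burst[-1]["time"])
                findings.append({
                    "src": src,
                    "failed_logons": len(burst),
                    "users": sorted({e["user"] for e in burst}),
                    "first": burst[0]["time"],
                    "last": burst[-1]["time"],
                    "success_after_burst": any(_t(s["time"]) >= last for s in successes.get(src, [])),
                })
                break  # one finding per source is enough for triage
    return findings


def find_account_changes(events, privileged_groups=PRIVILEGED_GROUPS):
    """Surface account creations (4720) and additions to privileged groups
    (4728 global / 4732 local): the 'new or unrecognized accounts' the advisory
    says to look for on domain controllers and servers."""
    findings = []
    for e in events:
        if e["id"] == 4720:
            findings.append({"kind": "account_created", "user": e["user"],
                             "by": e["actor"], "time": e["time"]})
        elif e["id"] in (4728, 4732) and e["group"] in privileged_groups:
            findings.append({"kind": "privileged_group_add", "user": e["user"],
                             "group": e["group"], "by": e["actor"], "time": e["time"]})
    return findings


if __name__ == "__main__":
    for f in find_logon_bursts(SAMPLE_EVENTS):
        print("LOGON BURST", f)
    for f in find_account_changes(SAMPLE_EVENTS):
        print("ACCOUNT CHANGE", f)
```

On the sample data the spray from 198.51.100.7 is reported with five distinct target users and a success following it, and the two account changes made by the compromised `jdoe` account are listed for review; the single failure from the internal workstation stays below the threshold. The threshold and window are deliberately parameters, because a value that catches a slow spray on one network is noise on another.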

Dan Lattimer, an associate vice president at cybersecurity firm Semperis, also told Forbes that the FBI’s advice not to pay the ransom if attacked is sound.

“75% of organizations were attacked multiple times in the past 12 months,” Lattimer said, meaning most of those companies either ended up paying multiple ransoms or not receiving correct decryption keys. “Paying ransoms is not advised other than in life and death situations or when a company believes it does not have another option.”


Content shared from brobible.com.
