FBI Issues 'Medusa' Alert As Hackers Target Critical Infrastructure, Extort Victims for Cash
The Federal Bureau of Investigation (FBI) is sounding the alarm on an ongoing ransomware campaign known as "Medusa" that has left hundreds of victims in its wake. The ransomware was first discovered in 2021 and has been wreaking havoc on critical infrastructure sectors, leaving a trail of significant breaches behind it.
According to experts, Medusa is a type of ransomware-as-a-service (RaaS) variant that encrypts its victims' files before demanding a ransom in exchange for a decryption key. The attackers typically gain initial access through deceptive phishing emails designed to steal credentials or by exploiting unpatched software vulnerabilities.
The scope of the problem is significant, with over 300 victims from various critical infrastructure sectors affected, including medical, education, legal, insurance, technology, and manufacturing. Notable targets include the Minneapolis Public Schools district, which saw 92 GB of sensitive student data leaked after refusing to pay a $1 million ransom. Other victims have included cancer centers, British high schools, and government entities in places like Tonga, France, and the Philippines.
Both the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) are issuing advisory notices on the spread of Medusa. In a statement to Newsweek, CISA described one case in which a victim, after paying the ransom, was contacted by a separate Medusa actor. That actor claimed the negotiator had stolen the ransom already paid and demanded that half of the payment be made again in exchange for the "true decryptor," in what the agency describes as a potential "triple extortion scheme."
Google spokesperson Ross Richendrfer emphasized the importance of acting quickly for victims, preferably within Google's one-week grace period following any recovery phone number change that allows the user to regain control of the account. He recommended that Google users already have a recovery phone number and email attached to their account. "These can be used in cases where users forget their own passwords or if an attacker changes the credentials after hijacking the account… When you change your recovery email, you may be able to choose to get sign-in codes sent to your previous recovery email for one week."
As the situation continues to unfold, it is essential for individuals and organizations to take proactive measures to protect themselves from such threats. By staying informed and taking necessary precautions, they can minimize their risk of becoming a victim of Medusa or similar ransomware campaigns.