
The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency are warning healthcare organizations and others that Medusa ransomware affiliates seek to exploit unpatched software and other common vulnerabilities and exposures.
WHY IT MATTERS
The joint advisory, issued with the Multi-State Information Sharing and Analysis Center, describes known Medusa ransomware tactics, techniques and procedures, and indicators of compromise identified through FBI investigations as recently as February.
The variant – which is unrelated to the MedusaLocker variant and the Medusa mobile malware variant, according to the FBI – has compromised more than 300 victims from a variety of critical infrastructure sectors, including a state health insurer, since 2021.
Medusa developers recruit in cybercriminal forums and marketplaces to obtain initial access to potential victims and offer payments between $100 and $1 million with the opportunity to work exclusively for Medusa.
The affiliates use living-off-the-land techniques and legitimate tools – such as Advanced IP Scanner and SoftPerfect Network Scanner – to establish their presence and avoid detection.
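Because these scanners are legitimate software, the detection opportunity is the execution itself: who ran a network scanner, from where, and on how many hosts. The following Python pass is an added illustration, not code from the advisory or this article; it runs over constructed Sysmon-style process-creation records, and the executable names and the drop-zone directories it treats as higher severity are assumptions, not values the advisory gives.

```python
import json
from collections import defaultdict
# Legitimate scanners the advisory says Medusa affiliates use for discovery.
# Binary names are assumptions (the advisory names products, not executables).
SCANNER_WATCHLIST = {
    "advanced_ip_scanner.exe": "Advanced IP Scanner",
    "netscan.exe": "SoftPerfect Network Scanner",
}
# Assumed heuristic: a scanner launched from a user drop zone rates higher
# than one IT deployed to a program directory.
DROP_ZONE_HINTS = ("/downloads/", "/temp/", "/appdata/")

def normalise(path: str) -> str:
    """Unify separators and case so path and basename matching is exact."""
    return path.replace("\\", "/").lower()

def find_scanner_executions(events):
    """Return one alert per process-creation record whose image is watchlisted."""
    alerts = []
    for raw in events:
        try:
            ev = json.loads(raw)
            image = normalise(ev["Image"])
        except (json.JSONDecodeError, KeyError, TypeError, AttributeError):
            continue  # malformed or incomplete telemetry is skipped, not trusted
        tool = SCANNER_WATCHLIST.get(image.rsplit("/", 1)[-1])
        if tool is None:
            continue
        sev = "high" if any(h in image for h in DROP_ZONE_HINTS) else "medium"
        alerts.append({"time": ev.get("UtcTime"), "host": ev.get("Computer"),
                       "user": ev.get("User"), "tool": tool, "severity": sev})
    return alerts

def scanner_runs_per_host(alerts):
    # Aggregate so a host that ran several scanners stands out for triage.
    counts = defaultdict(int)
    for a in alerts:
        counts[a["host"]] += 1
    return dict(counts)

# Constructed Sysmon-style process-creation records; not real telemetry.
SAMPLE_EVENTS = [
    '{"UtcTime":"2025-02-10 03:12:44","Computer":"WS-042","User":"CORP\\\\jdoe",'
    '"Image":"C:\\\\Users\\\\jdoe\\\\Downloads\\\\advanced_ip_scanner.exe"}',
    '{"UtcTime":"2025-02-10 03:15:02","Computer":"WS-042","User":"CORP\\\\jdoe",'
    '"Image":"C:\\\\Users\\\\jdoe\\\\AppData\\\\Local\\\\Temp\\\\netscan.exe"}',
    '{"UtcTime":"2025-02-10 03:20:11","Computer":"SRV-01","User":"CORP\\\\svc",'
    '"Image":"C:\\\\Windows\\\\System32\\\\notepad.exe"}',
    'not json at all',
    '{"UtcTime":"2025-02-10 04:01:37","Computer":"WS-017","User":"CORP\\\\ops",'
    '"Image":"C:\\\\Program Files\\\\NetScan\\\\NETSCAN.EXE"}',
]
```

Running `find_scanner_executions(SAMPLE_EVENTS)` yields three alerts (two high-severity on WS-042, one medium on WS-017) while the benign editor launch and the malformed record are ignored.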
"The ransom note demands victims make contact within 48 hours via either a Tor browser-based live chat, or via Tox, an end-to-end encrypted instant-messaging platform," the agencies said. "If the victim does not respond to the ransom note, Medusa actors will reach out to them directly by phone or email."
The agencies suggest mitigating known vulnerabilities by ensuring operating systems, software and firmware are patched and up to date, segmenting networks to restrict lateral movement, and filtering network traffic so that unknown or untrusted origins cannot reach remote services on internal systems.
THE LARGER TREND
Investigators found that Medusa uses phishing campaigns as a primary method for stealing victim credentials and may exploit vulnerabilities in software like ConnectWise ScreenConnect, which was used in the Change Healthcare cyberattack last year.
Rural hospitals may be particularly susceptible as they have limited resources and capacity to address key cybersecurity measures, which could create an ideal opportunity for cyber exploitation, Microsoft said in its rural hospital cybersecurity landscape report released earlier this month.
ON THE RECORD
"Medusa originally operated as a closed ransomware variant, meaning all development and associated operations were controlled by the same group of cyber threat actors," the FBI, CISA and MS-ISAC said in the advisory. "While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers."
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.