Beware the Ides of March… or in this case, suspicious emails, if you’re one of the 1.8 billion Gmail users at risk from the Medusa ransomware gang.
The Medusa ransomware gang has been active since 2021 but recently gained attention due to a 42% increase in activity year-over-year in 2024. This surge has been accompanied by a series of successful attacks impacting over 300 organizations across critical infrastructure sectors, including healthcare, manufacturing, education, legal, and technology.
Like most ransomware operations, Medusa gains access to organizations primarily through phishing campaigns or by exploiting unpatched software vulnerabilities. Once a system is compromised, victims face a double extortion scheme: attackers demand a ransom — in this case, reportedly ranging from $100 to $1 million — to restore access to encrypted data, and they threaten to sell or leak the stolen sensitive information unless an additional payment is made.
Mitigating the Medusa Ransomware Threat
CISA has posted immediate steps organizations can take to mitigate cyber threats related to the Medusa ransomware attacks:
- Mitigate known vulnerabilities by ensuring operating systems, software, and firmware are patched and up to date within a risk-informed span of time.
- Segment networks to restrict lateral movement between initially infected devices and other devices in the same organization.
- Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems.
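The second and third steps above (segmenting networks and filtering traffic so that only trusted origins can reach remote services on internal systems) are easy to state and easy to get wrong in a large ruleset. The following is an added example, not code from the Schneider Downs post or from the CISA advisory: a small Python audit that reads inbound firewall rules in a simplified, hypothetical text format and flags every allow rule that exposes a remote-administration or file-service port (SSH, RDP, SMB, WinRM, VNC) to a source range that is not wholly inside a constructed allowlist of trusted origins (a jump-host subnet and a VPN pool). The rule format, port list, sample rules and trusted ranges are all constructed for the example.

```python
"""
Added example (not from the Schneider Downs post or the CISA advisory): audit
inbound firewall rules for remote-service ports reachable from untrusted
origins. Rule format, port list, sample rules and trusted ranges are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Remote-administration / file-service ports that ransomware operators commonly
# use for initial access and lateral movement (list constructed for the example).
REMOTE_SERVICE_PORTS = {
    22: "ssh", 3389: "rdp", 445: "smb", 5985: "winrm", 5986: "winrm-https", 5900: "vnc",
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str   # "allow" or "deny"
    src: str      # source CIDR; "0.0.0.0/0" means any origin
    dst: str      # destination CIDR (an internal segment)
    port: int


def parse_rule(line: str) -> Rule:
    """Parse one line of the hypothetical rule format:
    '<name> <allow|deny> <src_cidr> -> <dst_cidr> tcp/<port>'."""
    name, action, src, arrow, dst, proto_port = line.split()
    if arrow != "->" or not proto_port.startswith("tcp/"):
        raise ValueError(f"unparseable rule: {line!r}")
    # Validate CIDRs up front so a typo in a rule cannot silently pass the audit.
    ipaddress.ip_network(src, strict=False)
    ipaddress.ip_network(dst, strict=False)
    return Rule(name, action.lower(), src, dst, int(proto_port[4:]))


def is_trusted_origin(src_cidr: str, trusted: List[str]) -> bool:
    """A source range is trusted only if it lies entirely inside one trusted CIDR.
    A broad range such as 10.0.0.0/16 that merely overlaps a trusted /24 is not."""
    src = ipaddress.ip_network(src_cidr, strict=False)
    return any(src.subnet_of(ipaddress.ip_network(t, strict=False)) for t in trusted)


def audit_rules(lines: List[str], trusted_origins: List[str]) -> List[Tuple[str, str]]:
    """Return (rule_name, finding) for every allow rule that exposes a
    remote-service port to an origin outside the trusted allowlist."""
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rule = parse_rule(line)
        if rule.action != "allow" or rule.port not in REMOTE_SERVICE_PORTS:
            continue
        if not is_trusted_origin(rule.src, trusted_origins):
            svc = REMOTE_SERVICE_PORTS[rule.port]
            findings.append(
                (rule.name, f"{svc}/{rule.port} on {rule.dst} reachable from untrusted {rule.src}")
            )
    return findings


# Constructed trusted origins: a jump-host subnet and a VPN address pool.
TRUSTED_ORIGINS = ["10.0.100.0/24", "10.0.200.0/24"]

# Constructed sample ruleset. Only rdp-any and smb-flat should be flagged:
# web-public is not a remote-service port, rdp-deny is a deny rule, and the
# ssh-jump / winrm-vpn sources sit inside the trusted ranges.
SAMPLE_RULES = """
# name        action  source          ->  destination     port
rdp-any       allow   0.0.0.0/0       ->  10.0.10.0/24    tcp/3389
ssh-jump      allow   10.0.100.0/24   ->  10.0.10.0/24    tcp/22
smb-flat      allow   10.0.0.0/16     ->  10.0.20.0/24    tcp/445
web-public    allow   0.0.0.0/0       ->  10.0.30.0/24    tcp/443
winrm-vpn     allow   10.0.200.0/24   ->  10.0.10.0/24    tcp/5985
rdp-deny      deny    0.0.0.0/0       ->  10.0.10.0/24    tcp/3389
""".strip().splitlines()

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES, TRUSTED_ORIGINS):
        print(f"[FINDING] {name}: {finding}")
```

The check deliberately uses a "wholly contained" test rather than an overlap test: a rule allowing all of 10.0.0.0/16 to reach SMB does contain the trusted jump-host subnet, but it also admits every other host on the flat network, which is exactly the lateral-movement path segmentation is meant to close. Adapting the parser to a real firewall export is the only site-specific work; the allowlist logic stays the same.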
In addition, CISA offered a comprehensive list of mitigation recommendations designed to reduce the likelihood and impact of Medusa and similar ransomware attacks, including:
- Ensure all backup data is encrypted, immutable (i.e., cannot be altered or deleted), and covers the entire organization’s data infrastructure.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location.
- Maintain offline backups of data, and regularly maintain backup and restoration procedures.
- Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to comply with NIST’s password standards.
- Require multifactor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
For more information on identifying, mitigating, and protecting against the Medusa ransomware attack, please visit the CISA Medusa Ransomware advisory page.
How Can Schneider Downs Help?
If you have specific concerns about the Medusa ransomware attack or want to discuss how to keep your organization prepared against cyber threats, contact our Cybersecurity Consulting team at [email protected].
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. In addition, our Digital Forensics and Incident Response teams are available 24x7x365 at 1-800-993-8937 if you suspect or are experiencing a network incident of any kind.
To learn more, visit our dedicated Cybersecurity page.
Want to be in the know? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity.