The Medusa ransomware operation has been turning critical infrastructure operations to stone, having impacted over 300 entities since its first appearance in 2021.
Infamous ransomware operation Medusa has reportedly launched cyber attacks on over 300 critical infrastructure entities, according to new findings.
According to a joint advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Multi-State Information Sharing and Analysis Center (MS-ISAC), the ransomware-as-a-service (RaaS) operation has been targeting entities “from a variety of critical infrastructure sectors with affected industries, including medical, education, legal, insurance, technology, and manufacturing”.
Medusa first appeared in January 2021 as a closed ransomware variant. It grew rapidly after the launch of its Medusa Blog leak site in 2023, shifting to a RaaS model and using the site to pressure victim organisations into paying a ransom.
“Medusa developers typically recruit initial access brokers (IABs) in cyber criminal forums and marketplaces to obtain initial access [TA0001] to potential victims,” added CISA.
“Potential payments between US$100 and US$1 million are offered to these affiliates with the opportunity to work exclusively for Medusa.”
The group is also known for using living-off-the-land (LOTL) techniques and legitimate tools to evade detection.
In the four years since it first emerged, the group has listed over 400 victims, including Australian and international critical infrastructure organisations.
In June last year, Medusa claimed a cyber attack on Australian fuel distributor North Coast Petroleum, allegedly having exfiltrated 71.5 gigabytes of data, including invoices, driver’s licence scans, passport details, and creditor bank account details.
A month later, the Harry Perkins Institute of Medical Research confirmed a “cyber incident” as the Medusa ransomware gang claimed to have exfiltrated 4 terabytes of data.
It is also worth noting that Medusa ransomware is a different malware family from the MedusaLocker ransomware and the Medusa mobile malware variants.
The advisory recommends that organisations patch operating systems, software and firmware promptly to mitigate known vulnerabilities; filter network traffic and block suspicious sources to restrict access to internal systems and remote servers; and segment networks to prevent lateral movement by threat actors between infected devices.