Cybersecurity is more critical than ever, with email services like Gmail and Outlook becoming prime targets for cybercriminals.
On March 12, 2025, the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory (AA25-071A) warning about the growing threat from the Medusa ransomware gang. The advisory is part of CISA’s ongoing #StopRansomware initiative, a series that documents individual ransomware variants and the threat actors behind them, along with their tactics, techniques, and procedures and the indicators of compromise defenders can look for.
Find out more about the advisory, the threat, and the best ways users can stay vigilant and take necessary precautions to protect their personal and professional data below.
What Did the FBI Advisory Warn About Gmail and Outlook?
According to the advisory, Medusa operates as a ransomware-as-a-service (RaaS) variant whose operators, and the initial access brokers they recruit, rely on phishing campaigns as a primary way in: fraudulent emails crafted to harvest account credentials or to lure the recipient into opening a malicious link or attachment. Any webmail user, including Gmail and Outlook users, can receive such a lure, which is why the advisory’s guidance on passwords and multifactor authentication applies to personal accounts as well as corporate ones.
What Is Medusa?
The Medusa ransomware gang was first identified in June 2021. FBI investigation confirmed that it is unrelated to the MedusaLocker variant or to the Medusa mobile (Android) malware, despite the shared name.
As of February 2025, Medusa had impacted more than 300 victims across a range of critical infrastructure sectors, including medical, education, legal, insurance, technology, and manufacturing.
How Does Medusa Ransomware Operate?
In addition to phishing campaigns, Medusa actors gain access by exploiting unpatched software vulnerabilities in internet-facing systems. Once inside, they steal data and then encrypt the victim’s systems. Both the Medusa developers and their affiliates, referred to collectively as “Medusa actors” in the advisory, use a double extortion model: they encrypt the victim’s data and also threaten to publish the exfiltrated information if the ransom is not paid, so a restored backup alone does not end the extortion.
The ransom note demands that victims make contact within 48 hours, either via a Tor-based live chat or via Tox, an end-to-end encrypted instant-messaging platform. If a victim does not respond, Medusa actors may reach out directly by phone or email.
Medusa also operates a data leak site, where victims’ information is displayed alongside countdown timers leading to the release of that data. According to the advisory, ransom demands are posted on the site with direct links to Medusa-affiliated cryptocurrency wallets. The group also advertises the sale of stolen data to interested parties before the countdown expires. Victims can pay $10,000 USD in cryptocurrency to extend the countdown by one additional day.
How to Protect Yourself Against the Cybersecurity Threat
The FBI and CISA recommend several key practices to reduce the risk. First, all accounts should use long, unique passwords, and multifactor authentication should be required wherever possible, particularly for webmail, VPNs, and any account that can reach critical systems, since stolen credentials are the payoff of the phishing campaigns described above. It is equally important to keep operating systems, software, and firmware patched, because unpatched vulnerabilities are Medusa’s other main route in.
In addition, organizations should implement a recovery plan that keeps multiple copies of sensitive or proprietary data and servers in physically separate, segmented, and secure locations, such as external drives, dedicated storage devices, or the cloud. Backups are only useful if they survive the intrusion, so they should be offline or immutable and tested by actually restoring from them. Network segmentation limits how far ransomware can spread once one host is compromised. Finally, to detect and investigate abnormal activity, including ransomware moving between systems, use network monitoring tools and deploy a solution that logs and reports all network traffic, including lateral movement, so that an intrusion can be spotted while it is still confined to a few hosts.
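One concrete form the last recommendation can take is a detection rule run over network flow logs. The script below is an added example, written for this article and not taken from the CISA/FBI advisory or from any vendor tool; it flags a source host that opens connections to an unusual number of distinct internal hosts on remote-administration ports (SMB, RDP, WinRM, RPC) within a short window, which is what lateral movement by a ransomware operator typically looks like. The log format, the sample flows, the port list, and the threshold are all assumptions for illustration.

```python
"""Flag lateral-movement candidates in network flow logs.

Added example (not from the advisory or the article). The idea: a single
internal source that reaches many distinct internal hosts on admin ports in a
few minutes is far more likely to be an intruder pivoting than a normal user.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

# Ports commonly used for remote administration, and therefore for pivoting.
# Assumed list; tune it to what is actually in use on the network.
ADMIN_PORTS = {135: "RPC", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM"}

# RFC 1918 ranges stand in for "internal" here; replace with the real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow log (not real traffic): timestamp src dst dport action.
# 10.0.1.15 fans out to six hosts in under two minutes; 10.0.1.42 is normal.
SAMPLE_FLOWS = """\
2025-03-12T09:00:01Z 10.0.1.15 10.0.1.1 53 ALLOW
2025-03-12T09:00:05Z 10.0.1.42 10.0.2.20 445 ALLOW
2025-03-12T09:01:10Z 10.0.1.15 10.0.2.20 445 ALLOW
2025-03-12T09:01:12Z 10.0.1.15 10.0.2.21 445 ALLOW
2025-03-12T09:01:15Z 10.0.1.15 10.0.2.22 3389 ALLOW
2025-03-12T09:01:20Z 10.0.1.15 10.0.2.23 445 ALLOW
2025-03-12T09:01:21Z 10.0.1.15 8.8.8.8 443 ALLOW
2025-03-12T09:01:25Z 10.0.1.15 10.0.2.24 5985 ALLOW
2025-03-12T09:02:40Z 10.0.1.15 10.0.2.25 445 ALLOW
2025-03-12T09:30:00Z 10.0.1.42 10.0.2.30 3389 ALLOW
2025-03-12T09:40:00Z 10.0.1.42 10.0.2.31 3389 DENY
"""


def parse_flow(line):
    """Parse one whitespace-separated flow record into a dict.

    Returns None for blank or malformed lines so one bad record cannot stop
    the scan (a real log will contain some).
    """
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, action = parts
    try:
        return {
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "action": action,
        }
    except ValueError:
        return None


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_fanout(lines, window=timedelta(minutes=5), threshold=5):
    """Return one alert per source that reached >= threshold distinct internal
    hosts on admin ports inside any `window`-long interval.

    Each alert is (src, window_start_iso, distinct_hosts, sorted_protocols).
    Only allowed, internal-to-internal, admin-port flows are considered.
    """
    by_src = defaultdict(list)
    for line in lines:
        f = parse_flow(line)
        if f is None or f["action"] != "ALLOW":
            continue
        if f["dport"] not in ADMIN_PORTS:
            continue
        if not (is_internal(f["src"]) and is_internal(f["dst"])):
            continue
        by_src[f["src"]].append(f)

    alerts = []
    for src, flows in by_src.items():
        flows.sort(key=lambda f: f["ts"])
        best = None
        # Slide a window starting at each flow and count distinct destinations.
        for i, start in enumerate(flows):
            end = start["ts"] + window
            hosts, protos = set(), set()
            for f in flows[i:]:
                if f["ts"] > end:
                    break
                hosts.add(f["dst"])
                protos.add(ADMIN_PORTS[f["dport"]])
            if best is None or len(hosts) > best[2]:
                best = (str(src), start["ts"].isoformat(), len(hosts), sorted(protos))
        if best is not None and best[2] >= threshold:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for src, start, n, protos in find_fanout(SAMPLE_FLOWS.splitlines()):
        print(f"ALERT {src}: {n} internal hosts via {'/'.join(protos)} from {start}")
```

Run against the sample, the rule reports 10.0.1.15 reaching six internal hosts over SMB, RDP and WinRM starting at 09:01:10 and stays silent for 10.0.1.42, whose two admin-port connections are half an hour apart. The external connection and the DNS query are ignored by design, since the rule is about internal pivoting rather than outbound traffic. In production the threshold should be set from a baseline of what jump hosts, scanners and backup servers legitimately do, and those hosts should be allow-listed rather than the threshold raised for everyone.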