
Immediate action advised for Gmail, Outlook, and VPN users: FBI alert issued

With the escalating threats of the Medusa Ransomware, the Federal Bureau of Investigation advises immediate action to secure webmail and VPNs by enabling two-factor authentication (2FA) as a top priority. Here's the lowdown.


Update, March 15, 2025: Originally published Mar 13, this article has been revised based on expert advice from infosec professionals following the Medusa ransomware attacks and the urgent FBI guidance.

The FBI has issued a warning about bizarre ransomware attacks delivered by the U.S. Postal Service, a dangerous ransomware campaign from so-called Ghost attackers, and some of the most sophisticated attacks on Gmail users ever. In light of these threats, the FBI has now published an industry alert that rolls all of its mitigation advice into one as Medusa ransomware attacks continue.

Here's the lowdown.

FBI and CISA Issue Medusa Ransomware Joint Alert

Medusa, a notorious ransomware-as-a-service (RaaS) provider, is known to have caused damage to at least 300 victims in the critical infrastructure sector since the campaign began in June 2021. It's a nasty piece of work, relying on social engineering and the exploitation of unpatched software vulnerabilities during attacks. FBI investigations since February have helped assemble a dossier of the tactics, techniques, procedures, indicators of compromise, and detection methods associated with the Medusa threat actors.

In partnership with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the FBI has issued a joint March 12 cybersecurity advisory as Medusa ransomware attacks continue. While the full alert goes into great detail about the technicalities of the Medusa operation, here's a quick rundown of the advice offered for the everyday Joe.

Experts Weigh In Following FBI Medusa Ransomware Warning

Ransomware-as-a-service is still going strong. That's the word according to infosec pros. "Medusa is a daunting name for this attack, given its multi-faceted and far-reaching impacts on various industries," Tim Morris, chief security advisor at Tanium, said. Medusa, he continued, is "effective in exploitation, persistence, lateral movement, and concealment," making it "critical for organizations to manage their estates properly, know where their assets are, and ensure they have robust defense-in-depth mechanisms in place."

Jon Miller, CEO and co-founder of Halcyon, agreed, stating that "ransomware operators like Medusa focus on gaining leverage to extort organizations, making critical infrastructure entities prime targets due to their heightened motivation to maintain uninterrupted services." These groups, Miller explained, "exploit security gaps," leveraging vulnerabilities to move laterally, escalate privileges, exfiltrate sensitive data, and deploy their payloads. "Once inside a network," Miller continued, "Medusa employs sophisticated strategies to maximize impact." Specifically, the group executes base64-encoded commands via PowerShell to avoid detection and uses tools like Mimikatz to extract credentials from memory, facilitating further network compromise. "They also leverage legitimate remote access software," Miller warned, "including AnyDesk and ConnectWise, as well as tools like PsExec and RDP, to propagate across the network." Designed to inflict maximum operational disruption, Medusa can terminate over 200 Windows services and processes, including those related to security software, Miller concluded.
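As an added example, not code from the article or from the FBI/CISA advisory: a small Python detection routine that finds PowerShell launched with an encoded command in process-creation log lines and decodes the payload for analyst review, which is the base64-encoded PowerShell technique Miller describes. The log line format, the sample lines and the function names are constructed for this example.

```python
import base64
import binascii
import re

# Constructed sample process-creation log lines (not from the article or the advisory).
# "dwBoAG8AYQBtAGkA" is the UTF-16LE base64 encoding of "whoami", the form
# PowerShell expects for -EncodedCommand.
SAMPLE_LOGS = [
    'host=ws01 user=alice cmd="powershell.exe -NoProfile -Command Get-Date"',
    'host=ws02 user=svc01 cmd="powershell.exe -nop -w hidden -enc dwBoAG8AYQBtAGkA"',
    'host=ws03 user=bob cmd="C:\\Windows\\System32\\notepad.exe"',
    'host=ws04 user=carol cmd="pwsh -EncodedCommand not-base64!!"',
]

CMD_RE = re.compile(r'cmd="([^"]*)"')
PS_RE = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)
# Any "-e..." switch followed by a token; validated below against PowerShell's rule
# that -EncodedCommand may be abbreviated to any prefix, plus the -e / -ec aliases.
FLAG_RE = re.compile(r"-(e[a-z]*)\s+(\S+)", re.IGNORECASE)


def is_encoded_command_flag(flag):
    """True if the switch is an accepted spelling of -EncodedCommand."""
    f = flag.lower()
    return f in ("e", "ec") or "encodedcommand".startswith(f)


def decode_ps_b64(token):
    """Decode an -EncodedCommand argument; None if it is not valid UTF-16LE base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def find_encoded_powershell(lines):
    """Return one finding per log line that starts PowerShell with an encoded command."""
    findings = []
    for line in lines:
        m = CMD_RE.search(line)
        if not m or not PS_RE.search(m.group(1)):
            continue  # not a PowerShell launch
        for flag, token in FLAG_RE.findall(m.group(1)):
            if is_encoded_command_flag(flag):
                # decoded=None means the token was unreadable and still merits review
                findings.append({"line": line, "decoded": decode_ps_b64(token)})
    return findings


if __name__ == "__main__":
    for f in find_encoded_powershell(SAMPLE_LOGS):
        print(f"ENCODED POWERSHELL: {f['line']}\n  decoded: {f['decoded']!r}")
```

Run over real Windows Security 4688 or Sysmon event 1 command lines, the decoded text is what an analyst reviews; an undecodable token is reported rather than silently dropped.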

Taking Action Against Medusa Ransomware: FBI Mitigation Advice

When it comes to immediate actions that organizations should be taking in order to mitigate the Medusa ransomware attack campaigns, the FBI has recommended the following:

  • Multi-Factor Authentication: Require two-factor authentication for all services wherever possible, but especially for webmail like Gmail, Outlook, and others, along with virtual private networks and critical system accounts.
  • Secure Passwords: Require all accounts with password logins to use long, complex passwords and consider not requiring frequent password changes, as these can weaken security.
  • Secure Data Backups: Keep multiple copies of sensitive or proprietary data and servers in a separated, secure location.
  • Stay Updated: Keep all operating systems, software, and firmware up-to-date. Prioritize patching known exploited vulnerabilities in internet-facing systems.
  • Monitor Network Activity: Identify, detect, and investigate abnormal activity and potential traversal of the Medusa ransomware with a networking monitoring tool.
  • Firewall Configuration: Monitor for unauthorized scanning and access attempts, and filter network traffic by blocking unknown or untrusted origins from accessing remote services on internal systems.
  • User Account Management: Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
  • Disable Command-Line: Disable command-line and scripting activities and permissions.
  • Disable Unused Ports: Disable unused ports.

Though the FBI and CISA have issued their advice on Medusa, some experts remain unimpressed. Take Roger Grimes, a data-driven defense evangelist at KnowBe4, who says it is business as usual: warn people about ransomware that spreads through social engineering, yet neglect to suggest security awareness training as a primary means of defense. In Grimes' experience, social engineering accounts for 70% to 90% of all successful hacking attacks. Yet, despite the Medusa ransomware operation using social engineering tactics, awareness isn't mentioned in the 15 recommended mitigations. "It's like learning that criminals are breaking into your house all the time through the windows and then recommending more locks for the doors," Grimes said. Grimes concluded, echoing a sentiment likely shared by many, that "the attackers must be laughing."
