SecurityBrief Canada - Technology news for CISOs & cybersecurity decision-makers

Medusa ransomware threat continues to challenge firms

Yesterday

The ongoing threat posed by Medusa ransomware remains a significant concern for global organisations, as highlighted in a recent advisory by the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).

Dan Lattimer, Assistant Vice President EMEA West at Semperis, commented on the persistence of Medusa ransomware.

"The recent CISA / FBI advisory is a reminder of the persistence of Medusa ransomware and the overall scourge impacting hundreds of global organisations."

"Defenders have their hands full tackling the presence of Medusa, and the mitigation recommendations, which include deploying software patches, network segmentation and blocking access to services from unknown or untrusted sources, will help organisations improve their operational resilience," he stated.

Emphasising a strategic shift in mindset, Lattimer suggests that organisations should consider adopting an "assumed breach" perspective. This approach, he explained, requires a focus on rapid detection and response rather than solely concentrating on breach prevention.

"In addition, organisations should adopt an 'assumed breach' mindset, because companies operating under the assumption that their systems have been or will be compromised shift the focus from preventing breaches to detecting, responding and recovering quickly," Lattimer advised.

The vulnerability of identity systems, particularly Active Directory, in ransomware attacks was another key point raised. "Identity systems, most often Active Directory, are targeted in 90 percent of ransomware attacks. Active Directory controls authentication and authorisation to applications and data, effectively holding the 'keys to the kingdom.' If attackers gain access to Active Directory, they can control any resources within an organisation," Lattimer explained, underlining the critical nature of securing these systems.

The Semperis global ransomware report, which surveyed 1,000 organisations, provides further insight into the persistent threat. "In a recently published Semperis global ransomware report of 1,000 organisations, we learned that ransomware attacks are not a one-time threat."

"In fact, 75% of organisations were attacked multiple times in the past 12 months. And more than 70% of organisations paid ransoms multiple times," Lattimer noted.

He highlighted the ineffectiveness of paying ransoms, citing that it often does not secure a return to normalcy. "Paying ransoms is not advised other than in life and death situations or when a company believes it does not have another option. Paying ransoms does not guarantee a return to normal business operations, as 35% of victims who paid ransom either did not receive decryption keys or received corrupted keys," he said.

Lattimer also stressed the importance of maintaining data backups, noting a shift in attack strategies where threat actors encrypt backups as a means to expedite ransom dealings.

"In addition, companies should back up all data, including their identity systems, as more and more threat actors are encrypting backups, realising it is a faster means to securing ransom payments from victims," he mentioned.

To combat these threats, establishing solid procedures for cyberattack detection and recovery is vital.

"And it is critical to establish procedures for detecting, responding to, and recovering from cyberattacks, with real-time visibility into changes in elevated network accounts and groups," Lattimer asserted.
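The "real-time visibility into changes in elevated network accounts and groups" that Lattimer calls for comes down to watching the directory's own audit trail for membership changes to tier-0 groups. The following is an added example, not part of the article or of any Semperis product: it reads newline-delimited JSON as a log forwarder might export Windows Security events, and raises an alert whenever one of the standard group-membership event IDs (4728/4732/4756 for additions, 4729/4733/4757 for removals) names a group on a watch list. The event IDs and the field names (`TargetUserName`, `MemberName`, `SubjectUserName`) are the standard ones for these events; the watch list, the account names and the sample log lines are constructed for illustration.

```python
import json
from dataclasses import dataclass

# Standard Windows Security event IDs for security-group membership changes.
GROUP_ADD_EVENTS = {4728: "global", 4732: "local", 4756: "universal"}
GROUP_REMOVE_EVENTS = {4729: "global", 4733: "local", 4757: "universal"}

# Constructed watch list of elevated groups; extend it with the tier-0 groups
# of your own directory (compared case-insensitively).
PRIVILEGED_GROUPS = {
    "domain admins", "enterprise admins", "schema admins",
    "administrators", "account operators",
}


@dataclass(frozen=True)
class Alert:
    timestamp: str
    action: str   # "added" or "removed"
    scope: str    # "global", "local" or "universal"
    member: str   # account whose membership changed
    group: str    # watched group that was touched
    actor: str    # account that made the change


def detect_privileged_group_changes(events):
    """Return one Alert per membership change that touches a watched group."""
    alerts = []
    for ev in events:
        event_id = ev.get("EventID")
        if event_id in GROUP_ADD_EVENTS:
            action, scope = "added", GROUP_ADD_EVENTS[event_id]
        elif event_id in GROUP_REMOVE_EVENTS:
            action, scope = "removed", GROUP_REMOVE_EVENTS[event_id]
        else:
            continue  # not a group-membership event (e.g. 4624 logon)
        # In the 47xx group events TargetUserName is the group and
        # MemberName is the account being added or removed.
        group = ev.get("TargetUserName", "")
        if group.lower() not in PRIVILEGED_GROUPS:
            continue
        alerts.append(Alert(
            timestamp=ev.get("TimeCreated", ""),
            action=action,
            scope=scope,
            member=ev.get("MemberName", "<unknown>"),
            group=group,
            actor=ev.get("SubjectUserName", "<unknown>"),
        ))
    return alerts


def parse_event_lines(lines):
    """Parse newline-delimited JSON, one event per line; blank lines are skipped."""
    for line in lines:
        line = line.strip()
        if line:
            yield json.loads(line)


# Constructed sample events (not real log data). A raw string keeps the JSON
# escaping of the DOMAIN\user form intact.
SAMPLE_LOG = r"""
{"TimeCreated": "2025-03-13T02:14:07Z", "EventID": 4728, "SubjectUserName": "svc-backup", "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins"}
{"TimeCreated": "2025-03-13T02:14:09Z", "EventID": 4624, "SubjectUserName": "jdoe", "TargetUserName": "jdoe"}
{"TimeCreated": "2025-03-13T02:15:30Z", "EventID": 4728, "SubjectUserName": "hr-admin", "MemberName": "CN=asmith,CN=Users,DC=corp,DC=example", "TargetUserName": "Marketing"}
{"TimeCreated": "2025-03-13T02:16:02Z", "EventID": 4732, "SubjectUserName": "svc-backup", "MemberName": "CORP\\jdoe", "TargetUserName": "Administrators"}
{"TimeCreated": "2025-03-13T02:40:45Z", "EventID": 4729, "SubjectUserName": "svc-backup", "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example", "TargetUserName": "Domain Admins"}
"""


def run_sample():
    """Run the detector over the constructed sample log and return the alerts."""
    return detect_privileged_group_changes(parse_event_lines(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.timestamp} {a.actor} {a.action} {a.member} -> {a.group} ({a.scope} group)")
```

Run on the sample, the detector flags the two additions to Domain Admins and Administrators and the later removal from Domain Admins, and ignores the logon event and the change to the non-privileged Marketing group. In practice the same logic sits in a SIEM rule fed by the domain controllers' Security logs; the point is that the watch list is small and explicit, so every hit is worth a human looking at it.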

He concluded by advising organisations to identify and prioritise critical systems and develop an effective response plan in case of attacks.

"Organisations should assess what their critical systems are because when these services are inoperable or exposed because of vulnerabilities, that could open floodgates for hackers. And have a plan for 'what to do if' that includes a robust backup and recovery plan," advised Lattimer.
