Federal cybersecurity agencies and the FBI are warning against a dangerous ransomware scheme that has affected hundreds of people. The FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint cybersecurity advisory to share information about Medusa ransomware. The advisory is part of CISA's ongoing #StopRansomware initiative, which flags ransomware variants and threat actors, as well as their tactics, techniques, and procedures, USA Today reports.

Medusa is a ransomware-as-a-service provider first identified in June 2021. As of February, Medusa has affected over 300 victims from multiple critical infrastructure sectors and industries, including medical, education, legal, insurance, technology, and manufacturing.

Originally, Medusa operated as a closed ransomware variant where all development and associated operations were controlled by the same group of cyber threat actors. It has shifted toward an affiliate model, where developers and affiliates, called "Medusa actors," use a double extortion model "where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid," according to the advisory.
The ransom note demands victims make contact within 48 hours through a browser-based live chat or an end-to-end encrypted instant messaging platform. Victims can also be contacted directly by Medusa actors via phone or email if they do not respond to the ransom note.

Medusa also operates a data leak site, which shows victims alongside countdowns to the release of information. "Ransom demands are posted on the site, with direct hyperlinks to Medusa-affiliated cryptocurrency wallets," the advisory stated. "At this stage, Medusa concurrently advertises sale of the data to interested parties before the countdown timer ends. Victims can additionally pay $10,000 in cryptocurrency to add a day to the countdown timer."

The FBI, CISA, and MS-ISAC recommended some actions organizations should take immediately to protect against Medusa ransomware threats:

Require VPNs or jump hosts for remote access, and monitor for unauthorized scanning and access attempts.

Require employees to use long passwords, and consider not requiring frequently recurring password changes, which can weaken security.

Require multi-factor authentication for all services, especially for Gmail and email, virtual private networks, and accounts that access critical systems.
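Two of the recommendations above are things a defender can check against their own authentication logs: watch for unauthorized scanning and access attempts, and make sure remote access to critical systems really does go through the jump host. The script below is an added example written for this article, not code from the advisory or from any of the agencies named. The log format, the jump host address (10.0.0.5), the critical host names, and every log line are constructed for the example; in practice the parser would be adapted to the SSH, RDP, or VPN log format the organization actually collects.

```python
"""Toy detector for two advisory recommendations: flag bursts of failed
logins from one source (scanning / password guessing) and flag successful
logins to critical hosts that did not originate from the jump host.
Added example with constructed data; not from the advisory or any vendor."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed jump host and critical hosts (constructed for the example).
JUMP_HOST = "10.0.0.5"
CRITICAL_HOSTS = {"db01", "ad01"}

# Constructed sample log lines in an assumed simple format:
# "<ISO timestamp> <host> <service> <OK|FAIL> user=<u> src=<ip>"
SAMPLE_LOGS = """\
2025-02-01T08:00:01 db01 sshd FAIL user=root src=203.0.113.7
2025-02-01T08:00:02 db01 sshd FAIL user=admin src=203.0.113.7
2025-02-01T08:00:03 db01 sshd FAIL user=backup src=203.0.113.7
2025-02-01T08:00:04 db01 sshd FAIL user=oracle src=203.0.113.7
2025-02-01T08:00:05 db01 sshd FAIL user=test src=203.0.113.7
2025-02-01T08:05:00 ad01 rdp OK user=alice src=10.0.0.5
2025-02-01T08:07:00 ad01 rdp OK user=bob src=198.51.100.23
2025-02-01T09:00:00 web01 sshd FAIL user=alice src=10.0.0.12
2025-02-01T09:30:00 web01 sshd OK user=alice src=10.0.0.12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<svc>\S+) (?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_logs(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def find_auth_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Sources with at least `threshold` failed logins inside a sliding
    time window: the shape a password spray or brute-force attempt leaves.
    Returns {source_ip: failures_in_window}."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            by_src[ev["src"]].append(ev["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans <= `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = end - start + 1
                break
    return flagged


def find_jump_host_bypass(events, jump_host=JUMP_HOST, critical=CRITICAL_HOSTS):
    """Successful logins to critical hosts whose source is not the jump host."""
    return [
        (ev["host"], ev["user"], ev["src"])
        for ev in events
        if ev["result"] == "OK" and ev["host"] in critical and ev["src"] != jump_host
    ]


def run(text=SAMPLE_LOGS):
    """Run both checks over a log text and return the findings."""
    events = parse_logs(text)
    return {
        "bursts": find_auth_bursts(events),
        "bypass": find_jump_host_bypass(events),
    }


if __name__ == "__main__":
    for kind, hits in run().items():
        print(kind, hits)
```

On the constructed sample, the burst check flags 203.0.113.7 (five failures in five seconds against db01) and the jump-host check flags bob's RDP login to ad01 from 198.51.100.23; alice's login to ad01 passes because it came from the jump host, and the single failed login on web01 stays below the threshold. The threshold and window are deliberately parameters, since the right values depend on how noisy normal authentication traffic is in a given environment.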