Full Report
An advisory from the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) on Wednesday said the Medusa ransomware group and its affiliates have attacked organizations in the medical, education, legal, insurance, technology and manufacturing industries.
Analysis Summary
# Incident Report: Medusa Ransomware Campaign Against Critical Infrastructure
## Executive Summary
The Medusa Ransomware-as-a-Service (RaaS) group, active since June 2021, has targeted over 300 organizations globally across critical sectors including medical, education, and government, using phishing and known vulnerabilities for initial access. The group employs a multi-stage extortion approach, sometimes escalating to double or triple extortion, resulting in significant data exfiltration and operational disruption at affected entities. Response efforts involved engaging with the group through ransom negotiations, though reports indicate further extortion attempts even after payment.
## Incident Details
- **Discovery Date:** Ongoing, as detailed in the joint advisory issued "on Wednesday" (timing relative to the report creation).
- **Incident Date:** Active since June 2021.
- **Affected Organization:** Over 300 victims reported, spanning medical, education, legal, insurance, technology, and manufacturing industries. Specific victims mentioned include Minneapolis Public Schools, the nation of Tonga, municipalities in France, government agencies in the Philippines, and government bodies in Illinois and Texas.
- **Sector:** Critical Infrastructure (Medical, Education, Government/Municipalities, Technology, Manufacturing).
- **Geography:** Global (US, Tonga, France, Philippines, Canada mentioned).
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing since June 2021.
- **Vector:** Phishing campaigns and exploitation of unpatched vulnerabilities.
- **Details:** Affiliates are specifically observed exploiting **CVE-2024-1709** (ScreenConnect vulnerability) and **CVE-2023-48788** (Fortinet product vulnerability). Initial Access Brokers (IABs) are recruited via cybercriminal forums to gain entry.
### Lateral Movement
- **Details:** Not explicitly detailed, but implied as part of the standard ransomware operational progression following initial access.
### Data Exfiltration/Impact
- **Details:** Data exfiltration occurs, and the gang maintains a public leak site advertising stolen data. The Minneapolis Public Schools attack exposed sensitive student documents, affecting over 100,000 people. Extortion attempts involve demanding payment for decryption, potentially combined with threats to leak data.
### Detection & Response
- **Details:** Detection often occurs when victims receive the ransom note, which demands contact within 48 hours, followed by phone/email contact if no response is received. Victims engage in negotiation, sometimes resulting in further extortion attempts ("triple extortion"). Response actions were primarily focused on negotiation and potential remediation efforts post-attack.
## Attack Methodology
- **Initial Access:** Phishing, Exploitation of **CVE-2024-1709** (ScreenConnect), Exploitation of **CVE-2023-48788** (Fortinet).
- **Persistence:** Implied, but not explicitly detailed.
- **Privilege Escalation:** Not explicitly detailed, but standard for ransomware progression.
- **Defense Evasion:** Not explicitly detailed.
- **Credential Access:** Not explicitly detailed.
- **Discovery:** Not explicitly detailed.
- **Lateral Movement:** Not explicitly detailed.
- **Collection:** Data gathering for extortion purposes.
- **Exfiltration:** Stolen data is advertised on the threat actor's leak site.
- **Impact:** Encryption/disruption and data extortion (potentially triple extortion).
## Impact Assessment
- **Financial:** Ransom demands range from $100 USD to $1 million USD for affiliates, implying potentially massive demands on victim organizations. One victim was solicited for a second payment after the initial ransom had been paid, by an actor who claimed the negotiator had stolen the funds.
- **Data Breach:** Sensitive student documents (Minneapolis Public Schools), government data, and organizational records across numerous sectors.
- **Operational:** Significant disruption implied across targeted critical infrastructure.
- **Reputational:** Public exposure via leak sites and media reporting following major attacks on public entities (e.g., schools, municipalities).
## Indicators of Compromise
*Because Medusa operates as RaaS, concrete IoCs vary by affiliate and deployment; only the common vectors are listed below.*
- **Network indicators:** Exploitation traffic targeting ScreenConnect and Fortinet remote access tools.
- **File indicators:** Ransom note deployment (specific file names not provided).
- **Behavioral indicators:** Contact originating from Medusa actors via email/phone regarding ransom payment or secondary demands.
## Response Actions
- **Containment:** Not explicitly detailed; implied negotiation phase.
- **Eradication:** Not explicitly detailed.
- **Recovery:** Decryption (if paid) or system restoration. Noteworthy: one victim was contacted for a second payment after paying, by an actor who "claimed the negotiator had stolen the ransom", indicating that negotiation alone is not a reliable path to recovery.
## Lessons Learned
- **Key Takeaways:** Medusa RaaS successfully leverages IABs for initial access and exploits publicly known, high-impact vulnerabilities (**CVE-2024-1709, CVE-2023-48788**).
- **What could have been done better:** Negotiations are highly unpredictable: reported instances of actors claiming paid ransoms were stolen suggest either a lack of central control over affiliates or a deliberate extortion tactic ("triple extortion"). Failure to patch known vulnerabilities quickly remains the primary enabler of initial access.
## Recommendations
- **Prevention measures for similar incidents:**
1. Immediately patch known vulnerabilities, prioritizing remote access solutions like ConnectWise ScreenConnect and Fortinet products.
2. Implement robust network monitoring to detect unusual activity indicative of lateral movement following initial access via remote access tools.
3. Enhance third-party vetting and monitoring, as IABs are a key initial vector.
4. Develop comprehensive incident response plans that account for potential multi-stage extortion tactics involving multiple threat actor touchpoints post-initial negotiation.