FBI Warns of “Medusa” Malware Threat to Outlook and Gmail Users
In the face of this threat, the FBI, CISA and MS-ISAC have provided a number of practical recommendations for users and organizations to protect themselves.

The FBI has issued a warning aimed at users of widely used email services, such as Outlook and Gmail, about the growing threat of cyberattacks perpetrated by the Medusa ransomware (a type of malware that holds data and devices hostage until a ransom is paid).
This malware (malicious software that can damage or alter the operation of a device), which has affected more than 300 victims in sectors as diverse as technology, legal, medical and manufacturing, represents a significant risk because of its operating model and its ability to extort money from those it ensnares.
The security alert was issued on March 12 in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), after detecting recent Medusa activity last month, although the ransomware was first identified in June.
With our partners @FBI and @CISecurity (MS-ISAC), we released a #StopRansomware: Medusa Ransomware joint Cybersecurity Advisory. Read the actions your organization can take today to mitigate risks associated with this ransomware activity. https://t.co/MIXgwUmNAV pic.twitter.com/cJcrgixvNr
— Cybersecurity and Infrastructure Security Agency (@CISAgov) March 12, 2025
According to the agencies' joint advisory, the Medusa perpetrators, referred to as "Medusa actors," include both the ransomware developers and their affiliates, who operate under a scheme known as ransomware as a service. This model is based on a double extortion strategy: first, they encrypt the victims' data, rendering it inaccessible, and then they threaten to publish the stolen information if the demanded ransom is not paid.
This approach intensifies the pressure on victims, as they not only lose access to their systems, but also face the possibility of sensitive data being publicly exposed.
Developers of Medusa recruit specialized middlemen, known as initial access brokers, through marketplaces and forums on the dark web frequented by cybercriminals. These collaborators receive payments ranging from $100,000 to $1 million, with the additional offer of working exclusively for a hacker organization, demonstrating the level of professionalism behind these operations.
How do they get into the operating system?
To infiltrate systems, brokers employ common but effective tactics, such as sending phishing emails designed to trick users and exploiting vulnerabilities in software that has not been updated, a reminder of the importance of keeping systems up to date.
The ransom notes left by Medusa are clear in their demands: victims must establish contact with the attackers within 48 hours, using a live chat accessible through the Tor browser (which guarantees the anonymity of the criminals) or the encrypted messaging platform Tox, known for its end-to-end security.
If victims do not respond within that time, Medusa actors do not hesitate to escalate their strategy, contacting them directly by phone or email to press for payment.
According to the FBI, one victim was extorted three times. After making a first payment, another Medusa actor contacted her, claiming that the main hacker had stolen the ransom money and demanding a new payment.
Protection suggestions
Among the suggested measures are the use of strong passwords, preferably long and updated frequently, along with the implementation of multifactor authentication, which adds an additional layer of security by requiring more than one method of verification.
In addition, the agencies emphasize the importance of backing up sensitive data, whether on external hard drives, cloud services or dedicated storage devices. These copies should be kept disconnected from the network and, where possible, encrypted, to ensure that they can be used to restore systems without relying on attackers.
Keeping operating systems and software up to date is also key to closing loopholes that hackers could exploit.
Ryan Kalember, chief strategy officer at security firm Proofpoint, provided advice on how to react to a phishing attack. Speaking to The Washington Post, he noted that "that is often the first reaction, and it is not ideal," referring to the tendency of users to ignore the problem after opening suspicious links or attachments.
"When you fall for something, the attacker still has some window of time where they have to figure out what they've just got and whether it's even worth taking advantage of."
For users of Outlook, Gmail and other services, adopting these preventative measures is not only a recommendation, but an urgent necessity.