FBI Ties Group to Triple-Extortion Tactics Involving Follow-On Ransom Demands

Ransomware groups are pushing the frontier of shakedown tactics through a triple extortion scam meant to coerce victims into paying for a decryptor twice over, the U.S. federal government warned Wednesday.
The Russian-speaking operators behind the Medusa operation are the subject of this particular warning. The Cybersecurity and Infrastructure Security Agency, the FBI and the Multi-State Information Sharing and Analysis Center say the group has been tied to attacks against more than 300 organizations across critical infrastructure sectors, including healthcare, education, technology, manufacturing, legal services and insurance.
Most ransomware groups practice double extortion by maliciously encrypting files and additionally threatening to disclose compromised data if victims refuse to pay. Medusa, which debuted in mid-2021, added a third twist to its coercion tactics: after a victim pays, a Medusa actor claims that the group’s negotiator absconded with the victim’s money and requests a new payment of half the ransom in order to provide the “true decryptor.”
Medusa has claimed a swath of new victims in recent weeks, including Bell Ambulance in Wisconsin, British book printer CPI Books, phone-training firm Customer Management Systems, Nebraska’s Heartland Health Center, and Colorado’s third largest city, Aurora. Whether those entities actually fell victim to the group and the extent to which they might have been disrupted remain open questions. Another organization that the group recently claimed as a victim, South Carolina’s Laurens School District 56, did confirm a security breach.
In January, Medusa ranked ninth on a monthly list of groups tied to the most known attack victims, said cybersecurity firm NCC Group. In 2024, 9% of known ransomware attacks were tied to the group, reported cybersecurity firm BlackFog.
“With a flair for the dramatic, Medusa is known for its aggressive negotiation style and attempts to embarrass victims that don’t pay ransoms,” says consultancy S-RM in a recent report. “The group was increasingly prolific last year, suggesting it may also be benefiting from the takedowns of other groups.”
Medusa is a relatively long-lived operation, at least under its own name, that launched as a closed business, researchers said. The tightly controlled group not only developed its own crypto-locking malware but reserved it solely for its own use.
Subsequently, the group embraced a ransomware-as-a-service model, in which an operator provides multiple services, including supplying crypto-locking malware and oftentimes hosting a data leak site and handling negotiations. Medusa recruits initial access brokers in cybercrime forums and marketplaces. Affiliates, or business partners, take the malware and get a cut that typically runs to 70% to 80% of every ransom a victim pays.
Like many other groups, after Medusa’s ransomware forcibly encrypts large parts of an infected system, it displays a 48-hour countdown timer to try to rush victims into paying. After an attack, “ransom demands are posted on the site, with direct hyperlinks to Medusa-affiliated cryptocurrency wallets,” the alert says. “At this stage, Medusa concurrently advertises the sale of the data to interested parties before the countdown timer ends. Victims can additionally pay $10,000 in cryptocurrency to add a day to the countdown timer.”
Whether Medusa actually sells stolen data, or merely wields the threat of it, isn’t clear. Russian-speaking ransomware groups, such as Medusa, also have a nebulous relationship with the Russian state, meaning stolen data may get shared with Moscow’s security and intelligence apparatus.
Ties to Initial Access Brokers
To fuel its attacks, like many other RaaS groups, Medusa avails itself of the wider cybercrime ecosystem. “Potential payments between $100 and $1 million are offered to these affiliates with the opportunity to work exclusively for Medusa,” the alert says.
The bureau said initial access brokers who work with Medusa often rely on these two tactics: phishing campaigns designed to obtain legitimate credentials and exploiting known, unpatched vulnerabilities in an organization’s network to gain initial access. Among the known vulnerabilities exploited to deliver Medusa ransomware are a ScreenConnect authentication bypass vulnerability tracked as CVE-2024-1709 and a Fortinet EMS SQL injection flaw tracked as CVE-2023-48788.
BlackFog said the group’s ransom demands have sometimes exceeded $40 million. Such demands, typically publicized by attackers, are meant to grab headlines and sharpen their double-extortion play, experts say. Whether a victim pays – by one recent measure, about a quarter of organizations do – and what they pay never gets disclosed by criminals (see: Ransomware: Victims Who Pay a Ransom Drops to All-Time Low).
For organizations weighing paying, law enforcement agencies caution victims that there’s no evidence in the history of ransomware that any extortionist has ever honored a data-deletion promise, and even paying for a decryptor may not lead to a working one being delivered.
The U.S. federal alert came the same day that CISA announced cancellation of funding for the MS-ISAC, which it previously shared under a cooperative agreement with the Center for Internet Security, a U.S. nonprofit launched in 2020 to “help people, businesses and governments protect themselves against pervasive cyberthreats.” The CIS hasn’t detailed what might happen next with MS-ISAC, which counts more than 17,000 U.S. state, local, tribal and territorial governments as users (see: CISA Defunds Threat-Sharing Hubs for States and Elections).
The threat posed by multiple ransomware groups continues, with researchers tracking what appears to have been a surge in attacks across recent months.