Medusa Ransomware attacks on Gmail

On March 12th, 2025, the FBI and CISA issued a joint alert on Medusa ransomware attacks that have hit critical infrastructure in the US and are now flooding Gmail with phishing emails.

https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-071a

All Gmail users should be on alert.

FBI alerts Gmail users over Medusa Ransomware
https://www.cybersecurity-insiders.com/fbi-alerts-gmail-users-over-medusa-ransomware/

FBI, CISA Raise Alarms As Medusa Ransomware Attacks Grow

https://www.darkreading.com/cyberattacks-data-breaches/fbi-cisa-alarmed-medusa-ransomware-attacks-grow

MEDUSA RANSOMWARE HIT OVER 300 CRITICAL INFRASTRUCTURE ORGANIZATIONS UNTIL FEBRUARY 2025

Medusa Ransomware: What You Need To Know

https://www.tripwire.com/state-of-security/medusa-ransomware-what-you-need-know

Cybersecurity Insiders also has an article on what to do if your Google Account is hacked or compromised:

WHAT IS MEDUSA?

Medusa is a ransomware attack package that is being targeted at critical US infrastructure and institutions. Once it is downloaded and installed on a user's machine, the ransomware encrypts all the data on the computer and copies the data over the Internet to the bad actors. It then holds the data hostage for a ransom of between $10,000 and $15 million, and threatens to release the data on the Internet if the ransom is not paid.

HOW IS MEDUSA BEING DELIVERED?

Medusa is being delivered through phishing emails. More recently, phishing emails have flooded Gmail to try to get users to deploy the package. More sophisticated targeted attacks (spear phishing) have also been reported that use AI to craft more believable text, to better convince victims to click on links or download attachments that result in the ransomware being installed. Types of phishing emails used for ransomware like Medusa include, but are not limited to, fake content that looks like:

1) Delivery notices (FedEx, UPS, USPS, DHL, etc.) with a delivery receipt to download, or a link to click for the receipt.

2) IRS notices claiming you owe money.

3) Toll notices claiming you owe money.

4) eBay notices claiming you just bought something and a fake receipt is attached.

5) Virus alerts or IT notices claiming you need to verify your password or download a piece of security software.

6) Telephone messages with a link to the message or an attachment claiming to be the message.

7) Purchase notification emails with fake receipts attached from vendors like Amazon, Wayfair, Kohl's, Target, Walmart, etc.

8) Lottery notifications informing the recipient they’re a winner.

9) Emails that look like they came from your boss asking you to buy or do something.

10) Emails from a friend or family member claiming they’ve been a victim of a crime overseas.

11) Any of the above but in USPS letters or text messages trying to get users to go onto a computer and click on a link.

MITIGATION

1) Do not click on links in, or download attachments from, any email from anyone you don't know. Even if it's purportedly from someone you know, if it feels off, assume that it is and don't click on any links or download any attachments. You can also look at the From address and see if you recognize it. If you don't, it's definitely phishing.

2) Make sure you have up-to-date backups of all of your most important files. For Windows users this can be Dropbox, the MIT-recommended Code42 CrashPlan, or Microsoft Backup onto an external hard drive. For Mac users this can be Dropbox, Code42 CrashPlan, or Time Machine onto an external hard drive. For Windows users, best practice is to leave the external backup drive disconnected until you need to do the backup.

3) Make sure all of your operating system updates are done so you are running the latest version of your currently installed operating system. Windows 10 users should stay on Windows 10; do not upgrade to Windows 11. macOS users should not upgrade to Sequoia. The only Macs that should have Sequoia installed are new Macs that ship with it by default.

4) Delete suspicious emails if in doubt. If you are able to forward the suspected phishing or ransomware email as an attachment to IS&T at phishing@mit.edu, please do so to help the IS&T Security team analyze the attack and devise strategies to block it.
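A small triage check for the advice in items 1 and 4 above (look at the From address, treat unexpected attachments as suspect), added here as an example and not part of this advisory or of IS&T's own tooling: it parses a raw message and flags a display name or subject that claims one of the brands listed above while the sender domain is elsewhere, a Reply-To that steers replies to a different domain, and attachments of types that can run code. The brand-to-domain mapping and the sample "delivery notice" message are constructed for the example.

```python
import email, os, re
from email import policy
from email.utils import parseaddr
# Brands the advisory lists as lures, mapped to the domain their real mail comes
# from (assumed for this example, not taken from the advisory; extend as needed).
BRAND_DOMAINS = {"fedex": "fedex.com", "ups": "ups.com", "usps": "usps.com",
                 "dhl": "dhl.com", "irs": "irs.gov", "ebay": "ebay.com",
                 "amazon": "amazon.com"}
# Attachment types that can run code or wrap an executable when opened.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta", ".lnk", ".iso", ".zip"}

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""

def triage(raw_message: str) -> list[str]:
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)
    # 1) Display name or subject claims a brand the sender domain does not match.
    words = re.findall(r"[a-z0-9]+", f"{display_name} {msg.get('Subject', '')}".lower())
    for brand, legit in BRAND_DOMAINS.items():
        if brand in words and from_domain != legit and not from_domain.endswith("." + legit):
            findings.append(f"brand impersonation: '{display_name}' <{address}> is not from {legit}")
    # 2) Replies are steered to a domain other than the one the mail claims to be from.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to mismatch: From is {from_domain}, Reply-To is {reply_domain}")
    # 3) An attachment of a type that can execute or carry a payload.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings.append(f"risky attachment: {name}")
    return findings

# Constructed sample of the "delivery notice" lure the advisory describes.
PHISH_EML = """\
From: "FedEx Delivery" <notice@parcel-update.example>
Reply-To: claims@collect-now.example
Subject: Delivery notice - receipt attached
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: application/octet-stream; name="receipt.zip"
Content-Disposition: attachment; filename="receipt.zip"

(constructed placeholder, not a real archive)
--sep--
"""
```

Running `triage(PHISH_EML)` reports all three findings for the sample; a message whose display name and sender domain agree and that carries no risky attachment returns an empty list.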

AFFECTED PLATFORMS

Medusa is written to exploit Microsoft Windows through the command line (cmd) and PowerShell. Though the attack package doesn't affect Macs for now, a Mac can become a carrier for the ransomware until the file or link finds its way onto a Windows machine. Users who work on both platforms should not let their guard down, lest they forget which machine they've logged into and accidentally activate the ransomware on the targeted platform.

Apple’s Macs Have Long Escaped Ransomware. That May Be Changing

https://www.wired.com/story/apple-mac-lockbit-ransomware-samples

Please let us know if you have any questions or concerns.