
Medusa Ransomware Gang Offers BBC Reporter Millions for Inside Hack Access


A ransomware operation claiming affiliation with the Medusa gang attempted to recruit BBC cybersecurity correspondent Joe Tidy as an insider threat, offering him substantial financial incentives in exchange for access to the broadcaster's systems. 

The threat actor, using the alias "Syndicate" (later shortened to "Syn"), contacted Tidy in July via the encrypted messaging app Signal, proposing an arrangement that would give him a percentage of the ransom proceeds. The initial proposition involved offering Tidy 15% of any ransom payment if he provided access to his work laptop and BBC systems. 

The cybercriminals planned to infiltrate the organization's network, exfiltrate sensitive data, and demand payment in cryptocurrency while threatening to release stolen information. As negotiations continued, Syn increased the offer to 25%, suggesting the total ransom demand could reach tens of millions of dollars and claiming Tidy "wouldn't need to work ever again".

To establish credibility, the threat actor offered 0.5 Bitcoin (approximately $55,000) as an upfront trust payment through escrow on a hacker forum. Syn referenced previous successful insider recruitment operations, citing cases involving a UK healthcare company and a US emergency services provider, suggesting such collaborations were common in their operations.

The Medusa ransomware operation has operated since January 2021 and evolved from a closed operation to a ransomware-as-a-service model with affiliates. According to a March report from CISA, the gang has compromised over 300 critical infrastructure organizations in the United States. The operation's core developers recruit initial access brokers through cybercrime forums and darknet marketplaces while maintaining central control over ransom negotiations.

Tidy, who reports on cybersecurity topics, believes the attackers likely mistook him for a technical employee with elevated system privileges rather than a journalist. After consulting with BBC editors, he engaged with the threat actor to gather intelligence on their methods. When Tidy delayed responding to their demands, the criminals launched an MFA bombing attack, flooding his phone with two-factor authentication requests in an attempt to force approval of a malicious login.

The journalist promptly contacted BBC's information security team and was disconnected from the organization's infrastructure as a precautionary measure. Following several days of silence from Tidy, the alleged Medusa representative deleted their Signal account.
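The MFA bombing described above is noisy from the identity provider's side: one account receives a burst of push prompts in a short window, often mixed with explicit denials. The following is an added detection example written for this page, not code from the BBC or the article; the log format (one line per push event, "timestamp user result"), the sample lines, the 60-second window and the threshold of five pushes are all assumptions chosen for illustration.

```python
"""Flag MFA push-notification floods ("MFA bombing") in authentication logs.

Added example for this page; the log format below is constructed:
    <ISO-8601 UTC timestamp> <user> <result>
where result is push_sent, push_approved or push_denied.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: a burst of prompts to "alice" (one of which she
# denies) and a single normal login for "bob".
SAMPLE_LOG = """\
2025-07-10T09:00:02Z alice push_sent
2025-07-10T09:00:05Z alice push_denied
2025-07-10T09:00:09Z alice push_sent
2025-07-10T09:00:14Z alice push_sent
2025-07-10T09:00:20Z alice push_sent
2025-07-10T09:00:27Z alice push_sent
2025-07-10T09:00:33Z alice push_sent
2025-07-10T09:15:00Z bob push_sent
2025-07-10T09:15:08Z bob push_approved
"""


def parse_events(text):
    """Parse the constructed log format into (timestamp, user, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, user, result = line.split()
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, user, result))
    events.sort(key=lambda e: e[0])
    return events


def find_push_floods(events, window_seconds=60, threshold=5):
    """Return one alert per user whose push_sent count reaches `threshold`
    within any sliding window of `window_seconds`. A denial inside the same
    window is reported too, since a user rejecting prompts is a strong hint
    that the login attempts are not theirs."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # user -> deque of (timestamp, result) in the window
    alerted = set()
    alerts = []
    for ts, user, result in events:
        if result not in ("push_sent", "push_denied"):
            continue
        q = recent[user]
        q.append((ts, result))
        # Drop entries that fell out of the window relative to the newest event.
        while q and ts - q[0][0] > window:
            q.popleft()
        pushes = sum(1 for _, r in q if r == "push_sent")
        denials = sum(1 for _, r in q if r == "push_denied")
        if pushes >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "window_start": q[0][0],
                "window_end": ts,
                "pushes": pushes,
                "denials": denials,
            })
    return alerts


if __name__ == "__main__":
    for alert in find_push_floods(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed log this raises a single alert for "alice" (five pushes and one denial inside 25 seconds) and none for "bob". In a real deployment the response to such an alert is the one the article describes: suspend the account's sessions and involve the security team rather than wait for the user to approve a prompt.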

Authorities Warn Against Medusa Ransomware Surge

Federal agencies are urging individuals and organizations to stay vigilant against a rising ransomware threat that has affected hundreds of new victims in recent weeks. The FBI, Cybersecurity and Infrastructure Security Agency (CISA), and Multi-State Information Sharing and Analysis Center (MS-ISAC) have jointly issued an advisory detailing the tactics used by Medusa ransomware and how to mitigate its impact.

First identified in June 2021, Medusa is a ransomware-as-a-service (RaaS) variant that primarily targets critical infrastructure sectors, including healthcare, education, legal, insurance, technology, and manufacturing. Through the RaaS model, the ransomware's developers delegate attack execution to affiliates, who have collectively compromised over 300 victims in the past month alone.

Initially, Medusa operated as a closed ransomware variant, where the same group that developed the malware also carried out attacks. However, it has since evolved into an affiliate-driven model, with developers recruiting attackers from dark web forums and paying them between $100 and $1 million per job.

Cybercriminals behind Medusa employ two primary attack vectors:
  • Phishing campaigns – Fraudulent emails trick users into downloading malicious attachments or clicking harmful links.
  • Exploiting unpatched vulnerabilities – Attackers take advantage of outdated software to infiltrate company networks.

Once inside, they utilize various legitimate tools to expand their access:

  • Advanced IP Scanner and SoftPerfect Network Scanner – Used to detect exploitable network vulnerabilities.
  • PowerShell and Windows command prompt – Help compile lists of targeted network resources.
  • Remote access tools like AnyDesk, Atera, and Splashtop – Assist in lateral movement across the system.
  • PsExec – Enables execution of files and commands with system-level privileges.
To avoid detection, attackers often disable security tools using compromised or signed drivers. They also delete PowerShell history and leverage Certutil to conceal their activity.
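Every tool in the list above is legitimate software, so detection has to key on how it is used rather than on the binary alone. The following added example (written for this page, not part of the advisory or any vendor product) triages constructed process-creation records against a handful of rules that map to the behaviours named above: certutil used to decode or fetch files, PsExec, deletion of the PowerShell console history file, the two network scanners, and remote-access tools that the organization has not sanctioned. The event records, file paths and command lines are constructed, the rule set and the `approved_remote_tools` parameter are assumptions, and the regexes are deliberately narrow; a production rule set would be broader and tuned to the environment.

```python
"""Triage constructed process-creation events for Medusa-style tooling.

Added example for this page. Each event is a dict with the executable path
("image") and its command line ("cmdline"), similar to what Windows 4688 or
Sysmon process-creation events provide. Rule names and patterns are this
example's own assumptions, not the advisory's.
"""
import re

# Behavioural rules: (rule name, regex evaluated against the lowercased command line).
RULES = [
    # certutil used for something other than certificate management
    ("certutil_download_or_decode",
     re.compile(r"\bcertutil(\.exe)?\b.*\s-(urlcache|decode|encode)\b")),
    # PsExec client or the service it drops on the remote host
    ("psexec_remote_execution",
     re.compile(r"\b(psexec(64)?|psexesvc)\.exe\b")),
    # PSReadLine history file being touched from a command line
    ("powershell_history_cleared",
     re.compile(r"consolehost_history\.txt")),
    # default binary names of the two scanners named in the advisory
    ("network_scanner",
     re.compile(r"\b(advanced_ip_scanner|netscan)\.exe\b")),
]

# Remote-access products named in the advisory; flagged only when not approved.
REMOTE_ACCESS_TOOLS = {
    "AnyDesk": re.compile(r"\banydesk"),
    "Atera": re.compile(r"\batera(agent)?\b"),
    "Splashtop": re.compile(r"\bsplashtop"),
}

# Constructed sample events (paths, hosts and file names are made up).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe quarterly_report.txt"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Remove-Item $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -decode staged.b64 staged.exe"},
    {"image": r"C:\Users\svc_backup\Downloads\advanced_ip_scanner.exe",
     "cmdline": "advanced_ip_scanner.exe"},
    {"image": r"C:\Tools\psexec.exe",
     "cmdline": r"psexec.exe \\FILESRV01 -s cmd.exe"},
    {"image": r"C:\Users\svc_backup\Downloads\AnyDesk.exe",
     "cmdline": r"AnyDesk.exe --install C:\ProgramData\AnyDesk"},
    {"image": r"C:\Program Files\Splashtop\SplashtopStreamer.exe",
     "cmdline": "SplashtopStreamer.exe --silent-install"},
]


def triage_events(events, approved_remote_tools=frozenset()):
    """Return a finding for every event that matches at least one rule.

    `approved_remote_tools` is the set of remote-access products the
    organization actually uses; those are not reported."""
    findings = []
    for idx, ev in enumerate(events):
        cmd = ev["cmdline"].lower()
        hits = [name for name, rx in RULES if rx.search(cmd)]
        for tool, rx in REMOTE_ACCESS_TOOLS.items():
            if rx.search(cmd) and tool not in approved_remote_tools:
                hits.append(f"unapproved_remote_access_tool:{tool}")
        if hits:
            findings.append({"event": idx, "image": ev["image"], "rules": hits})
    return findings


if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS, approved_remote_tools={"Splashtop"}):
        print(finding)
```

With Splashtop approved, the constructed sample yields five findings (history deletion, certutil decode, the scanner, PsExec and an unapproved AnyDesk install) and leaves the notepad and Splashtop events alone. Scoring several of these rules on the same host within a short interval is what should turn a single low-severity hit into an incident.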

Similar to other ransomware strains, Medusa follows a double-extortion strategy. Not only do attackers encrypt the victim's data, but they also threaten to leak the stolen copies publicly if the ransom is not paid. Victims typically have 48 hours to respond, after which they may be contacted via phone or email.

A Medusa data leak site displays ransom demands along with a countdown timer. If victims need more time, they can delay the data release by paying $10,000 in cryptocurrency per extra day. Meanwhile, attackers may attempt to sell the stolen data to third parties even before the timer expires.

Federal authorities recommend the following preventative measures to reduce the risk of Medusa attacks:
  • Patch vulnerabilities – Keep all operating systems, software, and firmware updated.
  • Network segmentation – Prevent attackers from moving across connected systems.
  • Traffic filtering – Restrict access to internal services from untrusted sources.
  • Disable unused ports – Close unnecessary entry points to minimize security risks.
  • Backup critical data – Store multiple copies of important files in an isolated location.
  • Enable multifactor authentication (MFA) – Secure all accounts, especially those used for webmail, VPNs, and critical systems.
  • Monitor network activity – Use security tools to detect unusual patterns and alert administrators to potential threats.
By implementing these strategies, organizations can significantly lower their chances of falling victim to Medusa ransomware and other evolving cyber threats.