Attack Update—FBI Warns Email And VPN Users Activate 2FA Now

Forbes

24-03-2025

As Medusa strikes, FBI issues stark warning.
Update, March 24, 2025: This story, originally published March 22, has been updated with news of another ransomware-as-a-service threat actor and more information from security professionals regarding the Medusa campaign following the FBI enable 2FA now warning.
The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency recently issued a joint advisory warning that two-factor authentication needed to be activated for all webmail and VPN accounts as a matter of urgency. That public alert came in the wake of ongoing attacks using Medusa malware, a dangerous ransomware-as-a-service platform enabling cyber criminals to carry out highly effective campaigns against enterprises. Now, security researchers have uncovered a vital component of those attacks, used to disable anti-malware protections. Despite this new revelation, which hopefully may help in the fight against the Medusa threat, enterprises are advised to stick to the FBI 2FA advice when it comes to webmail and VPN services.
Medusa is a well-known, and seemingly commonly deployed, ransomware-as-a-service provider. Ransomware as a what? Sadly, just like many other criminal activities such as phishing attacks and infostealer campaigns, ransomware threats can effectively be rented out to anyone who is willing to pay the fee. No great technical skill is required, no genius coder to recruit, and no criminal masterminds are needed. Just the money and malicious will to attack innocent parties for profit.
The FBI warning came in response to more than 300 victims falling to Medusa attacks since they started in 2021. FBI investigations in recent months into ongoing attacks revealed a 'dossier of tactics, techniques, and procedures, indicators of compromise, and detection methods associated with the threat actors.' All of which led to the public cybersecurity advisory AA25-071A, which urged all organizations to require two-factor authentication for all services where possible, in particular for webmail such as Gmail, Outlook and others, along with virtual private networks and any accounts that can access critical systems.
Although Medusa was viewed as a more minor, lower-profile ransomware operation when it was first seen in June 2021, everything changed in 2023 when the cybercrime group opened a dedicated leak site. Every month since then new victims have been added to the site. 'Currently, the total number of victims listed stands at 410,' Tim Mitchell, a senior researcher at the Secureworks Counter Threat Unit, said, 'with February 2025 accounting for the highest number of victims listed in a month at 34.' As Mitchell went on to explain, however, leak site listings only present part of the ransomware story, providing a partial view of victim numbers. Remember that the FBI has confirmed that more than 300 of those victims sit in the critical infrastructure sector. 'The group operates a double extortion model and uses phone calls to pressurize victims to pay,' Mitchell warned. And paying the ransom is no guarantee that the extortion will stop, as Mitchell explained. 'In one incident, the victim, who had already paid a ransom, was contacted by a different Medusa threat actor,' Mitchell said, 'and asked to pay half of the ransom again because the negotiator had stolen the previous payment.'
Elastic Security Labs has been monitoring a financially motivated threat campaign that deployed the Medusa ransomware in question, specifically using a heartcrypt-packed loader for these attacks. 'This loader was deployed alongside a revoked certificate-signed driver from a Chinese vendor we named Abyssworker,' Cyril François, a senior malware research engineer with the Elastic Security Labs Team, said 'which it installs on the victim machine and then uses to target and silence different endpoint detection and response vendors.' The methodology is what has become known as a bring-your-own-vulnerable driver attack that is designed to disable security protections. While being too technical for a news story such as this, I would recommend all enterprise defenders read the Elastic Security labs analysis and implement mitigations accordingly. All the time, of course, while still following the advice from that FBI warning.
Medusa isn't the only ransomware-as-a-service that enterprises need to worry about. Hellcat is also making a name for itself, according to a warning from Nick Tausek, lead security automation architect at Swimlane, who told me that it's a 'pretty polished ransomware-as-a-service operator, with an established dark web presence and recruiting operations.' Known for their unique ransom notes which take cultural references into account and often use humor in order to attract as much media attention as possible, Hellcat isn't a threat you can laugh off. 'Hellcat is also known for targeting the highest-value data for encryption, ransom, sale, and release,' Tausek said, 'maximizing impact while minimizing the chances of early detection.'
Just like the FBI, Tausek recommended that enterprises should use the strongest authentication methods available and ensure that 2FA is enabled where possible. 'As long as outdated credentials remain valid and third-party platforms are overlooked,' Tausek concluded, 'attackers like Hellcat will continue to exploit these oversights with devastating consequences.'