DICT warns government agencies against Medusa ransomware

The Department of Information and Communications Technology advised government agencies to review policies regarding employees bringing their own devices and the access management policies on work-from-home arrangements due to the Medusa ransomware.

In a memorandum dated September 24, 2023, DICT Undersecretary for Cybersecurity, Connectivity, and Upskilling Jeffrey Ian Dy warned against the Medusa ransomware, which the agency had observed since June 2021.

According to the DICT, the Medusa ransomware is distributed by exploiting publicly exposed Remote Desktop Protocol (RDP) servers through brute force attacks, phishing campaigns, or by exploiting existing vulnerabilities.

The ransomware is said to move laterally on the network to infect other machines through Service Message Block (SMB) or by exploiting the Windows Management Instrumentation (WMI).

“When executed, the Medusa ransomware terminates more than 280 Windows services and processes for programs that could prevent file encryption,” the memorandum read.

Among the services terminated are mail, databases, backup servers, and security applications. The ransomware will then delete Windows Shadow Volume Copies to prevent them from being used to recover files.

Moving forward, the DICT called on government agencies to review and update their “bring your own device” (BYOD) policies, and the access management policies of their digital assets on work-from-home arrangements, especially on the use of non-government issued computers.

It also called for the regular monitoring of their attack surface and conduct port inventories, backup files, systems, processes, and other digital assets, and implement a security information and event management system.

The memorandum also recommended the update of all installed programs, the implementation of account lockout policies, and a recovery plan that maintains multiple copies of sensitive or proprietary data. — DVM, GMA Integrated News