In the wake of the cyberattack on the Philippine Health Insurance Corporation’s (PhilHealth) website last Friday, the Department of Information and Communications Technology (DICT) has issued a technical advisory on the Medusa ransomware.
The advisory was sent as a memorandum for all government agencies describing what the Medusa ransomware is and how it can cripple the IT system of an office.
The Medusa ransomware was first detected in 2021. In 2022, the US Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, and the Financial Crimes Enforcement Network released a joint cybersecurity advisory on the MedusaLocker ransomware.
The MedusaLocker ransomware gains access to victim devices through vulnerable Remote Desktop Protocol (RDP) configurations and through email phishing and spam campaigns in which the ransomware is attached directly to the message.
To prevent this, the DICT said the use of pirated software and unlicensed programs, especially those downloaded from the internet, must be prohibited in all government offices.
The DICT has outlined a series of recommended security measures to safeguard against the Medusa ransomware threat, including:
- Regularly monitoring the attack surface and port inventory of various systems.
- Establishing robust backup protocols for files, systems, processes, and digital assets.
- Implementing a security information and event management system.
- Installing anti-malware, endpoint detection and response, and extended detection and response solutions in all government offices.
- Enforcing network segmentation.
- Vigilantly scrutinizing suspicious emails, especially those originating from unknown contacts.
- Reviewing access management policies, particularly for individuals in work-from-home arrangements, especially those using non-government-issued computers.
- Ensuring all installed programs are up-to-date.
- Implementing account lockout policies to thwart brute force attacks.
- Crafting a comprehensive recovery plan that maintains and retains multiple copies of sensitive or proprietary data and servers in physically separated, segmented, and secure locations.
- Conducting education and training sessions for IT and cybersecurity personnel on incident response procedures in the event of cyber incidents.
Once the Medusa ransomware infiltrates a system, it proceeds to terminate over 280 Windows services and processes, including those associated with mail servers, database servers, backup systems, and security applications—actions designed to facilitate file encryption.
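The burst of service terminations described above is visible in the Windows System log as a run of Service Control Manager events (Event ID 7036, "entered the stopped state"), which a SIEM rule can flag. The following Python snippet is an added example, not part of the DICT advisory or this article: it scans constructed 7036 records for any one-minute window in which five or more services stop and reports which of the categories named above (mail, database, backup, security) were hit; the service-name-to-category mapping is an assumption for illustration.

```python
from datetime import datetime, timedelta
from typing import List, NamedTuple

# Constructed sample of Windows System log entries, Event ID 7036
# (Service Control Manager: "The <name> service entered the <state> state").
# Names and timestamps are illustrative, not taken from any real incident.
SAMPLE_EVENTS = [
    ("2023-09-22T03:10:02", 7036, "Windows Update", "running"),
    ("2023-09-22T03:14:30", 7036, "MSSQLSERVER", "stopped"),
    ("2023-09-22T03:14:31", 7036, "MSExchangeIS", "stopped"),
    ("2023-09-22T03:14:31", 7036, "VeeamBackupSvc", "stopped"),
    ("2023-09-22T03:14:32", 7036, "WinDefend", "stopped"),
    ("2023-09-22T03:14:33", 7036, "Sense", "stopped"),
    ("2023-09-22T03:14:34", 7036, "VSS", "stopped"),
    ("2023-09-22T03:14:35", 7036, "SQLWriter", "stopped"),
    ("2023-09-22T09:00:00", 7036, "Spooler", "stopped"),  # routine, isolated
]

# Assumed mapping of service names to the categories the advisory names as
# targets (mail, database, backup, security); extend for your environment.
CRITICAL = {
    "MSSQLSERVER": "database", "SQLWriter": "database",
    "MSExchangeIS": "mail", "VeeamBackupSvc": "backup", "VSS": "backup",
    "WinDefend": "security", "Sense": "security",
}

class Alert(NamedTuple):
    start: str            # ISO timestamp of the first stop in the burst
    stopped: int          # number of services stopped inside the window
    categories: List[str] # critical categories affected, sorted
    services: List[str]   # service names, in time order

def detect_mass_service_stops(events, window_seconds=60, threshold=5):
    """Flag each window in which at least `threshold` services stopped."""
    stops = sorted(
        (datetime.fromisoformat(ts), name)
        for ts, eid, name, state in events
        if eid == 7036 and state == "stopped"
    )
    alerts, i = [], 0
    while i < len(stops):
        end = stops[i][0] + timedelta(seconds=window_seconds)
        j = i
        while j < len(stops) and stops[j][0] <= end:
            j += 1                      # extend window over the burst
        names = [n for _, n in stops[i:j]]
        if len(names) >= threshold:
            cats = sorted({CRITICAL[n] for n in names if n in CRITICAL})
            alerts.append(Alert(stops[i][0].isoformat(), len(names), cats, names))
            i = j                       # skip past the reported burst
        else:
            i += 1
    return alerts
```

Tune `threshold` and `window_seconds` against a baseline of normal maintenance windows so that scheduled reboots do not trip the rule.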
The ransomware deploys a ransom note text file, instructing victims on how to contact the attackers through TOR chat or a TOX ID to initiate ransom payment, typically directed to a specific Bitcoin wallet address.