The DICT emphasized the value of regular attack surface monitoring, port inventories of various systems, and regular backups of files, systems, processes, and other digital assets.
DICT said that when executed, the aforementioned ransomware terminates over 280 Windows services and processes, including programs that could potentially prevent file encryption.
Meanwhile, Philhealth targeted to restore its system on Sept. 25.
DICT issues guidelines, security measures to combat Medusa ransomware
Sep 24, 2023 12:06 PM
At a glance
The Department of Information and Communications Technology (DICT) on Sunday, Sept. 24 issued a list of preventive measures and security actions to be taken in the event that a system becomes infected with the Medusa ransomware.
The DICT emphasized the value of regular attack surface monitoring, port inventories of various systems, and regular backups of files, systems, processes, and other digital assets.
A security information and event management system's implementation and the requirement for anti-malware software tools to be installed in all government offices were also emphasized.
The DICT also advised the implementation of network segmentation, the banning of unlicensed and pirated software in all government offices, and the scrutiny of suspicious emails, particularly those coming from unknown addresses.
Here is the complete list of recommended preventions and security actions:
The DICT issued the preventive measures to raise awareness about the Medusa ransomware threat, particularly in light of the recent hacking incident at the Philippine Health Insurance Corporation (PhilHealth) on Sept. 22.
RELATED STORY:
https://mb.com.ph/2023/9/22/phil-health-paralyzed-by-medusa-ransomware-attack
According to the report, the Medusa group has demanded a ransom of USD$300,000 and threatened the government to release confidential data on its system.
READ:
Meanwhile, Philhealth targeted to restore its system on Sept. 25.
Medusa ransomware
The DICT said in a technical advisory that the Medusa ransomware is “distributed by exploiting publicly exposed Remote Desktop Protocol (RDP) servers either through brute force attacks, phishing campaigns or by exploiting existing vulnerabilities."
"Once inside the network, the Medusa ransomware will then move laterally on the network to infect other machines via Server Message Block (SMB) or by exploiting the Windows Management Instrumentation (WMI)," DICT noted from its recent observation since June 2021.
Furthermore, it said that when executed, the aforementioned ransomware terminates over 280 Windows services and processes, including programs that could potentially prevent file encryption.
"Included in this category are Windows services for mail servers, database servers, backup servers, and security applications," DICT said.
"The ransomware will then delete Windows Shadow Volume Copies to prevent them from being used to recover files," it added.
Afterward, Medusa encrypts files with various extensions, such as .docx, .xlsx, .pptx, .pdf, .jpg, .png, .mp3, and more.
"It uses an AES-256 encryption algorithm and appends the .MEDUSA extension to the encrypted files," the DICT said.
"The ransomware then creates a ransom note text file named !!!READ_ME_MEDUSA!!!.txt. The ransom note instructs the victim to contact the attacker via a TOR chat or a TOX ID," it added.
