Attacks using a type of ransomware called Medusa have grabbed headlines and crippled organizations in critical industries including health care. Now, the FBI is asking companies and individuals to take extra steps to protect important accounts, including Gmail and Outlook.
The actors behind the attacks use classic strategies, such as tricking a recipient into downloading a malicious program to gain access to accounts. Once inside a system, the attackers use Medusa to snake their way through the network until they get their hands on sensitive data, which they then hold for ransom. According to one data leak site, the hackers have asked victims for $100,000 to $15 million in exchange for not releasing data to the public.
There are a few steps individuals can take to protect themselves and their employers, according to an advisory from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) posted last week. If you use an email account or VPN and haven’t turned on two-factor authentication and checked for software updates, now’s the time.
Here’s a short cybersecurity to-do list as Medusa and other cyberthreats make the rounds.
Often, bad actors trick employees by using websites, URLs and email addresses that are just a letter or two off from their legitimate counterparts. For example, [email protected] becomes [email protected]. If an email looks suspicious, hunting for alternate spellings is a good first line of defense.
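The "a letter or two off" check above can be automated on the receiving side. The following Python snippet is an added example, not code from the article or from the FBI/CISA advisory: it compares the sender's domain against a list of domains you trust, first folding common look-alike substitutions (rn for m, 1 for l, 0 for o) and then measuring edit distance, so both "examp1e.com" and "exarnple.com" are flagged as imitations of "example.com". The trusted domains and sample addresses are constructed for the demonstration, and the function names are hypothetical.

```python
# Added example: flag sender domains that imitate a trusted domain.
# Not part of the original article; domains below are constructed samples.

# Character sequences attackers swap in because they look alike in most fonts.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    """Lower-case a domain and fold look-alike sequences to their plain form."""
    folded = domain.lower().strip()
    for lookalike, plain in CONFUSABLES:
        folded = folded.replace(lookalike, plain)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_sender(address: str, trusted_domains, max_distance: int = 2):
    """Classify the sender's domain.

    Returns ("trusted", domain) for an exact match, ("lookalike", imitated)
    when the domain is within max_distance edits of a trusted one after
    folding confusables, and ("unknown", None) otherwise.
    """
    domain = address.rsplit("@", 1)[-1].lower().strip()
    trusted = {t.lower() for t in trusted_domains}
    if domain in trusted:
        return ("trusted", domain)

    folded = normalize(domain)
    best = None
    for candidate in trusted:
        distance = levenshtein(folded, normalize(candidate))
        if best is None or distance < best[0]:
            best = (distance, candidate)

    if best is not None and best[0] <= max_distance:
        return ("lookalike", best[1])
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample data for the demo.
    trusted = ["example.com", "example-bank.com"]
    for sender in ["hr@example.com", "hr@examp1e.com", "payroll@exarnple.com",
                   "news@unrelated-site.org"]:
        print(sender, "->", check_sender(sender, trusted))
```

Keep the distance threshold small: with a long allow-list, a threshold of 3 or more will start flagging legitimate short domains that happen to be a few characters apart. The "lookalike" verdict is a signal to hold the message for review, not proof of malice.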
If an email arrives promising a bonus you didn’t know you were receiving, you probably aren’t receiving it. Hackers use whatever is most likely to get clicks, so get familiar with some classic phishing lures, such as an “accidental” email from HR with an attachment titled “Companywide salaries.” Fake Amazon gift cards and DocuSign links are also popular, says Peter Quach, director of client relations at security firm Polito.
Excitement compels people to click, but so does anxiety. “Your Amazon package has been delayed” is another favorite.
Hackers also prey on people’s tendency to defer to authority. Fake emails from CEOs or senior executives asking for account credentials — or wire transfers — are a common tactic.
Be wary of links and file downloads from social media, file-sharing tools and email marketing. LinkedIn, Microsoft Office 365, Google’s G-Suite and Dropbox have all been home to messages containing ransomware.
Written messages aren’t the only way to compromise a network. Cybercriminals might also just pick up the phone, pose as a colleague and ask you for account information. Always authenticate requests through another channel or check with IT.
Two-factor authentication adds an extra way to verify your identity when you’re logging in, rather than just a password that can be guessed or stolen.
For all your important accounts — such as Gmail, Outlook, VPNs, banking and health — go into your settings and turn on two-factor authentication. Next time you log in, the account will ask for an extra step to make sure it’s you, such as punching in a six-digit code sent to your text messages or approving the sign-in attempt from a separate authenticator app.
We recommend using an authenticator app on your phone rather than relying on text messages (bad actors love to remotely take over phone numbers). You can go to the Apple or Google app stores to download authenticator apps such as Okta Verify, Google Authenticator or Microsoft Authenticator.
You can download the data from important accounts so it’s still accessible in case of a hack.
For Gmail, for instance, go to the Google Takeout tool. You can pick what to download, but make sure “Mail” is selected.
When you’re ready, scroll to the bottom and click “next step.” Then choose where you want to receive the downloaded files, what format they should be in and how often you want to back up the account. Then click “create export.” It might take a few hours or days for the download to be ready.
You might feel tempted to pretend as though nothing happened and hope no one notices. But don’t do that.
“That is often the first reaction, and it is not ideal,” said Ryan Kalember, chief strategy officer at security firm Proofpoint. “When you fall for something, the attacker still has some window of time where they have to figure out what they’ve just got and whether it’s even worth taking advantage of.”
That gap — or dwell time, in industry lingo — is incredibly valuable for your company’s IT team. If you report what happened right away, odds are you’re in line with your company’s security policies and have little to worry about. Phishing emails are common, and it’s tough to expect employees to get it right 100 percent of the time.
But if you brush the incident under the rug, it could come back to haunt you. When ransomware attackers use phishing to access company networks, they do so through a compromised employee account. By reporting your encounter with a phishing email to your IT team, you distance yourself from any subsequent malicious activity coming from your accounts.