There has been a recent uptick in news articles about the Medusa ransomware variant being used in attacks on companies through Outlook and Gmail. Medusa, a particularly dangerous variant, has affected numerous sectors, including medical, education, legal, insurance, tech, and manufacturing. Medusa was first brought to our attention back in 2021 by CISA, the Cybersecurity and Infrastructure Security Agency. Since then, a group that goes by the name of Spearwing has been actively using the Medusa ransomware, often through phishing, to exfiltrate data, encrypt it, and then extort the victims for large sums of money.
At IntegraMSP, we take the threat of ransomware like Medusa very seriously. As part of our comprehensive cybersecurity strategy, we implement several key measures to protect our clients from such threats.
HOW DOES INTEGRAMSP MITIGATE THREATS LIKE MEDUSA RANSOMWARE?
THREAT INTEL AND RESEARCH:
We utilize a Security Operations Center (SOC) whose expert threat team, together with the Adversary Pursuit Group, is continually gathering and organizing real-time threat intelligence, patches, and workarounds in a centralized hub. Our SOC provides 24/7 support and actively monitors our clients' environments for threats. If they see activity that is deemed suspicious, they reach out to our team while isolating the activity until it can be confirmed as safe or is remediated. The SOC team is led by NSA and former government operatives who are constantly trained on the latest threat vectors.
COMPREHENSIVE SECURITY ASSESSMENTS:
We conduct thorough security assessments to identify potential vulnerabilities within our clients' systems. This proactive approach helps to pinpoint weak spots before cyber attackers can exploit them.
ENDPOINT DETECTION AND RESPONSE (EDR) /MANAGED DETECTION AND RESPONSE (MDR):
The first step in endpoint protection comes through Endpoint Detection and Response (EDR), which continuously monitors for unusual activity and potential ransomware threats. By using cutting-edge technology, we can quickly identify and neutralize threats before they cause significant damage. EDR continually monitors endpoints and logs relevant activity on managed devices. It then aggregates the telemetry to provide event logs, authentication attempts, application use and other data to our team in real time. Through the use of AI, machine learning and analytics based on global threat intelligence, EDR is able to flag potential attacks, raise alerts and isolate endpoints so that we can investigate and remediate if necessary. The tool also retains the collected data so that it is available for forensics in future investigations.
In addition to EDR, IntegraMSP adds a further layer of Managed Detection and Response (MDR). When an attack occurs, response speed is crucial. IntegraMSP offers 24/7 MDR to quickly address threats, minimizing the time between detection and remediation. By isolating endpoints immediately, this technology prevents the threat from spreading. Additional Identity Response provides context on where Single Sign-On (SSO) logins are used to protect your environment.
MULTIFACTOR AUTHENTICATION/IDENTITY MANAGEMENT:
We mandate multifactor authentication (MFA) for all services and accounts accessing critical systems. MFA adds an additional layer of security, making it much harder for unauthorized users to gain access. IntegraMSP also uses a tool to detect unauthorized users, suspicious login attempts, re-routed connections, logins from unauthorized countries, and similar anomalies. IntegraMSP additionally utilizes a further MFA tool that doubles as an identity management tool. This tool provides phishing-resistant MFA with two or more authentication methods, is able to define and manage trusted endpoints, and supports customizable policies based on role, device and location.
REGULAR UPDATES AND PATCHING:
Keeping all operating systems, software, and firmware up to date is crucial. We ensure that our clients' systems are regularly updated to protect against known vulnerabilities that ransomware can exploit.
NETWORK SEGMENTATION:
We have the ability, through our network tools, to segment networks to contain potential ransomware outbreaks and prevent them from spreading. This ensures that if one part of the network is compromised, the threat is isolated and cannot affect the entire system. This is done through segmented guest networks, adaptive security policies and tags. We can also isolate traffic from outside sources versus internal networks.
SECURE REMOTE ACCESS:
For secure remote access, we have now implemented Secure Access Service Edge (SASE), which is designed for zero-trust network access. This solution allows remote connection without the security risks that come with conventional VPNs and remote access tools. Through multi-layered security including 2FA and full traffic inspection with AES 256-bit encryption, our clients are able to securely access their network remotely. These tools provide a secure connection, preventing unauthorized access to our clients' internal systems.
BACKUP, CONTINUITY AND DISASTER RECOVERY (BCDR) SOLUTION FOR UNINTERRUPTED BUSINESS OPERATIONS:
Maintaining regular offline backups of data is a critical part of our strategy. Using a proven Backup/Continuity/Disaster Recovery solution, we ensure that backups are encrypted and secure, providing a recovery option in the event of a ransomware attack. We are able to protect your data with multi-layered security that includes immutable backups, hardened appliances, end-to-end data encryption, geographically distributed cloud storage, ransomware detection, forced two-factor authentication, role-based access control, and a patented Cloud Deletion Defense™. Using this BCDR system, we are able to virtualize our clients' systems either locally or in the cloud to allow them to get back to business quickly. With our BCDR you are able to avoid extended outages and data loss by quickly restoring your data.
ACCESS CONTROL AND MONITORING:
We continuously monitor for unauthorized access attempts and network scans. By filtering network traffic and blocking untrusted origins, we reduce the chances of ransomware infiltrating our clients' systems. Using a DNS filtering tool, we are further able to identify risky behaviors with user analytics and isolate devices with zero-trust isolation through Geo IP and network filtering.
ZERO-TRUST ENDPOINT PROTECTION:
Using a powerful zero-trust tool, IntegraMSP is able to control network traffic, block untrusted software, and block all applications and scripts from running that are not explicitly allowed, including ransomware. The tool is also able to ringfence applications and systems to prevent exploits and attacks that weaponize legitimate tools such as PowerShell, by limiting what the software can do. It is NIST, HIPAA, CIS, PCI and Essential Eight compliant.
EMPLOYEE TRAINING:
Educating employees about cyber threats and safe practices is essential. We provide regular training sessions with a tool that helps train through targeted email campaigns to ensure that staff members recognize phishing attempts and other common attack vectors.
EMAIL SECURITY:
IntegraMSP uses a multi-pronged solution to catch and prevent phishing and malware before it reaches our clients.
The first line of defense is an email security tool, an anti-phishing and anti-malware solution that works in tandem with Microsoft 365. This tool uses machine-learning models trained on attacks that bypass Microsoft 365, analyzing over 300 indicators per message. Software as a Service (SaaS) integration provides role-based models and tight mailbox control to catch what external email gateways can't. With the most advanced sandboxing and active content analysis in the industry, it offers the ability to quarantine threats before users download them. The tool sandboxes every file for testing before it can be downloaded, quarantines the file, and performs threat extraction. DLP security tools detect leaks of PCI, HIPAA, FERPA, PII and other sensitive information.
By further layering on a DMARC tool, IntegraMSP is able to implement powerful, domain-level protection to secure our clients' domains against phishing, spoofing and business email compromise (BEC). Using this tool we can verify and validate legitimate sending sources and block attempts at brand impersonation.
INCIDENT RESPONSE PLANNING:
In the unfortunate event of a ransomware attack, we have a robust incident response plan in place. Our team is prepared to act swiftly to contain the threat, recover data, and restore normal operations with minimal downtime.
At IntegraMSP, our goal is to provide a robust defense against ransomware like Medusa, ensuring that our clients' data and operations remain secure.