The Department of Information and Communications Technology (DICT) released on Sunday, September 24, a Technical Advisory on the Medusa Ransomware for the reference of government agencies and the public.

As stated in the Advisory, the Medusa Ransomware is distributed by exploiting publicly exposed Remote Desktop Protocol (RDP) servers either through brute force attacks, phishing campaigns, or exploitation of existing vulnerabilities. Once inside the network, the Medusa Ransomware will then move laterally on the network to infect other machines via Server Message Block (SMB) or by exploiting the Windows Management Instrumentation (WMI).

The DICT asks all government agencies and the public to refer to the technical advisory through this link: https://dict.gov.ph/.../2023/09/DICT-Medusa-Advisory.pdf for further details about the Medusa Ransomware and the measures that must be implemented to prevent the said ransomware from accessing systems and devices. These include:

• Regular monitoring of the organization’s attack surface and conduct of port inventory of various systems; 

• Backing up files, systems, processes, and other digital assets; 

• Implementing a security information and event management system and mandatory installation of anti-malware, EDR (End-point Detection Response) and XDR (Extended Detection and Response) in all government offices;

• Implementing network segmentation; 

• Prohibiting the use of pirated software and unlicensed programs in all government offices, especially those downloaded from the internet;

• Checking of any suspicious emails, especially those received from unknown addresses;

• Reviewing and updating BYOD (bring your own device) policies of government offices; 

• Reviewing of access management policies of the organization’s digital assets on work-from-home arrangements, especially including the use of non-government-issued computers;

• Updating of all installed programs;

• Implementing account lockout policies to defend against brute force attacks; and

• Implementing a recovery plan that maintains and retains multiple copies of sensitive or proprietary data and servers in physically separate, segmented, and secure locations.

For technical assistance and support, government agencies are urged to contact the National Computer Emergency Response Team of the DICT Cybersecurity Bureau at cert-ph@dict.gov.ph or at 8920-01-01 local 1708 and 2378.