Date: 2023-09-25

The Department of Information and Communications Technology (DICT) has advised all government agencies and the general public to be vigilant regarding the Medusa Ransomware.

In its recent Sunday advisory, the DICT mentioned that the Medusa Ransomware spreads by taking advantage of publicly accessible Remote Desktop Protocol (RDP) servers, using methods such as brute force attacks, phishing campaigns, or exploitation of pre-existing vulnerabilities.

The department stated that once inside the network, the Medusa Ransomware spreads throughout it by infecting other devices via Server Message Block (SMB) or Windows Management Instrumentation (WMI).

The most recent attack was on PhilHealth.

The DICT asks all government agencies and the public to refer to the technical advisory through https://dict.gov.ph/wp-content/uploads/2023/09/DICT-Medusa-Advisory.pdf for further details about the Medusa Ransomware and the measures that must be implemented to prevent it from accessing systems and devices.

These include:

Regularly monitoring the organization’s attack surface and conducting a port inventory of its various systems;

Backing up files, systems, processes, and other digital assets;

Implementing a security information and event management (SIEM) system and mandatory installation of anti-malware, EDR (Endpoint Detection and Response) and XDR (Extended Detection and Response) in all government offices;

Implementing network segmentation;

Prohibiting the use of pirated software and unlicensed programs in all government offices, especially those downloaded from the internet;

Checking any suspicious emails, especially those received from unknown addresses;

Reviewing and updating BYOD (bring your own device) policies of government offices;

Reviewing access management policies for the organization’s digital assets under work-from-home arrangements, especially the use of non-government-issued computers;

Updating all installed programs;

Implementing account lockout policies to defend against brute force attacks; and

Implementing a recovery plan that maintains and retains multiple copies of sensitive or proprietary data and servers in physically separate, segmented, and secure locations.

The DICT volunteered to provide technical assistance and support to government agencies, which may contact the National Computer Emergency Response Team of the DICT Cybersecurity Bureau at cert-ph@dict.gov.ph or call 8920-01-01 local 1708 and 2378.