FBI Warning: Enable 2FA For Gmail, Outlook And VPNs Now
www.forbes.com
The FBI issues mitigation advice as Medusa ransomware attacks continue.

The Federal Bureau of Investigation has recently warned of weird ransomware attack threats delivered by the United States Postal Service, yes really, alongside a dangerous ransomware campaign from so-called Ghost attackers, and some of the most sophisticated threats against Gmail users ever. With the FBI having previously advised users to use two-factor authentication to mitigate such attacks, a newly published FBI industry alert has rolled the mitigation advice into one as ongoing attacks by the Medusa ransomware gang continue. Enable 2FA for webmail services such as Gmail and Outlook, as well as for VPNs, the FBI has warned. And enable it now. Here's what you need to know.

FBI And CISA Issue Medusa Ransomware Industry Joint Alert

Medusa, a highly dangerous ransomware-as-a-service provider, known to have impacted at least 300 victims from the critical infrastructure sector since the campaign was first observed in June 2021, is known to employ both social engineering and unpatched software vulnerability exploitation during attacks. FBI investigations as recently as February have enabled intelligence agencies to assemble a dossier of tactics, techniques, and procedures, indicators of compromise, and detection methods associated with the threat actors.

In partnership with the U.S. Cybersecurity and Infrastructure Security Agency, the FBI has issued a joint March 12 cybersecurity advisory against the backdrop of attacks by the Medusa ransomware group. The full FBI alert, AA25-071A, goes into great depth regarding the technicalities of the Medusa operation. As such, it is important that it be read by all cyber-defenders.
However, for the purposes of this article I am going to focus on the attack mitigation advice offered by the FBI.

Mitigating Medusa

FBI Says Enable 2FA For Webmail And VPNs Now

When it comes to the immediate, as in right now, actions that all organizations should be taking in order to mitigate the Medusa ransomware attack campaigns, the FBI has recommended the following:

Require two-factor authentication for all services where possible, but in particular for webmail such as Gmail, Outlook and others, along with virtual private networks and any accounts that can access critical systems.
Require all accounts with password logins to use long passwords and consider not requiring frequently recurring password changes, as these can weaken security.
Retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location.
Keep all operating systems, software, and firmware up to date. Prioritize patching known exploited vulnerabilities in internet-facing systems.
Identify, detect, and investigate abnormal activity and potential traversal of the indicated ransomware with a networking monitoring tool.
Monitor for unauthorized scanning and access attempts.
Filter network traffic by preventing unknown or untrusted origins from accessing remote services on internal systems.
Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
Disable command-line and scripting activities and permissions.
Disable unused ports.

Despite FBI And CISA Advice, The Hackers Must Be Laughing

Not everyone is happy with the advice that has been given by the FBI and CISA with regard to the Medusa ransomware group threat. Take Roger Grimes, a data-driven defence evangelist at KnowBe4, who said that it continues a long tradition of warning people about ransomware that spreads using social engineering while not suggesting security awareness training as a primary way to defeat it.
Grimes said that, in the experience of KnowBe4, social engineering is involved in 70% - 90% of all successful hacking attacks. Yet, despite the official alert noting that social engineering is one of the primary methods of distributing the ransomware threats, awareness isn't mentioned in the 15 recommended mitigations. "It's like learning that criminals are breaking into your house all the time through the windows and then recommending more locks for the doors," Grimes said. Warning that such a continued misalignment between the ways we are most often attacked by threat actors and their malware programs and how we are told to defend ourselves enables hackers to continue to be successful, Grimes concluded that "the hackers must be laughing."