Medusa attacks Northeast Ohio Neighborhood Health Services
NEON Attacked by Medusa Ransomware Gang
Overview
Northeast Ohio Neighborhood Health Services (NEON) has been attacked by the ransomware gang Medusa. NEON is a Federally Qualified Health Center (FQHC) network of community health centers dedicated to improving access to health care and reducing health disparities in Greater Cleveland. Its mission is to provide quality, personalized, and family-oriented comprehensive healthcare services to Northeast Ohio residents at a reasonable cost, with professional, dedicated employees, while employing the most current healthcare practices that are responsive to community needs for the prevention and treatment of disease.
Medusa Ransomware
Medusa is a Ransomware as a Service (RaaS) that emerged in the summer of 2021 and has become one of the more active RaaS platforms. The attack volumes were inconsistent in the first half of 2023, with a resurgence of activity in the latter half of the year. The attackers employ various tactics to avoid detection and hinder recovery, such as restarting infected machines in safe mode, deleting local backups, disabling startup recovery options, and deleting VSS Shadow Copies to prevent encryption rollback.
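The recovery-inhibition behaviours listed above can be hunted for in process-creation telemetry; the following is an added example, not code from the original article or from any Halcyon product. It assumes the Windows utilities commonly documented for these actions (vssadmin, wmic, wbadmin, bcdedit), which the article itself does not name, and it runs over constructed events in a hypothetical `host= user= cmd=` log format.

```python
import re
from collections import defaultdict

# Behaviours named in the article, mapped to Windows utilities commonly
# documented for them. The mapping is an assumption: the article lists no commands.
RULES = {
    "vss_shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"
        r"|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "local_backup_deletion": re.compile(
        r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|backup|systemstatebackup)\b", re.I),
    "startup_recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "safe_mode_boot_configured": re.compile(
        r"\bbcdedit(\.exe)?\b.*\bsafeboot\s+(minimal|network)\b", re.I),
}
EVENT = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

# Constructed process-creation events (hypothetical hosts, users and timestamps).
SAMPLE_LOG = r"""
2024-01-01T02:14:01Z host=WS-014 user=SYSTEM cmd=C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
2024-01-01T02:14:03Z host=WS-014 user=SYSTEM cmd=bcdedit /set {default} recoveryenabled No
2024-01-01T02:14:05Z host=WS-014 user=SYSTEM cmd=bcdedit /set {default} safeboot minimal
2024-01-01T02:20:00Z host=SRV-002 user=backupsvc cmd=vssadmin list shadows
2024-01-01T02:21:00Z host=SRV-003 user=admin cmd=wbadmin delete catalog -quiet
""".strip().splitlines()


def scan(lines):
    """Return (host, behaviour, command line) for every event matching a rule."""
    hits = []
    for line in lines:
        m = EVENT.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        for name, rule in RULES.items():
            if rule.search(m["cmd"]):
                hits.append((m["host"], name, m["cmd"]))
    return hits


def hosts_at_risk(lines, min_behaviours=2):
    """Hosts showing several distinct behaviours; a single one may be admin work."""
    seen = defaultdict(set)
    for host, name, _ in scan(lines):
        seen[host].add(name)
    return {h: sorted(b) for h, b in seen.items() if len(b) >= min_behaviours}


if __name__ == "__main__":
    for host, behaviours in hosts_at_risk(SAMPLE_LOG).items():
        print(host, behaviours)
```

Correlating several distinct behaviours on one host keeps routine administration, such as a lone backup catalog cleanup, from raising the same alert as the combined pattern.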
Attack Patterns
Medusa intensified its attacks towards the end of 2022 and remained active in the first quarter of 2023, although there has been a decrease in activity in the second quarter. The ransom demands by Medusa are typically in the millions of dollars, depending on the target organization's financial capabilities. The ransomware is spread through malicious email attachments (macros), torrent websites, or malicious ad libraries. Medusa is known to target various industries, with a focus on healthcare, pharmaceutical companies, and public sector organizations.
Double Extortion Scheme
Medusa employs a double extortion scheme, exfiltrating some data before encrypting it. The affiliates who carry out attacks on Medusa's behalf are offered only up to 60% of the ransom amount if it is paid.