Medusa Ransomware Operation Targets Water for People: $300,000 Ransom Demanded

Security Awareness
18 January 2024
Medusa Ransomware

Ransomware as a Service Attack on the NGO Water for People!

It is believed that no one would ever refuse to give a drink to someone thirsty.
However, the world of crime is a completely different world that doesn’t abide by the rules and doesn’t value collective ethics.
This means that cybercriminals, who are not kind-hearted at all, can target anyone without remorse, even non-profit organizations that provide vital goods and services to people around the world.

Recently, Water for People, a non-governmental organization (NGO) established in the early 1990s by the American Water Works Association, was hit by a ransomware attack.

The organization was created in response to growing water shortages in developing countries and currently operates in 9 countries including Bolivia, Guatemala, Honduras, Peru, India, Malawi, Rwanda, Tanzania, and Uganda. It aims to enhance access to clean water for about 200,000 people in the next 8 years.

The Medusa gang claimed responsibility for the attack and demanded a ransom payment of $300,000 within 10 days to prevent them from publishing the stolen data and information.

A Water for People spokesperson confirmed that the stolen data preceded 2021 and as a result, the financial system of the organization has not been compromised. He also assured those concerned that security measures had been put in place to prevent future incidents. The spokesperson stated that the recent cyberattack by Medusa Locker Ransomware did not affect the organization’s work in combating the global water crisis and promoting sustainable access to clean water and sanitation.

“The recent cyber attack by Medusa Locker Ransomware – he said – did not affect our important work combating the global water crisis and promoting sustainable access to clean water and sanitation”.


Although the NGO is reassuring those concerned, it is important to understand that non-profit organizations are not immune to cyberattacks. If the attack on Water For People had been successful, the implications could have been devastating. The potential exposure of sensitive data could compromise the integrity and reliability of the organization, leading to serious repercussions for the communities that rely on it. This could result in a significant loss of trust from donors, ultimately damaging the NGO’s survival.

It is worth noting that just before this attack, Water for People had received a $15 million donation from MacKenzie Scott, the billionaire ex-wife of Amazon founder Jeff Bezos. Although there is no evidence that this donation was the reason for the attack, the suspicion is well-founded.

Non-profit organizations are particularly vulnerable to cyber attacks as they collect and store sensitive user data, including donor and volunteer tax codes, credit card data, personal health information, and more.


The Medusa ransomware

The Medusa ransomware, also known as MedusaLocker, was first identified in September 2019. It primarily targets Windows computers and has been responsible for several attacks on various entities, including companies, government bodies, and healthcare providers.

The group behind the Medusa ransomware encrypts the victim’s data, denying access to their devices, and then demands a ransom to unlock them. The threat is usually the publication of sensitive information.

It’s worth noting that not all criminal gangs are the same. Some, like the DarkSide group, have a code of conduct that prevents them from attacking certain organizations, including schools, non-profit organizations, NGOs, and other socially relevant entities.


One of the ransom notes of Medusa Ransomware (Source: ThreatLabz)


Ransomware-as-a-service, the new service agencies for criminals

Many experts are convinced that the increasingly widespread use of Ransomware-as-a-service (RaaS) has recently played a key role in keeping the spread of ransomware high; it remains one of the types of attacks most widely used by criminals. A 2022 report by Zscaler found that 8 of the 11 most active ransomware variants were RaaS variants.

The RaaS model has become increasingly popular among cybercriminals because it is also accessible to amateur criminals, who are not forced to develop malware on their own.
On the other hand, developers can earn money without carrying out a direct attack and without getting their hands too dirty. They develop and package their malicious tools, organize them into kits and subscriptions (annual, monthly, one-off) and sell them to other criminals on the dark web.

Often, along with the malicious product, developers sell a number of services: technical support; access to private forums for advice and information shared between hackers; access to portals for payment processing (mostly in cryptocurrencies); advice for personalised writing of ransom requests, or for negotiating with victims.
These are real service agencies for those who want to pursue a career in cybercrime, dangerously expanding the attack surface by onboarding unscrupulous, amateur criminals.


How to defend oneself against Ransomware


“We need to pay more attention to the security of our organizations due to these changes.”

It is important to emphasize that awareness is the first step in protecting oneself from cyberattacks.
Although technological tools can help prevent these attacks, the most effective weapon is providing individuals with proper training and education to develop personalized digital habits.
The human factor remains the main factor that puts security at risk.
Therefore, the key words to bear in mind are awareness, attention, effective training, and education, which should be tailored to individual needs, including the use of artificial intelligence and machine learning. 


Articoli correlati

Digital Operational Resilience Act (DORA)

Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is a EU regulation that entered into force on 16 January 2023 and will apply as of 17 January 2025. It aims at strengthening the IT security of financial entities such as banks, insurance companies and investment firms and...

read more