"You'll Never Need to Work Again": Inside the Medusa Ransomware Gang's Brazen Attempt to Recruit a BBC Journalist

In an extraordinary case that exposes the evolving tactics of ransomware operations, BBC cyber correspondent Joe Tidy revealed in September 2025 that he was directly targeted by the Medusa ransomware gang for insider recruitment. The criminals offered him up to 25% of a potential multi-million-dollar ransom—enough to "never need to work again"—in exchange for providing access to BBC's internal systems. When Tidy refused to cooperate, the attackers escalated to MFA bombing, flooding his phone with authentication requests in a desperate attempt to gain unauthorized access.

This incident provides a rare, first-hand account of how sophisticated ransomware operations actively recruit insiders, offering a disturbing glimpse into the industrialization of cybercrime and the human vulnerabilities that even the most secure organizations face.

‘You’ll never need to work again’: Criminals offer reporter money to hack BBC

Reporter Joe Tidy was offered money if he would help cyber criminals access BBC systems.

BBC News

Executive Summary

Bottom Line Up Front: The Medusa ransomware-as-a-service gang approached BBC cybersecurity correspondent Joe Tidy in July 2025 via Signal, offering him 15-25% of a potential ransom (estimated in the "tens of millions") to provide laptop access to BBC systems. When Tidy stalled, attackers launched an MFA fatigue attack, bombarding him with authentication requests. The incident—thwarted by Tidy's immediate reporting to BBC's security team—reveals the systematic nature of insider recruitment operations and the critical importance of employee security awareness, reporting culture, and robust MFA protocols. This attack method represents a dangerous evolution in ransomware tactics that bypasses technical controls by exploiting human psychology and financial desperation.

The Initial Contact: A Proposition from the Shadows

July 2025: The Message Arrives

Joe Tidy, BBC's cyber correspondent and a journalist who routinely covers cybersecurity threats, received an unsolicited message on the encrypted messaging app Signal from an individual calling themselves "Syndicate" (shortened to "Syn").

The message was direct and chilling:

"If you are interested, we can offer you 15% of any ransom payment if you give us access to your PC."

For most BBC employees, such a message might have been confusing or alarming. For Tidy, who reports on cybercrime and ransomware operations regularly, the context was immediately clear: he was being recruited as an insider threat by a criminal organization.

The Criminal Pitch: Millions for Access

Syn wasted no time establishing credibility and making the proposition enticing. The attacker:

Identified Their Affiliation: Claimed association with Medusa, a notorious ransomware-as-a-service operation that has compromised over 300 organizations since 2021, including critical infrastructure across healthcare, education, manufacturing, and government sectors.

Demonstrated Legitimacy: Sent Tidy a link to a March 2025 CISA warning about Medusa, proudly citing the gang's track record of successful attacks. The document confirmed that Medusa had targeted "more than 300 victims" in just four years of operation.

Escalated the Offer: When Tidy didn't immediately respond, Syn increased the commission from 15% to 25% of the final ransom payment, emphasizing that the amount could be "in the tens of millions." The criminal's logic was simple: demand approximately 1% of the BBC's total revenue as ransom.

Promised Anonymity and Security: Offered complete anonymity for Tidy's participation, citing several past cases where insider recruitment had successfully compromised major organizations. Syn specifically mentioned breaches of a UK healthcare company and a US emergency services provider that allegedly succeeded through rogue insider access.

Provided Upfront Payment: Offered 0.5 BTC (approximately $55,000 at the time) in escrow on a hacker forum before the attack even began, demonstrating financial commitment and attempting to build trust.

Emphasized Financial Motivation: Made it clear this was purely business: "We aren't bluffing or joking – we don't have a purpose media wise we are only for money and money only and one of our main managers wanted me to reach out to you."

The message was clear: cooperate and become wealthy, or miss a once-in-a-lifetime opportunity.

What the Criminals Wanted

Syn's requirements were specific and technically straightforward:

1. Laptop Access: Use Tidy's work laptop as an entry point to BBC's internal network
2. Credential Provision: Provide login credentials for corporate systems
3. Script Execution: Run reconnaissance commands on the work laptop to map the network and identify valuable targets
4. MFA Approval: Approve multi-factor authentication requests when prompted, granting persistent access
5. Ongoing Cooperation: Maintain the appearance of normalcy while attackers moved laterally through BBC's infrastructure

Once inside, the Medusa operation planned to:

• Steal valuable data from BBC servers and databases
• Encrypt critical systems and backups
• Hold the organization to ransom using a double-extortion model (pay or we leak)
• Potentially demand tens of millions based on BBC's annual revenue
• Execute the attack from a position of insider access, bypassing perimeter security

The plan relied entirely on Tidy's cooperation—or at least on wearing him down until he accidentally provided what they needed.

Tidy's Response: Journalism Meets Counter-Intelligence

The Stalling Strategy

Rather than immediately refusing or reporting the contact, Tidy made a calculated decision: engage with the attackers while coordinating with BBC's information security team. This approach served multiple purposes:

1. Intelligence Gathering: Learn about Medusa's tactics, techniques, and procedures
2. Source Documentation: Collect evidence for reporting on insider threat operations
3. Threat Assessment: Determine the sophistication and persistence of the attackers
4. Security Validation: Test BBC's detection and response capabilities

Tidy's position as a cybersecurity journalist gave him unique insight into the threat he was facing, but it also meant he understood the risks of engagement. He walked a careful line between gathering information for his reporting and avoiding any actions that could be misinterpreted as cooperation.

The MFA Bombing Attack

After several days of Tidy stalling and not executing the commands Syn requested, the attackers dramatically escalated their approach.

The Attack Unfolds:

Without warning, Tidy's phone began receiving a rapid-fire barrage of multi-factor authentication requests. The MFA bombing attack—also called MFA fatigue—involved:

Repeated Login Attempts: Using stolen or guessed credentials, the attackers triggered dozens of authentication prompts Psychological Pressure: Each notification demanded immediate action, creating urgency and confusion Fatigue Exploitation: The constant stream of alerts was designed to overwhelm Tidy's patience, hoping he would accidentally tap "approve" just to make them stop Time Pressure: The attack occurred rapidly, giving Tidy limited time to think or verify the legitimacy of the requests

This tactic, perfected by groups like Lapsus$ in previous high-profile breaches (including Uber and Cisco), exploits a fundamental weakness: human psychology. Users bombarded with authentication requests often:

• Assume system glitches and approve to "fix" the problem
• Get frustrated and approve without thinking
• Worry they're blocking legitimate work and approve out of anxiety
• Accidentally tap the wrong button in the chaos

In Tidy's case, the MFA bombing served two purposes:

1. Direct Attack: If successful, it would grant attackers access to BBC systems
2. Pressure Tactic: Demonstrate capability and seriousness, convincing Tidy that resistance was futile

The Security Response

Tidy immediately recognized the MFA bombing for what it was: a desperate escalation by attackers who couldn't achieve their goals through social engineering alone.

Immediate Actions Taken:

1. Contacted BBC Security Team: Tidy reported the MFA bombing attack as it was happening
2. System Isolation: As a precautionary measure, BBC's information security team immediately disconnected Tidy from all corporate IT systems
3. Investigation Launch: Security teams analyzed logs, authentication attempts, and potential breach vectors
4. Threat Assessment: Determined scope of potential compromise and whether other employees were targeted

The Attacker's Reaction:

Following the MFA bombing, Syn sent an apologetic message claiming it was merely a "test" and insisting their offer remained available for "a few days." The message attempted to:

• Downplay the severity of the attack
• Maintain the relationship for future exploitation
• Suggest this was normal business practice
• Keep Tidy as a potential future target

When Tidy didn't respond for several days, the criminal deleted their Signal account and disappeared—a common tactic when an operation is exposed or deemed too risky to continue.

Post-Incident Measures:

• Tidy was reinstated with enhanced security protections
• Additional monitoring was implemented on his accounts
• BBC conducted organization-wide security awareness training
• The incident became a case study in insider threat detection

The attack was unsuccessful, but it provided valuable intelligence about Medusa's operations and the broader trend of insider recruitment by ransomware gangs.

Understanding Medusa: A Ransomware Empire

Origins and Evolution

Medusa ransomware first appeared in June 2021, initially operating as a "closed" operation where all development and activities were controlled by a single group. According to CheckPoint Research, the gang's administrators are believed to operate from Russia or one of its allied states, evidenced by:

• Russian-language communications on dark web forums
• Deliberate avoidance of targets in Russia and Commonwealth of Independent States (CIS) countries
• Activity patterns consistent with Eastern European cybercrime groups
• Use of Russian cybercrime infrastructure and payment channels

Evolution to Ransomware-as-a-Service (RaaS):

By 2023, Medusa had transitioned to a RaaS model, expanding operations while maintaining centralized control over critical functions. This hybrid approach involves:

Affiliate Recruitment: Medusa actively recruits affiliates and initial access brokers (IABs) through cybercriminal forums and marketplaces

Payment Structure: Affiliates receive between $100 and $1 million depending on target value and success, with opportunities for exclusive contracts

Centralized Negotiation: Despite using affiliates for attacks, Medusa developers maintain direct control over ransom negotiations, ensuring consistency and protecting operational security

Reach Out Managers: Dedicated personnel (like "Syn" in the BBC case) are assigned to proposition potential insiders, demonstrating organizational sophistication

This industrialized approach has proven extraordinarily effective, enabling Medusa to scale operations beyond what a single group could accomplish.

The Medusa Business Model

Medusa operates like a modern corporation, with specialized roles and defined processes:

1. Development Team:

• Creates and maintains the ransomware payload
• Develops evasion techniques to bypass security tools
• Updates malware to exploit new vulnerabilities
• Manages the leak site and extortion platform

2. Initial Access Brokers (IABs):

• Compromise target networks through various methods
• Sell access to Medusa affiliates
• May specialize in particular industries or attack vectors

3. Affiliates:

• Execute attacks using Medusa tools and infrastructure
• Deploy ransomware and exfiltrate data
• Report results to developers
• Receive percentage of ransom payments (typically 70-80%)

4. Reach Out Managers (like Syn):

• Identify potential insider threats
• Proposition current or former employees
• Negotiate terms and manage insider relationships
• Handle operational security for recruitment operations

5. Negotiators:

• Controlled centrally by Medusa developers
• Handle victim communications post-breach
• Apply pressure tactics to maximize ransom payments
• Manage public leak site listings

6. Money Laundering:

• Convert cryptocurrency ransoms to usable funds
• Distribute payments to affiliates and developers
• Maintain operational funding

This sophisticated organizational structure explains why Medusa has been so successful despite "relatively basic" technical attacks, according to CISA.

Medusa Ransomware: A Rising Threat in the Cybersecurity Landscape

In recent years, the cybersecurity world has witnessed the rise of a formidable threat: the Medusa ransomware group. Active since June 2021, Medusa has evolved from relative obscurity to a high-profile cybercriminal operation, targeting global corporate entities with demands for exorbitant ransoms. Operational Tactics and Targets Medusa’s modus operandi involves

Breached CompanyBreached Company

Attack Profile and Capabilities

By the Numbers (as of February 2025):

• 300+ Confirmed Victims: Organizations across critical infrastructure sectors
• Industries Targeted: Healthcare, education, legal, insurance, technology, manufacturing, government, emergency services
• Geographic Reach: Global operations with particular focus on United States, UK, Canada, Australia, and Western Europe
• Active Since: June 2021 (over 4 years of continuous operation)
• Attack Frequency: Symantec research shows attacks nearly doubled in January-February 2025 compared to 2024

Common Attack Vectors:

According to CISA's March 2025 advisory, Medusa actors typically gain initial access through:

1. Phishing Campaigns: Stealing credentials through social engineering
2. Vulnerability Exploitation: Particularly targeting:
   • CVE-2024-1709 (ScreenConnect remote access tool)
   • CVE-2023-48788 (Fortinet FortiClient)
   • Microsoft Exchange Server vulnerabilities
   • Unpatched internet-facing applications
3. Initial Access Broker Partnerships: Purchasing access from specialized criminals
4. Insider Recruitment: As demonstrated with the BBC case
5. Credential Stuffing: Using previously compromised credentials

Operational Techniques:

• Double Extortion: Encrypt data AND threaten to leak if ransom not paid
• Bring Your Own Vulnerable Driver (BYOVD): Deploy signed vulnerable drivers to disable security software
• KillAV Tools: Systematically disable endpoint protection
• Living-off-the-Land: Use legitimate system tools to evade detection
• Rapid Encryption: Manually shut down and encrypt virtual machines
• Data Exfiltration: Steal sensitive information before encryption

The Leak Site:

Medusa operates a dark web leak site that serves multiple purposes:

• Victim Listing: Organizations that don't pay are publicly named
• Data Preview: Stolen data samples are displayed to prove authenticity
• Purchase Option: Third parties can buy stolen data for additional revenue
• Pressure Tactic: Public exposure increases urgency for victims to pay
• Marketing: Demonstrates capability to potential affiliates and IABs

Notable past victims include:

• Minneapolis Public Schools (refused $1M ransom, 92GB of data leaked)
• Various cancer treatment centers
• British high schools
• Toyota (2023 high-profile attack)
• Multiple Fortune 500 companies (names withheld)

Why Insider Recruitment?

The BBC incident reveals a strategic evolution in Medusa's operations. While technical exploits remain effective, insider access offers several advantages:

Bypasses Technical Controls:

• No need to exploit vulnerabilities
• No alerts from perimeter security
• No suspicious network patterns
• Legitimate credentials provide "invisible" access

Reduces Attack Complexity:

• Insider knows network topology
• Pre-identified valuable targets
• Understands backup and recovery procedures
• Can disable security monitoring from inside

Improves Success Rate:

• Higher confidence in attack success
• Reduced risk of detection during reconnaissance
• Faster time from access to encryption
• Better understanding of ransom payment capacity

Cost-Effectiveness:

• 15-25% commission cheaper than purchasing access
• One-time payment vs. ongoing exploit development
• Reduces technical skill requirements
• Enables attacks on hardened targets

Psychological Impact:

• Insider betrayal is more damaging to organizational trust
• Creates paranoia about other potential insiders
• Demonstrates that no security is foolproof
• Undermines confidence in security investments

The Joe Tidy case proves that Medusa views insider recruitment as a core operational strategy, not an opportunistic tactic.

The Rise of Insider Recruitment as a Ransomware Strategy

A Dangerous Trend

The BBC incident is not isolated. Ransomware operations increasingly target insiders through systematic recruitment efforts:

LockBit:

• Has publicly advertised for insider assistance
• Posts on cybercrime forums seeking employees of specific companies
• Offers substantial commissions for access provision
• Created dedicated channels for insider communication

BlackCat/ALPHV:

• Known to contact employees directly via LinkedIn
• Targets IT administrators and system administrators
• Offers cryptocurrency payments and anonymity
• Successfully compromised several organizations through insiders

Clop:

• Has referenced insider assistance in past breaches
• Combines technical exploits with social engineering
• Targets supply chain partners with access to multiple organizations
• As recently covered in our analysis of the Washington Post breach

The Economics Are Compelling:

For attackers, the math is simple:

Traditional Attack:

• Cost: $50,000-$500,000 (vulnerability research, exploit development, IAB access)
• Success Rate: 20-40% (security controls may block attack)
• Time: Weeks to months from initial access to encryption
• Detection Risk: High (multiple security layers must be evaded)

Insider-Enabled Attack:

• Cost: 15-25% of ransom (paid only on success)
• Success Rate: 60-80% (legitimate access bypasses controls)
• Time: Days from insider cooperation to encryption
• Detection Risk: Low (appears as normal user activity)

From a criminal enterprise perspective, insider recruitment is the logical evolution of ransomware operations.

Who Gets Targeted?

Based on public reports and the BBC case, attackers target individuals with specific characteristics:

Profile of Attractive Insider Targets:

1. IT and Security Personnel:

• System administrators
• Network engineers
• Security operations center analysts
• Database administrators
• Why: Administrative access, deep system knowledge, ability to disable protections

2. Finance and Accounting:

• CFOs and finance directors
• Accounts payable staff
• Treasury department personnel
• Why: Understanding of payment processes, financial access, knowledge of organization's ability to pay

3. Executive Assistants and Support Staff:

• C-suite administrative assistants
• Executive office personnel
• Board support staff
• Why: Access to sensitive communications, calendar visibility, relationship with decision-makers

4. Remote and Contract Workers:

• External contractors with VPN access
• Remote employees in different countries
• Temporary or seasonal staff
• Why: Less loyalty to organization, potentially weaker security awareness, often overlooked in monitoring

5. Journalists and Public Figures (like Joe Tidy):

• Technology reporters covering cybersecurity
• Employees with high public profiles
• Industry analysts and researchers
• Why: Assumed technical knowledge, potentially sympathetic to "hackers," publicity value if successful

6. Disgruntled or Vulnerable Employees:

• Recently passed over for promotion
• Facing financial difficulties
• Preparing to leave organization
• History of policy violations
• Why: Motivation to harm employer, financial need, reduced loyalty

Common Recruitment Vectors:

• Direct Messaging: Signal, WhatsApp, Telegram with encrypted communication
• Social Media: LinkedIn, Twitter, professional forums
• Email: Personal email addresses obtained from data breaches
• Phone: Voice calls claiming to be recruiters or business opportunities
• In-Person: At industry conferences, professional events, or social gatherings
• Anonymous Forums: Job boards, cryptocurrency communities, gambling sites

The systematic nature of these approaches suggests dedicated teams within ransomware organizations focused exclusively on insider recruitment.

MFA Fatigue Attacks: When Authentication Becomes a Weapon

Understanding MFA Bombing

The MFA fatigue attack used against Joe Tidy represents one of the most effective techniques for bypassing multi-factor authentication without technical exploitation. Also known as MFA bombing, MFA spamming, or push fatigue attacks, this tactic exploits human psychology rather than system vulnerabilities.

How MFA Fatigue Works:

Phase 1: Credential Acquisition

• Attackers obtain username and password through:
  • Phishing campaigns
  • Credential stuffing from previous breaches
  • Purchase from dark web marketplaces
  • Infostealer malware (as seen in the Nikkei breach)
  • Social engineering

Phase 2: Login Attempts

• Using stolen credentials, attackers attempt to log in
• Each attempt triggers an MFA push notification to victim's registered device
• Unlike traditional attacks, attackers don't try to bypass MFA—they try to make the user approve it

Phase 3: The Bombardment

• Attackers repeatedly attempt login, triggering constant MFA prompts
• Frequency varies by strategy:
  • Subtle approach: 2-3 requests spread over hours
  • Aggressive approach: Dozens of requests in minutes
• Each prompt demands user action: Approve or Deny

Phase 4: Psychological Exploitation

• Users experience:
  • Confusion: "Is this a system error?"
  • Frustration: "How do I make this stop?"
  • Anxiety: "Did I trigger this somehow?"
  • Fatigue: "I'll just approve it to see what happens"
  • Intimidation: "Someone is clearly trying to access my account"

Phase 5: The Breakthrough

• User accidentally or intentionally approves a request
• Attacker gains authenticated access to the account
• From insider perspective, login appears completely legitimate
• Security logs show: correct password + successful MFA = approved access

Phase 6: Post-Access

• Attacker acts quickly before victim realizes mistake
• Registers additional MFA devices for persistence
• Changes security settings
• Exfiltrates data or deploys malware
• May remain undetected for days or weeks

Notable MFA Fatigue Attack Cases

Uber (September 2022):

• Lapsus$ hacking group targeted external contractor
• Bombarded contractor with MFA requests over several hours
• Contacted victim via WhatsApp pretending to be IT support
• Convinced contractor that approving MFA would "stop the alerts"
• Gained complete access to Uber's internal systems
• Breached sensitive employee and customer data
• Caused massive reputational damage

Cisco (August 2022):

• Yanluowang ransomware operators stole employee credentials
• Used voice phishing (vishing) to convince victim they were IT support
• Launched MFA bombing alongside social engineering
• Employee approved request thinking it was legitimate
• Attackers gained VPN access to internal network
• Cisco detected breach before major damage occurred

University of Queensland, Australia (2024):

• Staff member received unexpected MFA notification
• Without suspicion, approved the request
• Attacker used access to send phishing emails
• Emails directed to fake Microsoft sign-in page
• Credentials stolen from multiple staff and students
• Demonstrated cascading impact of single approval

Microsoft Midnight Blizzard Campaign (2024-2025):

• Nation-state threat actor targeting service desks
• Sophisticated MFA fatigue campaigns against multiple organizations
• Combined with social engineering phone calls
• Successfully compromised several enterprise accounts
• Demonstrated state-sponsored adoption of tactic

Why MFA Fatigue Works

Psychological Factors:

Decision Fatigue:

• Humans have limited capacity for decision-making
• Each MFA prompt requires cognitive effort
• After multiple denials, resistance decreases
• "Approve" becomes the path of least resistance

Habituation:

• Users become desensitized to repeated alerts
• "This must be a glitch I need to fix"
• Normal security skepticism erodes with repetition

Social Engineering Enhancement:

• When combined with phone calls or messages
• Attacker poses as IT support
• "We're seeing the alerts too, just approve one to reset the system"
• Adds layer of legitimacy to requests

Time Pressure:

• Attacks often occur during:
  • Late night (victim wants to sleep)
  • Important meetings (victim wants alerts to stop)
  • Vacations (victim wants to resolve quickly)
  • Deadline pressure (victim can't afford disruption)

Technical Factors:

MFA Design Weaknesses:

• Simple "Approve/Deny" buttons are too easy to tap accidentally
• No context about login attempt (location, device, IP address)
• No rate limiting on authentication requests
• No automatic blocking after multiple denials
• Push notifications don't provide enough information

User Interface Problems:

• Small buttons on mobile devices
• Similar appearance to legitimate system messages
• No clear indication of threat severity
• Approve button sometimes defaults or is more prominent

Organizational Factors:

• Insufficient security awareness training on MFA fatigue
• No clear procedures for handling unexpected MFA requests
• Inadequate incident reporting mechanisms
• "Just make it work" culture over security
• Help desk may not recognize MFA bombing as attack

SimonMed Imaging Data Breach: Medusa Ransomware Strikes Again, 1.2 Million Patients Exposed

October 2025 — SimonMed Imaging, one of the largest outpatient medical imaging providers in the United States, has confirmed that a January 2025 ransomware attack by the Medusa group compromised the protected health information of 1,275,669 individuals, marking one of the most significant healthcare data breaches disclosed this year.

Breached CompanyBreached Company

Defending Against MFA Fatigue

Immediate Protective Measures:

1. Rate Limiting:

• Limit MFA requests to 3-5 within 5-10 minutes
• Automatically block account after limit exceeded
• Require manual admin intervention to unlock
• Alert security team of repeated failures

2. Number Matching:

• Replace simple "Approve/Deny" with number matching
• Display random number on login screen
• User must enter matching number in authenticator app
• Prevents accidental approvals
• Makes automation more difficult

3. Contextual Information:

• Show login location, device type, IP address in MFA prompt
• Display "Was this you?" with clear context
• Include timestamp of attempt
• Highlight unusual characteristics (new location, different device)

4. Geolocation Restrictions:

• Require additional verification for logins from:
  • New countries or regions
  • Known VPN or proxy locations
  • Impossible travel scenarios
• Use allowlists for approved locations

5. Hardware Security Keys:

• Deploy FIDO2/WebAuthn hardware tokens for high-risk users
• Require physical device presence
• Eliminate push-based MFA for privileged accounts
• Phishing-resistant by design

Long-Term Solutions:

1. Security Awareness Training:

• Educate employees specifically about MFA fatigue
• Practice: "If you didn't request login, always deny"
• Teach reporting procedures for MFA bombing
• Remove stigma from security incident reporting
• Regular phishing and MFA simulation exercises

2. Behavioral Analytics:

• Deploy UEBA (User and Entity Behavior Analytics)
• Detect unusual authentication patterns
• Alert on multiple MFA denials
• Identify logins following MFA bombing
• Correlate with other suspicious activity

3. Conditional Access Policies:

• Require additional verification after multiple MFA failures
• Implement progressive authentication (more factors as risk increases)
• Block access from unknown devices/locations until verified
• Use device compliance checks

4. Incident Response Plans:

• Specific playbook for MFA fatigue attacks
• Clear escalation procedures
• Automated account lockdown capabilities
• Communication templates for affected users

5. Alternative MFA Methods:

• Move away from push-notification-only MFA
• Implement multiple available methods:
  • Hardware tokens
  • Authenticator app codes (TOTP)
  • SMS as backup only (not primary)
  • Biometric authentication
• Allow users to choose most secure option

The Joe Tidy case demonstrates that even cybersecurity professionals can be targeted with MFA fatigue—making comprehensive defenses essential for all organizations.

Lessons for Organizations: The Insider Threat Imperative

Why This Matters Beyond the BBC

The Medusa gang's attempt to recruit Joe Tidy offers critical lessons that extend far beyond one media organization:

1. No Organization Is Immune

The BBC employs sophisticated security controls and has dedicated information security teams. If a high-profile media organization with strong security awareness can be targeted for insider recruitment, any organization can.

Key takeaway: Assume your employees are being targeted, because they probably are.

2. Technical Controls Aren't Enough

Firewalls, EDR, SIEM, and other security tools are essential but insufficient. The Medusa approach bypassed all technical controls by targeting a human with legitimate access.

Key takeaway: Security must address human vulnerabilities as vigorously as technical ones.

3. Cybersecurity Awareness Is Defensive

Joe Tidy's expertise in cybersecurity enabled him to:

• Immediately recognize the recruitment attempt
• Understand the threat implications
• Know proper reporting procedures
• Engage safely without compromising security
• Provide valuable intelligence to his organization

Key takeaway: Security awareness training isn't compliance theater—it's an essential defense layer.

4. Reporting Culture Saves Organizations

Tidy's immediate escalation to the security team prevented a potentially catastrophic breach. Organizations must create cultures where:

• Employees feel safe reporting suspicious contacts
• No punishment for being targeted
• Fast response to reported threats
• Recognition for security-conscious behavior

Key takeaway: The best detection system is an employee who reports suspicious activity.

Auckland Transport Hit by Medusa Ransomware: What You Need to Know

Introduction Auckland Transport, the public transport agency in New Zealand, recently fell victim to a “cyber incident” that severely disrupted its ticketing systems. The Medusa ransomware group is suspected to be behind the attack. While Auckland Transport is gradually restoring its services, the incident has led to significant delays and

Breached CompanyBreached Company

5. MFA Can Be Weaponized

Multi-factor authentication remains critical, but push-based MFA has exploitable weaknesses. The MFA bombing attack on Tidy demonstrates that:

• Users can be psychologically manipulated into approving requests
• Simple approve/deny mechanisms are too easy to exploit
• Rate limiting and contextual information are essential
• Alternative MFA methods provide better security

Key takeaway: Implement MFA thoughtfully, with defenses against fatigue attacks.

Building Insider Threat Programs

Comprehensive Defense Strategy:

1. Prevention (Stop Recruitment Before It Starts)

Security Awareness Training:

• Specific modules on insider threat tactics
• Real-world case studies (like the BBC incident)
• Recognition of recruitment approaches
• Social engineering defense techniques
• Quarterly refresher training

Financial Wellness Programs:

• Assist employees facing financial stress
• Reduce vulnerability to monetary offers
• Identify at-risk employees early
• Provide legitimate alternatives

Workplace Culture:

• Foster engagement and loyalty
• Address grievances promptly
• Recognize and reward good work
• Create sense of shared mission

Background Checks:

• Ongoing verification, not just at hiring
• Monitor for financial distress indicators
• Track security policy violations
• Assess risk levels of different roles

2. Detection (Identify Insider Threats Early)

Behavioral Analytics:

• Unusual data access patterns
• After-hours activity by typically 9-5 employees
• Large file transfers or downloads
• Access to unrelated systems or data
• VPN connections from unusual locations

Communication Monitoring:

• Encrypted messaging app installation on corporate devices
• Unusual email patterns (large attachments, personal accounts)
• Communication with known malicious domains
• Signs of external coordination

Peer Reporting Mechanisms:

• Anonymous reporting hotlines
• Clear procedures without retaliation
• Regular reminders that reporting is valued
• Swift investigation of reports

Technical Controls:

• Data Loss Prevention (DLP) tools
• User and Entity Behavior Analytics (UEBA)
• Privileged Access Management (PAM)
• Network traffic analysis
• Endpoint detection and response

3. Response (Act Swiftly When Threats Emerge)

Incident Response Plan:

• Specific playbook for insider threats
• Designated response team
• Legal coordination
• HR involvement procedures
• Communication protocols

Immediate Actions:

• Suspend suspect access without alerting
• Preserve evidence for investigation
• Review access logs and data exposure
• Assess damage and data exfiltration
• Coordinate with law enforcement if appropriate

Investigation Procedures:

• Forensic analysis of suspect activity
• Interview relevant personnel
• Document timeline and access
• Identify compromised systems/data
• Prepare legal case if criminal

Remediation:

• Revoke all access immediately upon confirmation
• Change compromised credentials
• Review and strengthen affected controls
• Communicate with affected parties
• Document lessons learned

4. Recovery (Restore Trust and Improve Defenses)

Post-Incident Actions:

• Organization-wide security review
• Enhanced monitoring of high-risk roles
• Update security policies based on lessons learned
• Additional training on identified weaknesses
• Strengthen insider threat program

Communication Strategy:

• Transparent with employees (as appropriate)
• Demonstrate commitment to security
• Show consequences of insider threats
• Reinforce reporting culture
• Rebuild trust through action

Risk Assessment Framework

Evaluate Insider Risk Levels:

High-Risk Roles:

• System administrators
• Database administrators
• Security personnel
• Finance/accounting with payment authority
• Executives with broad access
• Remote workers in high-turnover positions

Medium-Risk Roles:

• IT support staff
• HR personnel with sensitive data access
• Sales with customer data access
• Supply chain/vendor management
• Facilities with physical access

Lower-Risk Roles:

• Entry-level positions
• Highly supervised roles
• Limited system access
• No sensitive data exposure

Risk Factors to Monitor:

Financial:

• Unexplained wealth or financial stress
• Gambling problems
• Significant debt
• Lifestyle not matching salary

Behavioral:

• Workplace conflicts or grievances
• Policy violations
• Reduced performance
• Isolation from colleagues
• Excessive criticism of organization

Technical:

• Unusual hours or access patterns
• Attempted privilege escalation
• Policy bypass attempts
• Excessive data access
• Unexplained software installations

Legal and Ethical Considerations

Balancing Security and Privacy:

Organizations must navigate:

• Employee privacy rights vs. security needs
• Lawful monitoring vs. surveillance concerns
• Retention of investigation evidence
• Transparent communication vs. operational security
• Cultural sensitivity across global operations

Best Practices:

• Clear policies on monitoring and expectations
• Legal review of insider threat programs
• Regular privacy impact assessments
• Employee notification of monitoring (where legally required)
• Limits on data retention and access

The Broader Implications

Media Organizations as Targets

The BBC incident highlights unique risks for media organizations:

Why Journalists Are Attractive Targets:

1. Source Protection Concerns:

• Compromise could expose confidential sources
• Devastating to journalistic integrity
• Chilling effect on whistleblowers
• Legal and ethical obligations at risk

2. Editorial Control:

• Access to unpublished investigations
• Knowledge of planned stories
• Ability to manipulate or suppress reporting
• Competitive intelligence for other media

3. Public Trust Impact:

• Media organizations depend on credibility
• Security breaches undermine public confidence
• Sensational nature amplifies reputational damage
• Recovery is difficult in public eye

4. Political Implications:

• State-sponsored actors may target media
• Influence operations through compromised outlets
• Surveillance of investigative reporters
• Election interference capabilities

Recommendations for Media Organizations:

• Separate systems for source communications (air-gapped, encrypted)
• Enhanced vetting for employees with source access
• Whistleblower protection protocols
• Regular security audits by trusted third parties
• Incident response plans specific to journalism ethics
• Legal counsel on security vs. First Amendment balance

Ransomware's Evolution

The BBC case represents a concerning evolution in ransomware tactics:

From Technical Exploitation to Human Exploitation:

Traditional Ransomware (2015-2021):

• Mass phishing campaigns
• Exploit kits and vulnerabilities
• Automated encryption
• Spray-and-pray approach
• Low ransom demands ($500-$5,000)

Targeted Ransomware (2020-2023):

• Initial access broker partnerships
• Reconnaissance and planning
• Double extortion (encrypt + leak)
• Negotiated ransoms (millions)
• Specific industry targeting

Insider-Enabled Ransomware (2023-Present):

• Systematic insider recruitment
• Dedicated outreach personnel
• Financial incentives and social engineering
• Bypass technical controls entirely
• Highest success rates and ransoms

This evolution suggests ransomware will continue adapting to defensive improvements, with human vulnerabilities becoming the primary attack surface.

Regulatory Considerations

Current Landscape:

While no specific regulations mandate insider threat programs, several frameworks address the concern:

United States:

• NIST Cybersecurity Framework includes insider threat guidance
• CISA provides insider threat mitigation resources
• Critical infrastructure sectors have specific requirements
• No federal law specifically mandating insider threat programs

European Union:

• GDPR requires appropriate security measures
• NIS2 Directive mandates risk management
• Insider threats fall under "organizational measures"
• Privacy concerns limit monitoring capabilities

Industry-Specific:

• Financial services (GLBA, SOX) require controls
• Healthcare (HIPAA) mandates workforce security
• Defense contractors (DFARS, CMMC) have specific requirements
• Payment cards (PCI DSS) address insider risks

Future Directions:

Expect increased regulatory focus on:

• Mandatory insider threat programs for critical infrastructure
• Requirements for employee security awareness training
• Incident reporting for insider threat attempts
• Whistleblower protections for those reporting recruitment
• International cooperation on ransomware prosecution

Insider Threat Matrix - Comprehensive Cybersecurity Framework

Interactive insider threat detection and prevention framework. Assess, monitor, and mitigate insider security risks with our comprehensive cybersecurity tool.

Insider Threat MatrixCISO Marketplace

Actionable Recommendations

For Employees

If You're Contacted by Criminals:

1. Do Not Engage Beyond Initial Recognition
   • Unless you're a security professional coordinating with your team
   • Any response may be seen as interest
   • Immediate reporting is the only safe response
2. Report Immediately
   • Contact your security team or CISO
   • If no security team, notify your manager
   • Use established incident reporting procedures
   • Document everything (screenshots, messages, caller info)
3. Do Not Feel Ashamed
   • Being targeted is not your fault
   • Organizations value employees who report threats
   • You're helping protect your colleagues
   • Reporting prevents actual breaches
4. Preserve Evidence
   • Take screenshots of messages
   • Record details of phone calls
   • Note dates, times, and account names
   • Don't delete anything until security team advises
5. Review Your Security
   • Change passwords as precaution
   • Enable MFA if not already active
   • Check for unauthorized account access
   • Monitor for unusual activity

If You Experience MFA Bombing:

1. Do Not Approve Any Requests
   • Even if they seem legitimate
   • Even if it's inconvenient
   • Even if you want them to stop
2. Report Immediately
   • While attack is ongoing if possible
   • Contact security team or IT support
   • Explain you're receiving constant MFA requests
   • Follow their guidance for account security
3. Change Your Password
   • Immediately after reporting
   • Use strong, unique password
   • Don't reuse from other accounts
   • Consider password manager
4. Document the Attack
   • How many requests received
   • Timeframe of attack
   • Any unusual calls or messages
   • Whether any requests were approved

For Security Teams

Immediate Actions:

1. Implement MFA Fatigue Defenses
   • Rate limit authentication requests (3-5 per 10 minutes)
   • Enable number matching for push notifications
   • Add contextual information to MFA prompts
   • Deploy hardware tokens for high-risk users
   • Monitor for repeated MFA denials
2. Enhance Insider Threat Detection
   • Deploy UEBA tools
   • Establish baseline for normal behavior
   • Alert on anomalies (unusual access, after-hours activity)
   • Monitor encrypted messaging app installations
   • Review privileged account activity
3. Security Awareness Campaign
   • Specific training on insider recruitment
   • Case study: Joe Tidy / BBC incident
   • Role-playing exercises
   • Reporting procedures emphasis
   • Quarterly refreshers
4. Incident Response Plan
   • Dedicated insider threat playbook
   • Clear escalation procedures
   • Legal and HR coordination
   • Evidence preservation protocols
   • Communication templates

Strategic Initiatives:

1. Insider Threat Program Development
   • Designate program owner
   • Cross-functional team (Security, HR, Legal, IT)
   • Risk assessment of roles
   • Monitoring and detection capabilities
   • Regular program reviews
2. Access Control Improvements
   • Principle of least privilege
   • Regular access reviews
   • Privileged Access Management (PAM)
   • Just-in-time access provisioning
   • Automated de-provisioning
3. Employee Support Services
   • Financial wellness programs
   • Employee assistance programs
   • Confidential reporting mechanisms
   • Recognition for security-conscious behavior
   • Culture of security awareness

For Executives and Board Members

Governance Priorities:

1. Insider Threat is Business Risk
   • Add to enterprise risk register
   • Regular board-level reporting
   • Investment in prevention and detection
   • Metrics on program effectiveness
   • Integration with overall security strategy
2. Create Reporting Culture
   • Tone from the top matters
   • No retaliation for reporting
   • Celebrate employees who report threats
   • Make reporting easy and accessible
   • Swift response demonstrates commitment
3. Resource Allocation
   • Insider threat programs require investment
   • UEBA tools, PAM solutions, training
   • Dedicated personnel
   • Legal and investigation capabilities
   • Balance security with employee privacy
4. Understand the Threat
   • Ransomware operations are sophisticated businesses
   • Insider recruitment is systematic, not opportunistic
   • Financial motivations make it effective
   • No organization is immune
   • Prevention is cheaper than response

Conclusion: The Human Element in Cybersecurity

Joe Tidy's experience with the Medusa ransomware gang provides a rare, unvarnished look at the reality of insider threat recruitment in 2025. The incident exposes several uncomfortable truths:

1. Ransomware Operations Are Sophisticated Businesses

Gone are the days of script kiddies deploying ransomware for small payoffs. Operations like Medusa function as organized criminal enterprises with:

• Specialized roles and responsibilities
• Dedicated recruitment teams
• Substantial financial resources
• Professional negotiation tactics
• Long-term strategic planning

2. Your Employees Are Being Targeted

The systematic nature of insider recruitment means organizations should assume:

• Criminal groups are actively searching for vulnerable employees
• Financial stress makes recruitment more effective
• Technical controls can't prevent insider cooperation
• Detection depends on employee reporting
• Prevention requires comprehensive programs

3. The Weakest Link Is Human

Despite billions spent on security technology:

• A single insider can bypass all controls
• Social engineering remains highly effective
• Financial motivation overcomes loyalty for some
• MFA can be defeated through psychology
• Human judgment is the last line of defense

4. Security Awareness Is Not Optional

Tidy's cybersecurity expertise enabled him to:

• Recognize the threat immediately
• Engage safely for intelligence gathering
• Report through proper channels
• Prevent a catastrophic breach
• Document the incident for public awareness

Organizations must invest in security awareness with the same rigor as technical controls.

5. Reporting Culture Determines Outcomes

The difference between a prevented breach and a catastrophic incident often comes down to whether employees:

• Feel safe reporting suspicious contacts
• Know how to report
• Trust the organization will respond appropriately
• Believe their report matters
• Experience no negative consequences

Building this culture requires sustained effort from leadership.

The BBC Learned and Shared

To Tidy and the BBC's credit, they:

• Responded swiftly to the threat
• Protected their journalist and systems
• Shared the incident publicly
• Contributed to industry awareness
• Provided a blueprint for others

This transparency serves the public interest and helps other organizations defend against similar attacks.

Looking Forward

As ransomware operations continue evolving, expect:

• Increased insider recruitment efforts
• More sophisticated social engineering
• Higher financial offers for access
• Targeting of remote and contract workers
• Nation-state adoption of these tactics

Organizations must adapt defenses accordingly, recognizing that cybersecurity is fundamentally about people, not just technology.

The message Syn sent to Joe Tidy—"You'll never need to work again"—reveals the scale of criminal operations targeting our institutions. The fact that Tidy immediately recognized it as a threat and reported it demonstrates the power of security awareness.

Every organization should ask: If our employees received similar messages, would they recognize the threat and report it? The answer to that question may determine whether your organization becomes the next victim or another successful defense.

Related Reading from Breached.Company

• Washington Post Becomes Latest Victim in Massive Oracle E-Business Suite Breach Campaign
• Nikkei Suffers Slack Breach Through Infostealer Malware: 17,000 Users Exposed
• The Most Common Methods Behind Major Data Breaches
• US State Breach Notification Requirements Tracker

About the Author: This analysis draws from Joe Tidy's firsthand account, CISA advisories on Medusa ransomware, and extensive research on insider threats and MFA fatigue attacks. It is provided for cybersecurity professionals and organizational leaders seeking to understand and defend against insider recruitment tactics.

Sources: BBC News, CISA Advisory AA25-071A, FBI Internet Crime Complaint Center, multiple cybersecurity vendor analyses

Disclosure: Organizations concerned about insider threats should consider comprehensive insider threat programs, employee awareness training, and enhanced MFA protocols. Consult with cybersecurity professionals and legal counsel when developing these programs.