Lesley Carhart, a director of incident response at cybersecurity firm Dragos, explains that criminals are using ransomware to threaten victims, including companies, with embarrassment. To some extent, it’s a response to better data protection.
Federal officials are warning consumers against a type of cyberattack that’s been on the rise. It’s called Medusa, a ransomware program that uses tactics like phishing to infect a target’s system and encrypt their data, which hackers then threaten to publicly release unless a ransom is paid.
Medusa is just one example of how hackers are evolving their strategies at a time when federal cybersecurity resources are being cut by the Donald Trump administration.
Marketplace’s Meghan McCarty Carino spoke with Lesley Carhart, director of incident response for North America at cybersecurity firm Dragos, to learn more about the use of embarrassment as a weapon and the impact of funding cuts on digital safety.
The following is an edited transcript of their conversation.
Lesley Carhart: Unfortunately, cyberattackers have found that ransomware is an incredibly effective tool over the last 10 years. Of course, it’s got multiple psychological and technical elements to it. So when your computer gets ransomed, or your organization’s computers get ransomed, your sensitive, personal, important files are being encrypted away so you can’t access them, and that’s incredibly damaging to organizational operations, and it’s also psychological to individuals and organizations because if it’s your own personal computer, all of a sudden you can’t access your own files or your own photos. And these groups have learned that if they take those things away from organizations or from individual people and threaten to get rid of them forever, threaten to expose them to the public, that’s an incredibly effective tactic to make money.
Meghan McCarty Carino: Right, it sounds like with the Medusa attacks specifically, there is a very prominent kind of public-facing angle. There’s a site where the victims are posted, and so there’s kind of a double extortion going on.
Carhart: Yeah, we see a lot of the double and triple extortion now. So these criminal organizations have figured out that people sometimes have backups now, people are getting better at being aware that ransomware is a threat. So especially companies that have money have started backing up their files really well, especially off their network. So if there is a ransom, they can restore them. The tactic to evade that by these criminal groups is, well, now we’re going to really embarrass these organizations. While we’re at it, we’re going to steal anything that looks sensitive, embarrassing, proprietary, and then we’re going to announce to the world not only that we’ve effectively ransomed this company or this person or this organization — and that’s embarrassing from a [public relations] standpoint — but also, if there are embarrassing files, content, we will threaten to release that to the wrong people as well.
McCarty Carino: Tell me more about who is getting targeted in these attacks. You said cybercriminals have gotten a bit more sophisticated in their targeting.
Carhart: So there are generally two elements that these organizations are looking for in their victims. Of course, there’s some random element that used to be more common in the past, but now they are thinking about who is most vulnerable and who is likely to pay out. That’s a natural evolution in how they effectively make a lot of money as quickly as possible in a very organized way. And so we see more targeting of hospitals and critical infrastructure, less-resourced manufacturing organizations, whoever they think is going to be very noticeable as perhaps a household name or something essential to critical infrastructure and also is probably less defended from a cybersecurity standpoint.
McCarty Carino: I want to talk about the official government response to all this. These warnings came from the FBI and CISA, the Cybersecurity and Infrastructure Security Agency. What do we know about how that agency has been affected by the Trump administration’s efforts to kind of shrink and remake the federal government?
Carhart: CISA has been a very, very important element to defending against both cybercrime and state adversaries in the United States of America, and also to our allies in allied countries. It has provided resources for less-resourced, critical infrastructure organizations and also a lot of information about these threats in a timely manner. That’s why they were developed, and there have certainly been staff cuts and organizational cuts, as well as at other, similar cyberdefense organizations in the United States. What the fallout of that is going to be, we don’t know yet. It’s still very early days. But they were already a lean organization. They were already operating with minimal numbers of specialists to do this type of defense work against these massive criminal organizations. So I can’t say that I’m encouraged or hopeful about the fact that they’ve lost a number of their top talent.
McCarty Carino: Right, I think they’ve lost about 130 probationary workers. They’re called probationary because they were recently hired, and last week, CISA confirmed a cut to funding for something called the Multi-State Information Sharing and Analysis Center. Can you explain what that does?
Carhart: Right, so ISACs are information-sharing groups. There are ISACs for numerous different industries in the United States, and what they were created to do is create open channels to share information about cyberthreats in those verticals. And the challenge that they’re trying to address is the fact that a lot of organizations don’t talk to one another. They don’t share information, especially competing organizations, the organizations that don’t have good relationships. And when these adversaries, criminal and state adversaries, target somebody, they usually target an entire vertical. So let’s look at, like, an industry, like say, there’s an automotive ISAC, and they’re dealing with car manufacturers being attacked. Those companies don’t normally talk to one another, but we create these ISACs with nondisclosure agreements, and that enables these organizations to easily and quickly share information about who’s attacking them and how they’re attacking so that the other peers in that same space can also defend against the same adversaries. Now, ostensibly, there are other ways for municipal governments to share this information. But again, this was a very important tool, and we’re going to have to wait and see what the fallout of it being defunded, removed, etc., is on municipal organizations.
McCarty Carino: Where does all of this leave consumers? How can we kind of protect ourselves in a world where it seems like we are increasingly connected to potentially vulnerable systems?
Carhart: We have to be aware of what’s going on, and that’s challenging, but we’ve always had to have situational awareness about crime — when we travel, when we stay in a hotel, when we’re in a new country, when we’re walking home alone at night, we have to be aware of our threat model and the threats that we face, and that’s true in the digital world too. Personally, I really recommend using a password manager, a reputable one, to use unique and strong passwords across all of your web presence. I also really recommend that you turn on multifactor authentication everywhere you can. That means that little code that you get to log in on top of your password. That really is a deterrent that slows down adversaries. And again, we talked about these well-resourced criminal organizations. If you deter them, if you make their lives harder, sometimes they’ll move on to a harder target.
Back to the issue of staffing for CISA. We noted the agency has lost more than 100 workers in the last couple of months. Sources inside the agency told TechCrunch that the layoffs included workers on CISA’s Red Team, which simulates real-world cyberattacks so the agency can strengthen an organization’s defenses. It also lost staff involved in continuous threat monitoring and incident response.
Well, now the agency is trying to bring them back.
A District Court judge last week imposed a temporary restraining order that requires the Trump administration to reinstate probationary workers who were let go from 18 federal agencies, including CISA.
But apparently the government doesn’t have contact information for all of them.
An advisory on CISA’s website says the agency is making every effort to contact affected individuals and anyone who has not been contacted should email CISA to be reinstated.