The operators behind the Medusa ransomware have reported nearly 400 victims since its emergence in January 2023. Notably, the financially motivated attacks have experienced a 42% increase between 2023 and 2024.
In the first two months of 2025, the group has reported over 40 attacks, as stated in a report by the Symantec Threat Hunter Team, which tracks the cluster under the name Spearwing.
“Similar to most ransomware operators, Spearwing and its affiliates conduct double extortion attacks. They steal victims’ data before encrypting networks to increase pressure on victims to pay a ransom,” Symantec noted.
While other ransomware-as-a-service (RaaS) players, such as RansomHub (also known as Greenbottle and Cyclops), Play (also known as Balloonfly), and Qilin (also known as Agenda, Stinkbug, and Water Galura), have benefited from the disruptions of LockBit and BlackCat, the increase in Medusa infections suggests that the threat actor may be attempting to fill the gap left by the two prolific extortionists.
This development occurs as the ransomware landscape remains in a state of flux, with the emergence of new RaaS operations such as Anubis, CipherLocker, Core, Dange, LCRYX, Loches, Vgod, and Xelera, all of which have been seen in the wild in recent months.
Medusa ransomware has a history of demanding ransoms ranging from $100,000 to $15 million from healthcare providers and non-profits, as well as targeting financial and government organizations.
The attack chains launched by the ransomware syndicate typically involve the exploitation of known security vulnerabilities in public-facing applications, primarily Microsoft Exchange Server, to gain initial access. Additionally, it is suspected that the threat actors may be utilizing initial access brokers to breach networks of interest.
Upon gaining a successful foothold, the attackers drop remote management and monitoring (RMM) software such as SimpleHelp, AnyDesk, or MeshAgent for persistent access. They also employ the Bring Your Own Vulnerable Driver (BYOVD) technique to terminate antivirus processes using KillAV, a tool previously seen in BlackCat ransomware attacks.
“The use of the legitimate RMM software PDQ Deploy is another characteristic of Medusa ransomware attacks,” Symantec stated. “It is typically used by the attackers to drop other tools and files, as well as to move laterally across the victim network.”
Other tools observed during a Medusa ransomware attack include Navicat for accessing databases and running queries, and RoboCopy and Rclone for data exfiltration.
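The tooling described above (RMM agents for persistence, PDQ Deploy for lateral movement, Navicat for database access, Rclone and RoboCopy for exfiltration) is mostly legitimate software, so any single sighting is weak evidence; what a defender wants is a per-host correlation across stages. The following is an added example, not code from the Symantec report: it scores constructed process-creation events against those stages and flags only hosts where two or more stages co-occur. The executable names and event field names are assumptions; adapt them to your own telemetry.

```python
# Added example: per-host correlation of process-creation events against the
# Medusa tool chain described in the article. Executable stems and event fields
# are assumptions, not values taken from the report or from real telemetry.
from collections import defaultdict

# Stage -> executable stems (lowercase, no extension). Assumed names.
STAGES = {
    "rmm_persistence": {"simplehelp", "anydesk", "meshagent"},
    "lateral_tooling": {"pdqdeploy", "pdqdeployrunner"},
    "db_access": {"navicat"},
    "exfiltration": {"rclone", "robocopy"},  # robocopy is built into Windows
}
# BYOVD/KillAV activity shows up in driver-load telemetry, not process
# creation, so it is intentionally outside this correlation.


def classify(image: str):
    """Map a full image path to a Medusa tool-chain stage, or None."""
    stem = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if stem.endswith(".exe"):
        stem = stem[:-4]
    for stage, stems in STAGES.items():
        if stem in stems:
            return stage
    return None


def correlate(events, min_stages=2):
    """Return {host: sorted stages} for hosts hitting >= min_stages stages.

    A lone RoboCopy or AnyDesk run is normal admin activity; requiring
    multiple distinct stages on one host keeps the false-positive rate down.
    """
    per_host = defaultdict(set)
    for ev in events:
        stage = classify(ev["image"])
        if stage:
            per_host[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= min_stages}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "WS-01", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe"},
    {"host": "WS-01", "image": r"C:\Admin\PDQDeploy.exe"},
    {"host": "WS-01", "image": r"C:\Users\Public\rclone.exe"},
    {"host": "SRV-02", "image": r"C:\Windows\System32\Robocopy.exe"},
    {"host": "SRV-02", "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Only WS-01 is flagged here; SRV-02's single RoboCopy run stays below the threshold, which is the point of correlating stages rather than alerting on tool names.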
“Similar to most targeted ransomware groups, Spearwing tends to attack large organizations across various sectors,” Symantec said. “Ransomware groups are generally driven by profit, rather than ideological or moral considerations.”