The threat actors behind the Medusa ransomware have claimed nearly 400 victims since it first emerged in January 2023, with the financially motivated attacks witnessing a 42% increase between 2023 and 2024.
In the first two months of 2025 alone, the group has claimed over 40 attacks, according to data from the Symantec Threat Hunter Team said in a report shared with The Hacker News. The cybersecurity company is tracking the cluster under the name Spearwing.
“Like the majority of ransomware operators, Spearwing and its affiliates carry out double extortion attacks, stealing victims’ data before encrypting networks in order to increase the pressure on victims to pay a ransom,” Symantec noted.
“If victims refuse to pay, the group threatens to publish the stolen data on their data leaks site.”
While other ransomware-as-a-service (RaaS) players like RansomHub (aka Greenbottle and Cyclops), Play (aka Balloonfly), and Qilin (aka Agenda, Stinkbug, and Water Galura) have benefited from the disruptions of LockBit and BlackCat, the spike in Medusa infections raises the possibility that the threat actor could also be rushing in to fill the gap left by the two prolific extortionists.
The development comes as the ransomware landscape continues to be in a state of flux, with a steady stream of new RaaS operations, such as Anubis, CipherLocker, Core, Dange, LCRYX, Loches, Vgod, and Xelera, emerging in the wild in recent months.
Medusa has a track record of demanding ransoms anywhere between $100,000 up to $15 million from healthcare providers and non-profits, as well as targeting financial and government organizations.
Attack chains mounted by the ransomware syndicate involve the exploitation of known security flaws in public-facing applications, mainly Microsoft Exchange Server, to obtain initial access. It’s also suspected that the threat actors are likely using initial access brokers for breaching networks of interest.
Once gaining a successful foothold, the hackers drop use remote management and monitoring (RMM) software such as SimpleHelp, AnyDesk, or MeshAgent for persistent access, and employ the tried-and-tested Bring Your Own Vulnerable Driver (BYOVD) technique to terminate antivirus processes using KillAV. It’s worth pointing out that KillAV has been previously put to use in BlackCat ransomware attacks.
“The use of the legitimate RMM software PDQ Deploy is another hallmark of Medusa ransomware attacks,” Symantec said. “It is typically used by the attackers to drop other tools and files and to move laterally across the victim network.”
Some of the other tools deployed over the course of a Medusa ransomware attack include Navicat to access and run database queries, RoboCopy, and Rclone for data exfiltration.
“Like most targeted ransomware groups, Spearwing tends to attack large organizations across a range of sectors,” Symantec said. “Ransomware groups tend to be driven purely by profit, and not by any ideological or moral considerations.”
