Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Ransomware

Medusa Ransomware Attacks Increase

The number of Medusa ransomware attacks observed in the first two months of 2025 doubled compared to the same period last year.

The number of Medusa ransomware attacks has been steadily increasing over the past two years and doubled in the first two months of 2025 compared to the same period last year, Symantec reports.

First seen in early 2023, Medusa operates under the ransomware-as-a-service (RaaS) model, with its affiliates targeting organizations in healthcare, manufacturing, education, and other sectors in the US, Australia, Israel, India, Portugal, the UK, UAE, and other countries.

Engaging in double-extortion tactics, stealing victims’ data, and threatening to release it publicly unless a ransom is paid, Medusa’s operators have listed roughly 400 victims on their Tor-based leak site.

Tracked as Spearwing and Storm-1175, the ransomware group has been demanding ransom payments ranging between $100,000 and $15 million.

According to Symantec, the number of Medusa ransomware attacks grew 42% between 2023 and 2024, and the activity continues to increase.

As law enforcement took action against known ransomware gangs such as BlackCat and LockBit, Medusa has risen to fill the gap along with groups such as RansomHub and Qilin.

Advertisement. Scroll to continue reading.

According to Symantec, Medusa’s affiliates have been targeting unpatched vulnerabilities in internet-facing appliances, mainly in Microsoft Exchange Server. However, the group was also seen targeting VMware ESXi and Mirth Connect flaws.

In some instances, the hackers likely hijacked legitimate accounts, possibly using “initial access brokers for infiltration,” Symantec notes.

After gaining access to a network, the attackers were seen deploying living-off-the-land and dual-use tools, including AnyDesk, Mesh Agent, PDQ Deploy, and SimpleHelp remote access tools, KillAVDriver, KillAV, Navicat, NetScan, PDQ Inventory, Rclone, and Robocopy.

Spearwing and its affiliates used these tools for remote access, to deploy and abuse vulnerable drivers to disable security tools, move laterally, run database queries, scan networks, exfiltrate data, dump credentials, and delete shadow copies.

According to Symantec, the group develops the Medusa ransomware itself, while also carrying out many of the attacks. It only has a small number of affiliates, providing them with both the file-encrypting ransomware and with an attack playbook.

Following a successful attack, the victim’s files are encrypted and appended the .medusa extension, a ransom note is dropped on the system, and the Medusa ransomware is deleted. The group demands that a ransom be paid within 10 days, but allows victims to extend the deadline for $10,000 per day.

In January 2025, the group hit a US healthcare organization, lingering in its network for four days before deploying file-encrypting ransomware. Based on some of the executed commands, Symantec believes that it was a hands-on-keyboard attack, rather than automated activity.

Related: Ransomware Group Claims Attack on Tata Technologies

Related: Vulnerable Paragon Driver Exploited in Ransomware Attacks

Related: New Anubis Ransomware Could Pose Major Threat to Organizations

Related: Chinese APT Tools Found in Ransomware Schemes, Blurring Attribution Lines

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

Sherrod DeGrippo has been appointed Head of Threat Intelligence for Palo Alto Networks Unit 42.

Christopher Porter has joined Booz Allen Hamilton as Global Chief Information Security Officer.

Yael Ben Arie has joined exposure validation company Pentera as Chief Product Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.