Pierluigi Paganini
March 07, 2025
The Symantec Threat Hunter Team reported that the Medusa ransomware operators have claimed nearly 400 victims since January 2023. Experts observed a 42% increase in attacks carried out by the group between 2023 and 2024. Experts tracked the Medusa ransomware activity as Spearwing.
“Like the majority of ransomware operators, Spearwing and its affiliates carry out double extortion attacks, stealing victims’ data before encrypting networks in order to increase the pressure on victims to pay a ransom,” reads the report published by Symantec.
Medusa demands ransoms from $100,000 to $15 million, victims are organizations in healthcare, non-profits, finance, and government sectors. The group targets known vulnerabilities, mainly in Exchange Server. The researchers speculate that the ransomware group relies on initial access brokers to access target infrastructure.
Upon gaining initial access to the target, Medusa hackers use remote management and monitoring (RMM) tools like SimpleHelp and AnyDesk for maintaining persistence and employ BYOVD with KillAV to disable antivirus, a tactic seen in BlackCat and RansomHub ransomware operations.
Symatec researchers highlighted that Medusa ransomware attackers use PDQ Deploy to drop tools, files, and move laterally across victim networks.
Medusa ransomware attackers use Navicat for database access, and RoboCopy and Rclone for data exfiltration.
Medusa ransomware is expanding amid disruptions to LockBit and BlackCat, highlighting the evolving RaaS landscape and the need for stronger cybersecurity defenses.
“Like most targeted ransomware groups, Spearwing tends to attack large organizations across a range of sectors,” Symantec concludes. “Ransomware groups tend to be driven purely by profit, and not by any ideological or moral considerations.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ransomware)
