Medusa ransomware attacks have surged by 42% between 2023 and 2024, with the trend continuing into early 2025.
Operated under a Ransomware-as-a-Service (RaaS) model by a group tracked as “Spearwing,” this ransomware has targeted organizations across various sectors, leveraging advanced techniques and tools to maximize disruption and extortion.
Symantec’s Threat Hunter Team has reported nearly double the number of Medusa attacks in the first two months of 2025 compared to the same period in 2024.
Medusa employs a double-extortion strategy, combining data theft with network encryption to pressure victims into paying ransoms ranging from $100,000 to $15 million.
If victims refuse, stolen data is published on a dedicated leaks site.
Since its emergence in early 2023, Spearwing has listed almost 400 victims on its site, though the actual number is likely higher.
This rise coincides with a power vacuum left by law enforcement crackdowns on major ransomware groups like LockBit and Noberus.
Exploiting Vulnerabilities and Leveraging Dual-Use Tools
Spearwing primarily gains access to networks by exploiting unpatched vulnerabilities in public-facing applications, particularly Microsoft Exchange Servers.
In some cases, attackers hijack legitimate accounts or use initial access brokers for infiltration.
Once inside, they deploy a range of tools for persistence, lateral movement, and disabling security defenses.
Key tools include remote management software like SimpleHelp and AnyDesk, as well as Mesh Agent for remote access.
Attackers also use the “Bring Your Own Vulnerable Driver” (BYOVD) technique to disable security software by exploiting signed but vulnerable drivers.
Notably, KillAV drivers and associated binaries are frequently employed for this purpose.
PDQ Deploy, a legitimate patch management tool, is another hallmark of Medusa attacks.
It is used to drop malicious payloads and move laterally within networks.
Other tools like Navicat (for database queries), Rclone (for data exfiltration), and RoboCopy (for file transfers) are also part of the attack chain.
Network scanners such as NetScan facilitate reconnaissance, while credential-dumping tools harvest account credentials and other sensitive information.
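Individually, most of the tools listed above have legitimate uses, so a single execution is weak evidence; what characterizes the attack chain described here is several dual-use tool categories appearing on one host in a short span. The following is an added detection example, not code from the article or from Symantec. The process-creation events are constructed, and the executable names are assumptions for illustration, since the article names products rather than binaries.

```python
"""Correlate dual-use tool executions per host from process-creation events.

Added example (not from the article or Symantec). Input is a list of
Sysmon-style event dicts with keys "ts" (ISO 8601), "host" and "image".
A host is flagged when executions from at least `min_categories` distinct
tool categories occur within `window` of each other.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath

# Categories follow the article's tool list. Executable base names are
# assumptions for illustration, not names taken from the article.
TOOL_CATEGORIES = {
    "remote_management": {"simplehelp", "anydesk", "meshagent"},
    "deployment": {"pdqdeploy"},
    "exfiltration": {"rclone"},
    "file_transfer": {"robocopy"},
    "recon": {"netscan"},
    "database": {"navicat"},
}


def classify(image_path):
    """Return the tool category of an executable by its base name, or None."""
    name = ntpath.basename(image_path).lower()
    if name.endswith(".exe"):
        name = name[:-4]
    for category, names in TOOL_CATEGORIES.items():
        # startswith tolerates suffixes such as "netscan64" or "pdqdeployrunner"
        if any(name.startswith(n) for n in names):
            return category
    return None


def correlate(events, window=timedelta(hours=2), min_categories=2):
    """Return {host: sorted categories} for hosts where >= min_categories
    distinct dual-use tool categories ran within `window` of one another."""
    per_host = defaultdict(list)
    for ev in events:
        category = classify(ev["image"])
        if category:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), category))

    findings = {}
    for host, hits in per_host.items():
        hits.sort()
        # Slide the window forward from each hit; stop at the first match.
        for i, (t0, _) in enumerate(hits):
            categories = {cat for t, cat in hits[i:] if t - t0 <= window}
            if len(categories) >= min_categories:
                findings[host] = sorted(categories)
                break
    return findings


# Constructed sample events: ws01 shows three categories inside two hours,
# ws02 shows a lone robocopy run, srv03 shows two categories seven hours apart.
SAMPLE_EVENTS = [
    {"ts": "2025-01-14T10:00:00", "host": "ws01",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe"},
    {"ts": "2025-01-14T10:45:00", "host": "ws01",
     "image": r"C:\Users\Public\rclone.exe"},
    {"ts": "2025-01-14T11:10:00", "host": "ws01",
     "image": r"C:\Program Files\PDQ Deploy\PDQDeployRunner.exe"},
    {"ts": "2025-01-14T09:00:00", "host": "ws02",
     "image": r"C:\Windows\System32\Robocopy.exe"},
    {"ts": "2025-01-14T08:00:00", "host": "srv03",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe"},
    {"ts": "2025-01-14T15:00:00", "host": "srv03",
     "image": r"C:\Users\Public\rclone.exe"},
    {"ts": "2025-01-14T12:00:00", "host": "ws02",
     "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for host, cats in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: dual-use tool categories within window -> {', '.join(cats)}")
```

Tuning the window and the minimum number of categories is an environment-specific decision: an IT team that uses PDQ Deploy and robocopy daily will want those categories weighted lower, while Rclone appearing on a workstation is rarely benign.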
Consistency in Attack Techniques Raises Questions
The tactics, techniques, and procedures (TTPs) employed in Medusa attacks have remained consistent since its inception.

This raises questions about Spearwing’s operational model. Unlike typical RaaS groups that work with numerous affiliates using varied methods, Spearwing appears to either execute attacks directly or provide affiliates with a standardized playbook.
Medusa has targeted large organizations across sectors such as healthcare, finance, government, and non-profits.
A notable example occurred in January 2025 when a U.S.-based healthcare provider suffered an attack that infected hundreds of machines.
The attackers staged tools like Rclone for data exfiltration before deploying the ransomware payload.
Encrypted files have the “.medusa” extension appended, and victims receive ransom notes titled “!READ_ME_MEDUSA!!!.txt.”
Victims are given ten days to pay before data is published online, and deadline extensions cost $10,000 per day.
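The file extension and ransom-note name above are the two host-level indicators a responder can act on immediately. The script below is an added example for incident triage, not code from the article or from Symantec: it walks a file tree, inventories encrypted files and ransom notes, and brackets the encryption run by file modification time so the timeline can be aligned with the earlier tool activity. The sample directory tree is constructed inline so the script runs offline.

```python
"""Triage a file tree for the Medusa artefacts named in the article.

Added example for incident responders (not from the article or Symantec).
Indicators: the ".medusa" extension on encrypted files and the
"!READ_ME_MEDUSA!!!.txt" ransom note. The sample tree is constructed.
"""
import os
import tempfile
from datetime import datetime, timezone

ENCRYPTED_EXT = ".medusa"
RANSOM_NOTE = "!READ_ME_MEDUSA!!!.txt"


def original_name(filename):
    """Strip the appended extension to recover the pre-encryption name,
    useful for building a restore inventory from backups."""
    if filename.lower().endswith(ENCRYPTED_EXT):
        return filename[: -len(ENCRYPTED_EXT)]
    return filename


def triage(root):
    """Walk `root` and collect encrypted files and ransom-note directories.

    Returns counts, relative paths (with "/" separators), and the earliest
    and latest mtime among encrypted files as UTC ISO 8601 strings."""
    encrypted = []  # (mtime, relative path)
    note_dirs = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if fn == RANSOM_NOTE:
                note_dirs.append(os.path.relpath(dirpath, root).replace(os.sep, "/"))
            elif fn.lower().endswith(ENCRYPTED_EXT):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                encrypted.append((os.path.getmtime(full), rel))

    def to_utc(ts):
        return datetime.fromtimestamp(ts, timezone.utc).isoformat()

    mtimes = [m for m, _ in encrypted]
    return {
        "encrypted_count": len(encrypted),
        "encrypted_files": sorted(rel for _, rel in encrypted),
        "restore_inventory": sorted(original_name(rel) for _, rel in encrypted),
        "note_dirs": sorted(note_dirs),
        "encryption_started": to_utc(min(mtimes)) if mtimes else None,
        "encryption_ended": to_utc(max(mtimes)) if mtimes else None,
    }


def build_sample_tree():
    """Create a constructed directory tree resembling a partly encrypted share."""
    root = tempfile.mkdtemp(prefix="medusa_triage_")
    layout = {
        "finance/Q4.xlsx.medusa": b"constructed ciphertext",
        "finance/budget.docx.medusa": b"constructed ciphertext",
        "finance/" + RANSOM_NOTE: b"constructed note text",
        "hr/notes.txt": b"untouched plaintext",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(f"encrypted files: {result['encrypted_count']}")
    print(f"ransom notes in: {result['note_dirs']}")
    print(f"encryption window: {result['encryption_started']} .. {result['encryption_ended']}")
```

Run it against a mounted image or a read-only copy of the affected share rather than the live system, so the modification times that bracket the encryption run are preserved for the timeline.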
The rapid growth of Medusa ransomware highlights the evolving threat landscape driven by RaaS models.
Organizations must prioritize patch management, robust endpoint protection, and employee training to mitigate risks associated with such sophisticated attacks.