The Medusa ransomware threat continues to escalate, with attacks increasing by 42% between 2023 and 2024, according to the latest report from Symantec’s Threat Hunter Team. Even more concerning, nearly twice as many Medusa ransomware attacks were observed in January and February 2025 compared to the same period in 2024.
Medusa is believed to be operated by Spearwing, a cybercriminal group running the ransomware under a Ransomware-as-a-Service (RaaS) model. Like many ransomware operators, Spearwing employs a double extortion strategy, first stealing data before encrypting victims’ systems. If a ransom isn’t paid, the stolen data is published on their Medusa Leaks site.
- Almost 400 victims have been publicly listed, but the true number is likely much higher.
- Ransom demands range from $100,000 to $15 million.
- The decline of ransomware groups like LockBit and Noberus in 2023-2024 left a vacuum, allowing Medusa to gain prominence.
Notably, Medusa should not be confused with the older MedusaLocker ransomware—Spearwing appears to operate independently of that variant.
Medusa attacks typically begin with exploiting vulnerabilities in public-facing applications, particularly Microsoft Exchange Servers. However, Spearwing has also been observed using:
- Hijacked legitimate accounts (possibly acquired through Initial Access Brokers).
- Remote Monitoring and Management (RMM) tools like SimpleHelp, AnyDesk, and Mesh Agent to maintain remote access.
Once inside a network, Medusa affiliates deploy a well-structured attack chain featuring:
Attackers deploy signed but vulnerable drivers to disable security solutions. This technique, increasingly popular among ransomware groups, allows them to evade detection.
One of Medusa’s hallmarks is its heavy reliance on PDQ Deploy, a legitimate IT management tool. Symantec researchers found that PDQ Deploy was used in nearly two-thirds of observed Medusa attacks.
Before deploying the ransomware payload, attackers exfiltrate sensitive data using:
- Rclone – Often renamed (lsp.exe) to evade detection.
- Robocopy – A Windows command-line utility used to copy large volumes of data.
Once Medusa encrypts files, victims receive a ransom note named !READ_ME_MEDUSA!!!.txt, informing them that failure to pay will result in public exposure of their stolen data.
The ransomware avoids encrypting system files and uses arguments to customize its execution, including:
-Vto display the ransomware version.-dto prevent self-deletion.-nto include network drives.-pto skip certain preprocessing steps.
Victims are typically given 10 days to pay, with a $10,000 per day penalty for extensions.
Medusa doesn’t discriminate when selecting victims—financial institutions, healthcare providers, governments, and non-profits have all been hit. The ransomware group appears to be financially motivated, with no ideological agenda.
In January 2025, a major U.S. healthcare organization fell victim to Medusa, with hundreds of machines compromised.
Notable Attack Details:
- The attacker remained undetected for four days before launching the final ransomware payload.
- Mesh Agent and SimpleHelp were installed to maintain access.
- Rclone was used to exfiltrate data before encryption.
- The ransomware binary (gaze.exe) was deployed via PDQ Deploy.
- Attackers attempted to create shadow copies but initially typed the command incorrectly, suggesting human-operated attacks rather than full automation.
Unlike other Ransomware-as-a-Service (RaaS) groups, Medusa’s attack chains remain highly consistent. Symantec suggests three possible reasons for this:
- Spearwing itself conducts many of the attacks, rather than outsourcing them.
- Only a small group of trusted affiliates use Medusa.
- Spearwing provides a strict attack playbook, dictating how Medusa should be deployed.
This structured approach differs from more decentralized RaaS groups like LockBit, which allows affiliates greater flexibility in attack execution.
Related Posts:
- Medusa Ransomware: A Sinister Evolution in Cyber Extortion
- Medusa Exploits Fortinet Flaw (CVE-2023-48788) for Stealthy Ransomware Attacks
