Medusa Ransomware Hits 40+ Victims in 2025, Calls for $100K–$15M Ransom



Mar 06, 2025 | Ravie Lakshmanan | Threat Intelligence / Vulnerability


The threat actors behind the Medusa ransomware have claimed almost 400 victims since it first emerged in January 2023, with the financially motivated attacks seeing a 42% increase between 2023 and 2024.

In the first two months of 2025 alone, the group has claimed over 40 attacks, according to data from the Symantec Threat Hunter Team cited in a report shared with The Hacker News. The cybersecurity company is tracking the cluster under the name Spearwing.

"Like the majority of ransomware operators, Spearwing and its affiliates carry out double extortion attacks, stealing victims' data before encrypting networks in order to increase the pressure on victims to pay a ransom," Symantec noted.


"If victims refuse to pay, the group threatens to publish the stolen data on their data leaks site."

While other ransomware-as-a-service (RaaS) players like RansomHub (aka Greenbottle and Cyclops), Play (aka Balloonfly), and Qilin (aka Agenda, Stinkbug, and Water Galura) have benefited from the disruptions of LockBit and BlackCat, the spike in Medusa infections raises the possibility that the threat actor is rushing in to fill the gap left by the two prolific extortionists.

The development comes as the ransomware landscape continues to be in a state of flux, with a steady stream of new RaaS operations, such as Anubis, CipherLocker, Core, Dange, LCRYX, Loches, Vgod, and Xelera, emerging in the wild in recent months.

Medusa has a track record of demanding ransoms anywhere between $100,000 and $15 million from healthcare providers and non-profits, in addition to targeting financial and government organizations.

Attack chains mounted by the ransomware syndicate involve the exploitation of known security flaws in public-facing applications, primarily Microsoft Exchange Server, to obtain initial access. It is also suspected that the threat actors are likely using initial access brokers to breach networks of interest.


Once a foothold is gained, the hackers drop and use remote monitoring and management (RMM) software such as SimpleHelp, AnyDesk, or MeshAgent for persistent access, and employ the tried-and-tested Bring Your Own Vulnerable Driver (BYOVD) technique to terminate antivirus processes using KillAV. It is worth pointing out that KillAV has previously been put to use in BlackCat ransomware attacks.

"The use of the legitimate RMM software PDQ Deploy is another hallmark of Medusa ransomware attacks," Symantec said. "It is typically used by the attackers to drop other tools and files and to move laterally across the victim network."

Some of the other tools deployed over the course of a Medusa ransomware attack include Navicat to access and run database queries, RoboCopy, and Rclone for data exfiltration.
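The toolset described in the last three paragraphs (RMM software for persistent access, PDQ Deploy for lateral movement, Navicat, RoboCopy and Rclone for data access and exfiltration) lends itself to a simple hunt over process-creation telemetry. The following Python is an added example written for this article, not code from Symantec or The Hacker News; the process image names, hostnames and log lines are constructed assumptions, and the rule alerts only when several of the reported stages appear on one host within a time window, since any one of these tools on its own is common in legitimate administration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Tool-to-stage mapping taken from the report's description of the Medusa toolset.
# Process image names are assumptions about how each tool appears on disk.
TOOL_STAGES = {
    "simplehelp": "rmm_persistence", "anydesk": "rmm_persistence",
    "meshagent": "rmm_persistence", "pdqdeploy": "lateral_movement",
    "navicat": "data_access", "robocopy": "exfiltration", "rclone": "exfiltration",
}

def classify(image_path):
    """Map a process image path to (tool, stage), or None if it is not in the toolset."""
    name = image_path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    for tool, stage in TOOL_STAGES.items():
        if name.startswith(tool):
            return tool, stage
    return None

def hunt(events, window_hours=24, min_stages=2):
    """Flag hosts on which at least min_stages distinct stages occur within window_hours.
    A single RMM or copy tool is common in legitimate admin use; the stage threshold
    is what separates the reported Medusa pattern from routine activity."""
    per_host = defaultdict(list)
    for raw in events:
        ev = json.loads(raw)
        hit = classify(ev["image"])
        if hit:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), *hit))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()  # chronological, so each window starts at one observed hit
        for i, (t0, _, _) in enumerate(hits):
            in_win = [h for h in hits[i:] if h[0] - t0 <= timedelta(hours=window_hours)]
            stages = {h[2] for h in in_win}
            if len(stages) >= min_stages:
                alerts[host] = {"stages": sorted(stages), "tools": sorted({h[1] for h in in_win})}
                break
    return alerts

# Constructed sample process-creation events (JSON lines), not real telemetry.
SAMPLE_EVENTS = [
    r'{"ts": "2025-02-10T08:01:00", "host": "WS01", "image": "C:\\Program Files\\SimpleHelp\\SimpleHelp.exe"}',
    r'{"ts": "2025-02-10T09:30:00", "host": "WS01", "image": "C:\\Windows\\AdminArsenal\\PDQDeployRunner\\PDQDeployRunner-1.exe"}',
    r'{"ts": "2025-02-10T11:00:00", "host": "WS01", "image": "C:\\Tools\\rclone.exe"}',
    r'{"ts": "2025-02-10T10:00:00", "host": "WS02", "image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe"}',
    r'{"ts": "2025-02-11T02:00:00", "host": "SRV-BACKUP", "image": "C:\\Windows\\System32\\Robocopy.exe"}',
    r'{"ts": "2025-02-12T09:30:00", "host": "WS02", "image": "C:\\Tools\\rclone.exe"}',
]
```

`hunt(SAMPLE_EVENTS)` flags only WS01, where an RMM tool, PDQ Deploy and Rclone appear within a day; the lone AnyDesk and Robocopy executions on the other hosts stay below the threshold, and WS02 is only flagged once the window is widened to cover both of its events.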

"Like most targeted ransomware groups, Spearwing tends to attack large organizations across a range of sectors," Symantec said. "Ransomware groups tend to be driven purely by profit, and not by any ideological or moral considerations."
