The number of Medusa ransomware attacks has been steadily increasing over the past two years and doubled in the first two months of 2025 compared to the same period last year, Symantec reports.
First seen in early 2023, Medusa operates under the ransomware-as-a-service (RaaS) model, with its affiliates targeting organizations in healthcare, manufacturing, education, and other sectors in the US, Australia, Israel, India, Portugal, the UK, UAE, and other countries.
Engaging in double-extortion tactics, stealing victims’ data, and threatening to release it publicly unless a ransom is paid, Medusa’s operators have listed roughly 400 victims on their Tor-based leak site.
Tracked as Spearwing and Storm-1175, the ransomware group has been demanding ransom payments ranging between $100,000 and $15 million.
According to Symantec, the number of Medusa ransomware attacks grew 42% between 2023 and 2024, and the activity continues to increase.
As law enforcement took action against known ransomware gangs such as BlackCat and LockBit, Medusa has risen to fill the gap along with groups such as RansomHub and Qilin.
According to Symantec, Medusa’s affiliates have been targeting unpatched vulnerabilities in internet-facing appliances, mainly in Microsoft Exchange Server. However, the group was also seen targeting VMware ESXi and Mirth Connect flaws.
In some instances, the hackers likely hijacked legitimate accounts, possibly using “initial access brokers for infiltration,” Symantec notes.
After gaining access to a network, the attackers were seen deploying living-off-the-land and dual-use tools, including AnyDesk, Mesh Agent, PDQ Deploy, and SimpleHelp remote access tools, KillAVDriver, KillAV, Navicat, NetScan, PDQ Inventory, Rclone, and Robocopy.
Spearwing and its affiliates used these tools for remote access, to deploy and abuse vulnerable drivers to disable security tools, move laterally, run database queries, scan networks, exfiltrate data, dump credentials, and delete shadow copies.
According to Symantec, the group develops the Medusa ransomware itself, while also carrying out many of the attacks. It only has a small number of affiliates, providing them with both the file-encrypting ransomware and with an attack playbook.
Following a successful attack, the victim’s files are encrypted and appended the .medusa extension, a ransom note is dropped on the system, and the Medusa ransomware is deleted. The group demands that a ransom be paid within 10 days, but allows victims to extend the deadline for $10,000 per day.
In January 2025, the group hit a US healthcare organization, lingering in its network for four days before deploying file-encrypting ransomware. Based on some of the executed commands, Symantec believes that it was a hands-on-keyboard attack, rather than automated activity.
Related: Ransomware Group Claims Attack on Tata Technologies
Related: Vulnerable Paragon Driver Exploited in Ransomware Attacks
Related: New Anubis Ransomware Could Pose Major Threat to Organizations
Related: Chinese APT Tools Found in Ransomware Schemes, Blurring Attribution Lines
