Medusa Ransomware Surges: 40+ Organizations Targeted in 2025, Extortion Demands Soaring to $15M

# Medusa Ransomware Attacks Surge as Threat Actors Fill Market Gap

Medusa ransomware operators have claimed nearly 400 victims since their emergence in January 2023, with attacks increasing by 42% between 2023 and 2024. According to Symantec’s Threat Hunter Team, which tracks the group under the name Spearwing, over 40 attacks have already occurred in the first two months of 2025 alone.

The group employs double extortion tactics, stealing data before encrypting networks to pressure victims into paying ransoms. If payment is refused, the stolen data is published on their leak site.

This surge in Medusa infections suggests the threat actor may be capitalizing on the void left by disruptions to major ransomware groups like LockBit and BlackCat. Meanwhile, the ransomware landscape continues to evolve, with new RaaS operations including Anubis, CipherLocker, Core, Dange, LCRYX, Loches, Vgod, and Xelera.

Medusa typically demands ransoms ranging from $100,000 to $15 million, targeting healthcare providers, non-profits, financial institutions, and government organizations. Their attack methodology includes:

- Exploiting vulnerabilities in public-facing applications, particularly Microsoft Exchange Server
- Likely utilizing initial access brokers to breach networks
- Deploying remote management tools like SimpleHelp, AnyDesk, or MeshAgent for persistence
- Using the BYOVD technique with KillAV to terminate antivirus processes
- Leveraging PDQ Deploy for lateral movement and tool deployment
- Utilizing Navicat, RoboCopy, and Rclone for database access and data exfiltration
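Most of the tools in this list are legitimate administration software, so a single sighting is weak evidence; several stages on one host within a short window is the stronger signal. The hunt below is an added example, not code from Symantec or the article: the image names, stage labels, thresholds and sample events are assumptions, and SimpleHelp and KillAV are left out because the article gives no file names for them.

```python
from datetime import datetime, timedelta

# Assumed default image names for tools named in the article. Confirm against
# your own software inventory; binaries can be renamed by an operator.
STAGE_BY_IMAGE = {
    "anydesk.exe": "remote-access",
    "meshagent.exe": "remote-access",
    "pdqdeployrunner-1.exe": "deployment",
    "navicat.exe": "data-access",
    "robocopy.exe": "data-staging",
    "rclone.exe": "exfiltration",
}

# Constructed process-creation events: (host, ISO timestamp, image path).
SAMPLE_EVENTS = [
    ("FS01", "2025-02-10T01:02:00", r"C:\ProgramData\AnyDesk.exe"),
    ("FS01", "2025-02-10T01:40:00", r"C:\Windows\Temp\PDQDeployRunner-1.exe"),
    ("FS01", "2025-02-10T02:15:00", r"C:\Windows\System32\Robocopy.exe"),
    ("FS01", "2025-02-10T03:05:00", r"C:\Users\Public\rclone.exe"),
    ("WS07", "2025-02-10T08:30:00", r"C:\Windows\System32\Robocopy.exe"),
    ("HELPDESK02", "2025-02-10T09:00:00", r"C:\Program Files\AnyDesk.exe"),
    ("HELPDESK02", "2025-02-12T14:00:00", r"C:\Windows\System32\Robocopy.exe"),
]

def image_name(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def hunt(events, window=timedelta(hours=6), min_stages=3):
    """Return {host: sorted stages} for hosts where at least min_stages
    distinct stages start inside one sliding window."""
    per_host = {}
    for host, ts, path in events:
        stage = STAGE_BY_IMAGE.get(image_name(path))
        if stage:
            per_host.setdefault(host, []).append((datetime.fromisoformat(ts), stage))
    flagged = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            stages = {s for t, s in hits[i:] if t - start <= window}
            if len(stages) >= min_stages:
                flagged[host] = sorted(stages)
                break
    return flagged

if __name__ == "__main__":
    for host, stages in hunt(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
```

Matching on image name alone misses renamed binaries, so in production pair this with signer or original-file-name fields from your EDR telemetry.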

Symantec notes that Spearwing, like most ransomware groups, targets large organizations across various sectors and is “driven purely by profit, and not by any ideological or moral considerations.”
