Medusa Ransomware – Active IOCs

Severity

High

Analysis Summary

The Medusa ransomware group has claimed nearly 400 victims since its emergence in January 2023, with attacks rising 42% from 2023 to 2024. In early 2025 alone, the group launched over 40 attacks, according to Symantec's research team, which tracks the group as Spearwing. Medusa operates a double extortion model: it steals data before encrypting systems and threatens to leak it if victims refuse to pay ransoms ranging from $100,000 to $15 million.

Following disruptions to LockBit and BlackCat, Medusa appears to be filling the gap, alongside other emerging ransomware-as-a-service (RaaS) groups like RansomHub, Play, Qilin, Anubis, CipherLocker, and Xelera. The group's primary targets include healthcare, non-profits, financial institutions, and government organizations.

Medusa gains initial access by exploiting vulnerabilities in public-facing applications, especially Microsoft Exchange Server, and likely collaborates with initial access brokers. Once inside, attackers deploy remote management tools like SimpleHelp, AnyDesk, and MeshAgent for persistence and use Bring Your Own Vulnerable Driver (BYOVD) techniques via KillAV to disable antivirus defenses.

They also leverage PDQ Deploy for lateral movement and drop additional tools such as Navicat for database access and RoboCopy and Rclone for data exfiltration. Symantec emphasizes that Spearwing attacks large organizations across multiple sectors, prioritizing financial gain over ideological motives. The ransomware landscape remains in flux, with Medusa capitalizing on recent disruptions to established cybercriminal groups.

Impact

  • Security Bypass
  • Financial Loss
  • Data Exfiltration

Indicators of Compromise

MD5

  • e6f8eff9b25e4bed709a188db459587d
  • f4f22e22520cd80ca5d56fccac0aa619
  • 7cfefe093b45ee763c047585ccd9c43e
  • 8ff1f8563f3374db82b1d790fa9dd51e
  • 9e82ee5bde6b5d29281a3c280e6d1f2e
  • 03af2bf85923ce0fda7c20f8f82839c9
  • 9f829f7343d5d5da7c397fa6efda4a4e

SHA-256

  • c28fa95a5d151d9e1d7642915ec5a727a2438477cae0f26f0557b468800111f9
  • dbe480495be5abc23437b5e916fa0368c617e4dbd58d9ed7ea303b102a6dc3b1
  • b1553dfee1da93fd2dedb0755230ce4e21d4cb78cfc369de29d29d04db1fe013
  • 5f9d864d11c79b34c4502edba7d0e007197d0df086a6fb9d6bfda84a1771ff0f
  • b7703a59c39a0d2f7ef6422945aaeaaf061431af0533557246397551b8eed505
  • df6cb5199c272c491b3a7ac44df6c4c279d23f7c09daed758c831b26732a4851
  • 9632d7e4a87ec12fdd05ed3532f7564526016b78972b2cd49a610354d672523c

SHA-1

  • 5a55edf81ace94378e9d1349c76c1d68e5f3cdbc
  • a220fdb0bb8af79f9ccfeeb1d007181cfadbd612
  • a17689181b789724ae47f9e6646ab732064c3dd3
  • 5dba3d91c5347e7bb9afd6a0ece4204f97f47a18
  • 75f85caea52fe5a124fa77e2934abd3161690add
  • 54547180a99474b0dba289d92c4a8f3eea78b531
  • 211500fa181ee200bf9bdd42a1ab0288a7f0cf69
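The hashes above are only useful once they are swept against hosts. The following script is an added example (not Rewterz tooling) that streams every file under a directory through MD5, SHA-1 and SHA-256 in a single read pass and reports any digest that appears in the IOC lists. The IOC values are copied from this advisory; the directory to scan is whatever the operator passes on the command line.

```python
"""Hash-based IOC sweep for the Medusa indicators listed in this advisory."""
import hashlib
import os
import sys

# Digests copied from the advisory above, normalised to lowercase hex.
IOCS = {
    "md5": {
        "e6f8eff9b25e4bed709a188db459587d", "f4f22e22520cd80ca5d56fccac0aa619",
        "7cfefe093b45ee763c047585ccd9c43e", "8ff1f8563f3374db82b1d790fa9dd51e",
        "9e82ee5bde6b5d29281a3c280e6d1f2e", "03af2bf85923ce0fda7c20f8f82839c9",
        "9f829f7343d5d5da7c397fa6efda4a4e",
    },
    "sha1": {
        "5a55edf81ace94378e9d1349c76c1d68e5f3cdbc", "a220fdb0bb8af79f9ccfeeb1d007181cfadbd612",
        "a17689181b789724ae47f9e6646ab732064c3dd3", "5dba3d91c5347e7bb9afd6a0ece4204f97f47a18",
        "75f85caea52fe5a124fa77e2934abd3161690add", "54547180a99474b0dba289d92c4a8f3eea78b531",
        "211500fa181ee200bf9bdd42a1ab0288a7f0cf69",
    },
    "sha256": {
        "c28fa95a5d151d9e1d7642915ec5a727a2438477cae0f26f0557b468800111f9",
        "dbe480495be5abc23437b5e916fa0368c617e4dbd58d9ed7ea303b102a6dc3b1",
        "b1553dfee1da93fd2dedb0755230ce4e21d4cb78cfc369de29d29d04db1fe013",
        "5f9d864d11c79b34c4502edba7d0e007197d0df086a6fb9d6bfda84a1771ff0f",
        "b7703a59c39a0d2f7ef6422945aaeaaf061431af0533557246397551b8eed505",
        "df6cb5199c272c491b3a7ac44df6c4c279d23f7c09daed758c831b26732a4851",
        "9632d7e4a87ec12fdd05ed3532f7564526016b78972b2cd49a610354d672523c",
    },
}


def hash_bytes(data: bytes) -> dict:
    """Return MD5/SHA-1/SHA-256 hex digests of an in-memory blob."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Feed one read pass of the file into all three hashers at once."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_digests(digests: dict) -> list:
    """Return (algorithm, digest) pairs present in the IOC set; case-insensitive."""
    hits = []
    for algo, digest in digests.items():
        value = digest.lower()
        if value in IOCS.get(algo, set()):
            hits.append((algo, value))
    return hits


def scan_directory(root: str) -> list:
    """Walk root and return [(path, [(algo, digest), ...])] for matching files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = match_digests(hash_file(path))
            except OSError:
                continue  # locked or unreadable file: skip it, do not abort the sweep
            if hits:
                findings.append((path, hits))
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_directory(target):
        for algo, digest in hits:
            print(f"MATCH {path} {algo}={digest}")
```

Run it as `python ioc_sweep.py C:\Users` (or any directory). Reading each file once and updating all three hashers from the same chunk keeps the sweep I/O-bound rather than tripling disk reads; unreadable files are skipped so a single locked file does not end the scan.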

Remediation

  • Regularly update and patch vulnerabilities, especially in public-facing applications like Microsoft Exchange Server.
  • Implement strong authentication (MFA) and limit administrative privileges.
  • Deploy advanced EDR/XDR solutions to detect and block malicious activities.
  • Restrict lateral movement by segmenting critical systems.
  • Audit and restrict the use of remote management software like PDQ Deploy, AnyDesk, and SimpleHelp.
  • Maintain offline, encrypted backups and test restoration processes regularly.
  • Stay updated on emerging ransomware tactics and IOCs (Indicators of Compromise).
  • Conduct regular cybersecurity awareness training to prevent phishing and social engineering attacks.
  • Develop and test an incident response plan to quickly mitigate attacks.
  • Enforce a zero-trust architecture to minimize unauthorized access risks.
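The remote-management and transfer tools named in this advisory (SimpleHelp, AnyDesk, MeshAgent, PDQ Deploy, Rclone, RoboCopy, Navicat) are all legitimate software, so the practical control is the audit item above: know where each tool is allowed to run and alert on everything else. The script below is an added example, not Rewterz's or Symantec's code, that applies that rule to constructed process-creation events. The event field names, the substring patterns used to recognise each tool, and the per-tool host allow-list are assumptions to be adapted to the EDR or Sysmon feed in use.

```python
"""Flag executions of the advisory's tooling on hosts not approved for it."""
from collections import namedtuple
from typing import Optional

Finding = namedtuple("Finding", "host user tool image reason")

# Tool families named in the advisory. The substrings are assumed to appear in
# the image path or command line; first matching family wins.
TOOL_PATTERNS = {
    "SimpleHelp": ("simplehelp",),
    "AnyDesk": ("anydesk",),
    "MeshAgent": ("meshagent",),
    "PDQ Deploy": ("pdqdeploy", "pdq deploy", "pdq-deploy"),
    "Rclone": ("rclone",),
    "RoboCopy": ("robocopy",),
    "Navicat": ("navicat",),
}

# Assumed allow-list: the only hosts where each tool is expected to run.
APPROVED = {
    "AnyDesk": {"helpdesk-01"},
    "PDQ Deploy": {"pdq-server"},
}

# Constructed sample events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "helpdesk-01", "user": "svc_helpdesk",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "command_line": ""},
    {"host": "fileserver-02", "user": "jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe", "command_line": ""},
    {"host": "sql-01", "user": "svc_backup",
     "image": r"C:\Windows\Temp\rclone.exe", "command_line": r"rclone.exe copy D:\Exports remote:"},
    {"host": "pdq-server", "user": "svc_pdq",
     "image": r"C:\Program Files\PDQ Deploy\PDQDeployService.exe", "command_line": ""},
    {"host": "ws-17", "user": "asmith",
     "image": r"C:\Windows\System32\robocopy.exe", "command_line": r"robocopy C:\Data \\ws-17\share"},
    {"host": "ws-17", "user": "asmith",
     "image": r"C:\Windows\explorer.exe", "command_line": ""},
]


def identify_tool(image: str, command_line: str) -> Optional[str]:
    """Map an image path / command line onto one of the advisory's tool families."""
    haystack = f"{image} {command_line}".lower()
    for tool, needles in TOOL_PATTERNS.items():
        if any(n in haystack for n in needles):
            return tool
    return None


def audit_events(events: list, approved: dict) -> list:
    """Return a Finding for every tool execution on a host not approved for that tool."""
    findings = []
    for ev in events:
        tool = identify_tool(ev.get("image", ""), ev.get("command_line", ""))
        if tool is None:
            continue
        if ev["host"] in approved.get(tool, set()):
            continue  # sanctioned use: the tool is expected on this host
        findings.append(Finding(
            host=ev["host"],
            user=ev.get("user", "?"),
            tool=tool,
            image=ev.get("image", ""),
            reason=f"{tool} executed on a host not approved for it",
        ))
    return findings


if __name__ == "__main__":
    for f in audit_events(SAMPLE_EVENTS, APPROVED):
        print(f"{f.host:14} {f.user:14} {f.tool:12} {f.image}  ({f.reason})")
```

On the constructed events this reports AnyDesk on fileserver-02, Rclone on sql-01 and RoboCopy on ws-17, while the approved AnyDesk and PDQ Deploy instances stay quiet. RoboCopy in particular will be noisy in most estates; the allow-list, not the pattern list, is the intended tuning point, so that a tool appearing outside its sanctioned hosts is always visible.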