Severity
High
Analysis Summary
The Medusa ransomware group has claimed nearly 400 victims since it emerged in January 2023, with attacks rising 42% from 2023 to 2024. In early 2025 alone the group launched over 40 attacks, according to the Symantec research team, which tracks it as Spearwing. Medusa operates a double-extortion model: it steals data before encrypting systems and threatens to leak it if victims refuse to pay ransoms ranging from $100,000 to $15 million.
Following disruptions to LockBit and BlackCat, Medusa appears to be filling the gap, alongside other emerging ransomware-as-a-service (RaaS) groups like RansomHub, Play, Qilin, Anubis, CipherLocker, and Xelera. The group's primary targets include healthcare, non-profits, financial institutions, and government organizations.
Medusa gains initial access by exploiting vulnerabilities in public-facing applications, especially Microsoft Exchange Server, and likely collaborates with initial access brokers. Once inside, attackers deploy remote management tools like SimpleHelp, AnyDesk, and MeshAgent for persistence and use Bring Your Own Vulnerable Driver (BYOVD) techniques via KillAV to disable antivirus defenses.
They also leverage PDQ Deploy for lateral movement and drop additional tools such as Navicat for database access, and RoboCopy and Rclone for data exfiltration. Symantec emphasizes that Spearwing attacks large organizations across multiple sectors, prioritizing financial gain over ideological motives. The ransomware landscape remains in flux, with Medusa capitalizing on recent disruptions to established cybercriminal groups.
Impact
- Security Bypass
- Financial Loss
- Data Exfiltration
Indicators of Compromise
Remediation
- Regularly update and patch vulnerabilities, especially in public-facing applications like Microsoft Exchange Server.
- Implement strong authentication (MFA) and limit administrative privileges.
- Deploy advanced EDR/XDR solutions to detect and block malicious activities.
- Restrict lateral movement by segmenting critical systems.
- Audit and restrict the use of remote management software like PDQ Deploy, AnyDesk, and SimpleHelp.
- Maintain offline, encrypted backups and test restoration processes regularly.
- Stay updated on emerging ransomware tactics and IOCs (Indicators of Compromise).
- Conduct regular cybersecurity awareness training to prevent phishing and social engineering attacks.
- Develop and test an incident response plan to quickly mitigate attacks.
- Enforce a zero-trust architecture to minimize unauthorized access risks.
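The remediation item on auditing remote management software, together with the exfiltration tooling named in the analysis, can be turned into a simple triage rule over process-creation telemetry. The script below is an added example, not code from the advisory; the log line format (host|user|image|command_line), the sample events and the allowlist that treats PDQ Deploy as the organisation's sanctioned tool are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Tool families named in the advisory, keyed by executable base name (lowercase, no extension).
REMOTE_MGMT = {"simplehelp", "anydesk", "meshagent", "pdqdeploy"}
# Hypothetical allowlist: the one remote-management product this organisation sanctions.
APPROVED_REMOTE_MGMT = {"pdqdeploy"}
# rclone addresses cloud backends as "remote:path"; a single letter before ':' is a local drive.
RCLONE_REMOTE = re.compile(r"\s([A-Za-z0-9_-]{2,}):\S*")
# robocopy writing to a UNC share (\\host\share) rather than a local drive.
UNC_TARGET = re.compile(r"\s\\\\[^\s\\]+\\\S+")

@dataclass
class Finding:
    host: str
    user: str
    tool: str
    reason: str

def image_base_name(path: str) -> str:
    """'C:\\Tools\\rclone.exe' -> 'rclone'."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def triage(log_lines):
    """Return one Finding per process-creation event that matches an advisory tool pattern."""
    findings = []
    for line in log_lines:
        host, user, image, cmdline = line.rstrip("\n").split("|", 3)  # constructed format
        tool = image_base_name(image)
        if tool in REMOTE_MGMT and tool not in APPROVED_REMOTE_MGMT:
            findings.append(Finding(host, user, tool, "remote management tool not on allowlist"))
        elif tool == "rclone" and RCLONE_REMOTE.search(cmdline):
            findings.append(Finding(host, user, tool, "rclone transfer to a configured remote"))
        elif tool == "robocopy" and UNC_TARGET.search(cmdline):
            findings.append(Finding(host, user, tool, "robocopy to a network share"))
    return findings

# Constructed sample events in the format host|user|image|command_line (not real telemetry).
SAMPLE_LOG = [
    r"WS01|corp\alice|C:\Program Files\PDQ Deploy\PDQDeploy.exe|PDQDeploy.exe --service",
    r"SRV02|corp\svc_backup|C:\Windows\System32\robocopy.exe|robocopy D:\Data E:\Backup /MIR",
    r"SRV02|corp\bob|C:\Users\bob\AppData\Local\Temp\AnyDesk.exe|AnyDesk.exe --start-service",
    r"DB01|corp\bob|C:\Tools\rclone.exe|rclone.exe copy D:\Exports mega:dump --transfers 8",
    r"DB01|corp\bob|C:\Tools\MeshAgent.exe|MeshAgent.exe -fullinstall",
    r"FS01|corp\bob|C:\Windows\System32\robocopy.exe|robocopy D:\Finance \\10.0.0.5\stage /E",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.host} {f.user}: {f.tool} - {f.reason}")
```

The local robocopy backup and the allowlisted PDQ Deploy service are deliberately left unflagged so the rule produces findings only for tooling the organisation has not sanctioned.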