The threat actor behind the Medusa ransomware has claimed nearly 400 casualties since its first appearance in January 2023, and the financially motivated attack witnessed a 42% increase between 2023 and 2024.
According to data from the Symantec Threat Hunter team, in the first two months of 2025 alone, the group claims more than 40 attacks. Cybersecurity companies track clusters under the name Spearwing.
“Like most ransomware operators, Spearwing and its affiliates will carry out double horror attacks, stealing victims’ data and putting pressure on victims to encrypt their networks and paying ransom,” Symantec said.
“If the victim refuses to pay, the group will threaten to release the stolen data from the data leak site.”
Other ransomware (RAAS) players as services like Ransomhub (aka Greenbottle and Cyclops), Play (aka Balloonfly), Qilin (aka Agenda, Stinkbug, and Water Galura) have benefited from the disruption of Blackbit and Blackcat’s chaos, a threat to rockbit and blackcat’s chaos. By two prolific fearful lorists.
It has been appearing in the wild in recent months as the ransomware landscape continues to be in fluid state and new Raas operations such as Anubis, Schifer Locker, Core, Dange, lcryx, Roche, Vgod, Xelera are stable.
Medusa has a track record of tough ransoms from healthcare providers and nonprofits ranging from $15 million to $100,000, and targets financial and government organizations.
Attack chains attached to ransomware syndicates primarily utilize known security flaws in published Microsoft Exchange Server applications, providing initial access. It is also suspected that threat actors are using early access brokers to violate networks of interest.
Once the scaffolding is successful, hackers use remote management and monitoring (RMM) software such as simplehelp, anydesk, or meshagent to terminate the antivirus process using Killav, using proven tested tests, using Vulnerable Driver (BYOVD) techniques. It is worth pointing out that Killav has been used previously in black cat ransomware attacks.
“The use of legitimate RMM software PDQ deployments is another feature of Medusa ransomware attacks,” Symantec said. “Usubordinarily, attackers are used to drop other tools and files and move the victim network sideways.”
Other tools deployed during the course of the Medusa ransomware attack include database queries, robo copying, and NAVICAT to access and run RCLONE.
“Like most targeted ransomware groups, Spearwing tends to attack large organizations across a variety of sectors,” Symantec said. “Ransomware groups tend to be driven purely by profit, not ideological or moral considerations.”
Source link
