
The hacker collective behind the Medusa ransomware has targeted nearly 400 organizations over the past two years, with its operational tempo accelerating at an alarming rate. According to Symantec researchers, the group launched more than 40 attacks in just the first two months of 2025, indicating a significant surge in activity.
Symantec tracks this cybercriminal syndicate under the name Spearwing. Like many other ransomware operators, the group employs a double-extortion strategy—first exfiltrating victims’ data before encrypting it, thereby intensifying pressure to secure ransom payments. Should victims refuse to comply, the stolen data is published on the group’s dedicated leak site.
The recent spike in Medusa’s attacks coincides with disruptions within two of the largest ransomware groups—LockBit and BlackCat. Their operational setbacks have created a power vacuum, enabling emerging players like RansomHub, Play, and Qilin to gain traction. Against this backdrop, Medusa is aggressively expanding its reach, seemingly vying for a dominant position in the ransomware landscape.
The ransomware-as-a-service (RaaS) market remains in a state of continuous flux, with new actors constantly emerging. In recent months, attacks have been attributed to newly surfaced RaaS operations, including Anubis, CipherLocker, Core, Dange, LCRYX, Loches, Vgod, and Xelera.
Unlike many of its competitors, Medusa does not confine itself to a specific industry. The group has been observed targeting government agencies, financial institutions, healthcare facilities, and nonprofit organizations alike.
Ransom demands vary widely, ranging from $100,000 to as much as $15 million, depending on the profile and financial capacity of the victim.
Medusa’s entry strategy hinges on exploiting vulnerabilities in publicly accessible services, with Microsoft Exchange Server being a frequent target. Additionally, there is strong evidence suggesting that the group leverages access brokers, purchasing compromised credentials and network footholds from third parties specializing in corporate system breaches.
Once inside a compromised network, Medusa operators deploy remote administration tools, such as SimpleHelp, AnyDesk, and MeshAgent, to retain persistent access.
The group also employs the Bring Your Own Vulnerable Driver (BYOVD) technique, which abuses legitimately signed but vulnerable drivers to disable antivirus defenses from kernel level. Specifically, they utilize the KillAV utility, a tool previously linked to BlackCat operations, to terminate security solutions and evade detection.
One of Medusa’s hallmark tactics is the use of PDQ Deploy, a legitimate remote deployment tool abused to push additional payloads to machines across the victim’s network and so facilitate lateral movement.
Other tools frequently observed in Medusa’s attacks include:
- Navicat – utilized for database access and manipulation
- RoboCopy and Rclone – leveraged for data exfiltration
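The tooling listed above is mostly legitimate software, so a single sighting is weak evidence; what distinguishes the chain described here is several roles (remote access, AV-killer, copy tooling) appearing on one host within hours. The following Python is an added illustration of that correlation, not code from the article or from Symantec; the hosts, paths and timestamps are constructed sample events, and the executable name patterns are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tooling named in the report, keyed by the role it plays in the intrusion (name patterns assumed).
TOOL_ROLES = {
    "remote_access": ("simplehelp", "anydesk", "meshagent"),
    "defense_evasion": ("killav",),
    "deployment": ("pdqdeploy",),
    "exfiltration": ("rclone", "robocopy"),
    "db_access": ("navicat",),
}

# Constructed Sysmon-style process-creation events; hosts, paths and times are made up.
SAMPLE_EVENTS = [
    {"host": "FS01", "ts": "2025-02-10T01:12:04", "image": r"C:\ProgramData\SimpleHelp\remote.exe"},
    {"host": "FS01", "ts": "2025-02-10T01:40:31", "image": r"C:\Windows\Temp\killav.exe"},
    {"host": "FS01", "ts": "2025-02-10T02:05:17", "image": r"C:\Windows\System32\Robocopy.exe"},
    {"host": "FS01", "ts": "2025-02-10T02:06:02", "image": r"C:\Users\Public\rclone.exe"},
    {"host": "WS22", "ts": "2025-02-10T09:00:00", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe"},
    {"host": "WS22", "ts": "2025-02-10T09:00:09", "image": r"C:\Windows\System32\Robocopy.exe"},
    {"host": "DB03", "ts": "2025-02-10T10:30:00", "image": r"C:\Program Files\PremiumSoft\Navicat\navicat.exe"},
]

def classify(image):
    """Map a process image path to a tool role from the report, or None if unrelated."""
    lowered = image.lower()
    for role, tools in TOOL_ROLES.items():
        if any(tool in lowered for tool in tools):
            return role
    return None

def triage(events, window=timedelta(hours=6)):
    """Per host, count distinct tool roles seen within `window` of the first sighting."""
    # One role alone (an admin running robocopy) is noise; three roles in a few hours is the chain.
    per_host = defaultdict(list)
    for event in events:
        role = classify(event["image"])
        if role:
            per_host[event["host"]].append((datetime.fromisoformat(event["ts"]), role))
    findings = {}
    for host, hits in per_host.items():
        hits.sort()
        first = hits[0][0]
        roles = sorted({role for ts, role in hits if ts - first <= window})
        severity = "high" if len(roles) >= 3 else "medium" if len(roles) == 2 else "low"
        findings[host] = {"roles": roles, "severity": severity}
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

On the sample data FS01 (remote access, KillAV, RoboCopy and Rclone within an hour) is escalated to high, WS22 (AnyDesk plus RoboCopy) to medium, and DB03 (Navicat alone) stays low.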
According to Symantec analysts, Medusa and its affiliate groups operate with a purely financial agenda, devoid of any ideological motivations. Their indiscriminate targeting of high-profile enterprises across multiple sectors establishes them as a formidable and escalating threat to the corporate world.