Medusa ransomware has claimed over 40 victims in the first two months of 2025, including a confirmed attack on a US healthcare organization.
That is almost double the number of Medusa attacks observed in January and February 2024, according to new analysis by Symantec's threat hunting team.
In total, Medusa has listed almost 400 victims on its data leaks site since first becoming active in early 2023.
The cybersecurity firm believes the true number of victims is likely much higher. The findings do not account for victims who paid a ransom to stop the stolen information being published.
Ransoms demanded by attackers using the Medusa ransomware have ranged from $100,000 up to $15m.
Medusa's claimed victims have increased over the past year. The ransomware operators have likely taken advantage of the decline of big name ransomware-as-a-service (RaaS) groups such as BlackCat and LockBit following law enforcement action in 2023 and 2024.
Medusa is believed to be operated as RaaS by a group Symantec tracks as Spearwing.
The current Medusa ransomware is different to the older MedusaLocker variant, to which Spearwing is not believed to have any link.
How Medusa Attackers Operate
Medusa uses double-extortion tactics, stealing victims' data before encrypting networks in order to increase the pressure on victims to pay a ransom.
The researchers believe that Spearwing and its affiliates usually gain initial access by exploiting unpatched vulnerabilities in public-facing applications, particularly Microsoft Exchange Servers.
They then deploy a range of living-off-the-land and legitimate tools to evade detection, achieve lateral movement and exfiltrate data before encrypting systems.
These include:
- Remote management and monitoring (RMM) software such as SimpleHelp or AnyDesk to download drivers
- The RMM PDQ Deploy to drop other tools and move laterally across the victim network
- Use of the Bring Your Own Vulnerable Driver (BYOVD) technique, in which attackers deploy a signed vulnerable driver to the target network, which they then exploit to disable security software and evade detection
- Tools used to search for and copy relevant data for exfiltration, such as Navicat and RoboCopy
Once the ransomware is executed, the .medusa extension is added to encrypted files and a ransom note named !READ_ME_MEDUSA!!!.txt is dropped on encrypted machines.
The ransom amount demanded varies depending on the victim, who is given 10 days to pay and charged $10,000 per day if they want to extend this deadline.
Medusa can also delete itself from victim machines once the ransomware has run, making it harder for investigators to determine the source of the attack.
The Symantec researchers said the Medusa TTPs have remained consistent since early 2023. This suggests that Spearwing works with a small number of affiliates and provides them with a playbook on how the attacks should be carried out and the attack chain to use.
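Because the ransomware binary may remove itself, the two filesystem artefacts named above (the .medusa extension and the !READ_ME_MEDUSA!!!.txt note) are often what an investigator has left to triage a host. The following is an added example, not code from the article or from Symantec; the flagging threshold and the constructed sample tree are assumptions for illustration.

```python
"""Host triage helper for the Medusa artefacts described above.

Walks a directory tree, counts files carrying the .medusa extension per
directory and records any copy of the ransom note, then flags the host.
The ``min_encrypted`` threshold is an assumed value; tune it per environment.
"""
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".medusa"              # extension appended to encrypted files
RANSOM_NOTE = "!READ_ME_MEDUSA!!!.txt"  # ransom note dropped on encrypted hosts


def scan_tree(root):
    """Return (Counter of .medusa files per directory, list of ransom note paths)."""
    encrypted, notes = Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted[dirpath] += 1
    return encrypted, notes


def assess(root, min_encrypted=5):
    """Summarise findings; flag the host if a note exists or enough files are encrypted."""
    encrypted, notes = scan_tree(root)
    total = sum(encrypted.values())
    return {
        "encrypted_files": total,
        "affected_dirs": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "likely_encrypted": bool(notes) or total >= min_encrypted,
    }


def build_sample(root):
    """Create a constructed sample tree (empty placeholder files, not real artefacts)."""
    docs = os.path.join(root, "docs")
    os.makedirs(docs, exist_ok=True)
    for i in range(3):
        open(os.path.join(docs, f"report{i}.docx{ENCRYPTED_EXT}"), "w").close()
    with open(os.path.join(docs, RANSOM_NOTE), "w") as fh:
        fh.write("constructed sample note\n")
    open(os.path.join(root, "readme.txt"), "w").close()  # untouched file
    return root


def run_demo():
    """Assess a constructed infected tree and an empty tree; return both results."""
    with tempfile.TemporaryDirectory() as hit, tempfile.TemporaryDirectory() as clean:
        return assess(build_sample(hit)), assess(clean)


if __name__ == "__main__":
    print(run_demo())
```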
Medusa Ransomware Attacks on Healthcare
Symantec highlighted a Medusa attack on an unnamed US healthcare organization in January 2025, which infected hundreds of machines.
The attacker activity first occurred on the network four days before the ransomware was deployed, highlighting the trend of increased dwell time in victim networks to identify valuable data to exfiltrate.
The researchers found indications of "hands-on-keyboard activity" rather than it being an automated attack.
In a new analysis, consumer website Comparitech reported that seven of the 959 confirmed ransomware attacks in February impacted healthcare.
Comparitech found that Medusa was responsible for three of the seven healthcare attacks, two in the US and one in the UK.
- SimonMed Imaging – Medusa claimed on its site that it stole 2013 GB of data from the medical imaging provider. However, the US firm said it had "interrupted" the attackers and no data was encrypted
- Bell Ambulance – the Wisconsin-based ambulance provider notified staff of an attack in mid-February. Medusa claimed it had issued a $400,000 ransom demand to the firm for the 212 GB it had stolen
- HCRG Care Group – the independent UK care group confirmed it had suffered a ransomware attack. Medusa claimed to have issued a $2m ransom demand after the alleged theft of almost 2.3 TB of data