Medusa Ransomware Targeted Over 40 Organizations in 2025
In a concerning development, the Medusa ransomware gang has claimed responsibility for over 40 attacks between January and February 2025. This surge in activity marks a significant increase from previous years, with experts tracking nearly 400 victims since January 2023. The Symantec Threat Hunter Team has reported a staggering 42% rise in attacks carried out by the Medusa ransomware group between 2023 and 2024.
A Growing Threat Landscape
The Medusa ransomware operators have been carrying out double extortion attacks, stealing victims' sensitive data before encrypting their networks. This tactic is designed to increase pressure on organizations to pay a ransom, with demands ranging from $100,000 to $15 million. The group has been targeting known vulnerabilities, primarily in Exchange Server, and is believed to rely on initial access brokers to gain access to target infrastructure.
Using RMM Tools and Tactics
The Medusa ransomware attackers have been employing a range of tools and tactics to maintain persistence and exfiltrate data. Remote monitoring and management (RMM) tools like SimpleHelp and AnyDesk are used to maintain access to the compromised network, while BYOVD (bring your own vulnerable driver) with KillAV is employed to disable antivirus software. The group also uses PDQ Deploy to drop tools and files and to move laterally across victim networks.
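Because the tooling named above (AnyDesk, SimpleHelp, PDQ Deploy) is also legitimate administration software, the practical defensive control is to know where it is allowed to run and alert on everything else. The script below is an added example, not code from the article or from Symantec: it takes process-creation events (the field names, the executable path patterns, the sample events and the allowlist of approved hosts are all assumptions constructed for illustration) and flags RMM or deployment-tool launches on hosts that are not approved for them, noting when the parent is services.exe, which is the service-style start an attacker uses to keep a foothold.

```python
"""Flag RMM / deployment-tool launches on hosts not approved for them.

Added example (not from the article or Symantec). The event schema,
executable path patterns, approved-host list and sample events are
assumptions; in practice the events would come from Sysmon Event ID 1
or an EDR's process-creation telemetry.
"""
from __future__ import annotations

from dataclasses import dataclass

# Case-insensitive substrings matched against the full image path.
# Assumed binary/folder names; confirm against your own software inventory.
TOOL_PATTERNS = {
    "AnyDesk": ("anydesk",),
    "SimpleHelp": ("simplehelp",),
    "PDQ Deploy": ("pdqdeploy", "pdq deploy"),
}

# Hosts where each tool is expected (constructed values for this example).
APPROVED_HOSTS = {
    "AnyDesk": {"HELPDESK01"},
    "SimpleHelp": set(),          # assumed: not licensed in this environment
    "PDQ Deploy": {"DEPLOY01"},
}

SERVICE_START = "started under services.exe (persistence indicator)"
INTERACTIVE_START = "interactive launch on non-approved host"


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    tool: str
    image: str
    reason: str


def classify_image(image: str) -> str | None:
    """Return the tool whose pattern appears in the image path, else None."""
    lowered = image.lower()
    for tool, patterns in TOOL_PATTERNS.items():
        if any(p in lowered for p in patterns):
            return tool
    return None


def triage(events, approved=APPROVED_HOSTS) -> list[Alert]:
    """Return one Alert per tool launch on a host not approved for that tool."""
    alerts: list[Alert] = []
    for ev in events:
        tool = classify_image(ev["image"])
        if tool is None:
            continue
        if ev["host"].upper() in approved.get(tool, set()):
            continue  # expected use on an approved host, no alert
        parent_name = ev["parent"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        reason = SERVICE_START if parent_name == "services.exe" else INTERACTIVE_START
        alerts.append(Alert(ev["host"], ev["user"], tool, ev["image"], reason))
    return alerts


# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "HELPDESK01", "user": "CORP\\helpdesk",
     "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe",
     "parent": "C:\\Windows\\explorer.exe"},
    {"host": "FS01", "user": "CORP\\svc_backup",
     "image": "C:\\ProgramData\\AnyDesk\\AnyDesk.exe",
     "parent": "C:\\Windows\\System32\\services.exe"},
    {"host": "DC01", "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\ProgramData\\SimpleHelp\\Remote Access.exe",
     "parent": "C:\\Windows\\System32\\services.exe"},
    {"host": "DEPLOY01", "user": "CORP\\admin",
     "image": "C:\\Program Files (x86)\\Admin Arsenal\\PDQ Deploy\\PDQDeploy.exe",
     "parent": "C:\\Windows\\explorer.exe"},
    {"host": "WS-204", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\AdminArsenal\\PDQDeployRunner\\exec\\PDQDeployRunner-1.exe",
     "parent": "C:\\Windows\\System32\\services.exe"},
    {"host": "WS-101", "user": "CORP\\asmith",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "parent": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.host}] {a.tool} by {a.user}: {a.reason} ({a.image})")
```

Running the script on the constructed events produces three alerts (FS01, DC01, WS-204) and stays silent for the approved helpdesk and deployment hosts. The allowlist is what makes this usable: alerting on every RMM binary drowns analysts, while alerting on RMM binaries outside the hosts that own them surfaces exactly the foothold-building described in the article.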
A Focus on Healthcare, Non-Profits, Finance, and Government
The Medusa ransomware gang has been targeting organizations in healthcare, non-profit sectors, finance, and government. This focus on high-value targets suggests that the group is prioritizing sectors with significant resources and sensitive data. Experts speculate that the ransomware group relies on these tactics to maximize their profits.
A Shift in the RaaS Landscape
The emergence of Medusa ransomware marks a shift in the RaaS (Ransomware-as-a-Service) landscape, which has seen disruptions to LockBit and BlackCat. This evolution highlights the need for stronger cybersecurity defenses as threat actors continue to adapt and innovate.
A Message from Symantec
The researchers at Symantec conclude that "Like most targeted ransomware groups, Spearwing tends to attack large organizations across a range of sectors." They also note that "Ransomware groups tend to be driven purely by profit, and not by any ideological or moral considerations."
A Call to Action
As the threat landscape continues to evolve, it is essential for organizations to prioritize cybersecurity and take proactive measures to protect themselves against targeted ransomware attacks. By staying informed and vigilant, businesses can reduce their risk of falling victim to Medusa ransomware and other emerging threats.