Following the pattern of most modern ransomware operators, Spearwing and its affiliates implement double extortion attacks, first stealing victims’ data before encrypting networks to increase pressure on victims to pay ransoms. In almost all observed Medusa attacks, the operators employ a technique known as Bring Your Own Vulnerable Driver (BYOVD), deploying KillAV and associated vulnerable drivers to disable security software and evade detection.

The recent decline of well-known ransomware groups like Noberus and LockBit following law enforcement actions in 2023 and 2024 has created opportunities for groups like Medusa to expand their operations and fill the resulting gap in the ransomware ecosystem. Medusa ransomware attacks have surged by 42% between 2023 and 2024, with activity continuing to escalate into 2025. The growing prevalence of these attacks can be clearly seen in the data visualization from the Medusa leaks site, which tracks the steadily increasing attack frequency over the past two years. Almost twice as many Medusa attacks were observed in January and February 2025 compared to the first two months of 2024, indicating a concerning trend in this evolving threat landscape.

When Medusa operators compromise a network, they typically utilize remote management and monitoring software such as SimpleHelp or AnyDesk to establish access and download additional tools. Ransoms demanded by attackers using the Medusa ransomware have varied widely, ranging from $1,000 up to $15 million, with victims typically given 10 days to pay. What makes Medusa particularly challenging for forensic analysis is its ability to delete itself from victim machines once encryption is complete, complicating investigation efforts into these increasingly prevalent attacks.
The ransomware contains sophisticated capabilities, accepting multiple arguments that perform various tasks, including version display (-V), system folder exclusion (-f), network drive usage (-n), and self-deletion prevention (-d).

Analysts at Symantec noted that the Medusa ransomware is reportedly operated as a ransomware-as-a-service (RaaS) by a group tracked as Spearwing. The ransomware itself adds the .medusa extension to encrypted files and drops a ransom note named !READ_ME_MEDUSA!!!.txt on affected systems. Since becoming active in early 2023, Spearwing has accumulated hundreds of victims, with almost 400 organizations listed on their data leaks site, though the actual number is likely much higher. Medusa attacks follow a distinctive pattern, with PDQ Deploy being a particularly common tool in their arsenal.
This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 10 Mar 2025 14:00:13 +0000