Medusa Ransomware: Rising Threat with Nearly 400 Victims Since 2023
The Medusa ransomware gang has significantly increased its attacks, claiming nearly 400 victims since its emergence in January 2023

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

The Medusa ransomware gang has significantly increased its attacks, claiming nearly 400 victims since its emergence in January 2023. Recent reports indicate that the financially motivated cybercriminals have escalated their operations, with a 42% rise in attacks between 2023 and 2024.
A Surge in Attacks in 2025
In just the first two months of 2025, Medusa has already been linked to over 40 new attacks, according to the Symantec Threat Hunter Team. The cybersecurity firm, tracking this cluster under the name Spearwing, highlights that Medusa follows the double extortion model—stealing victims’ sensitive data before encrypting their systems to maximize pressure for ransom payments.
“If victims refuse to pay, the group threatens to publish the stolen data on their data leak site,” Symantec noted in a recent report.
The surge in Medusa infections raises the possibility that the group is trying to fill the gap left by LockBit and BlackCat, two of the most prolific ransomware operations until both went offline in 2024: LockBit was disrupted by an international law enforcement operation, and BlackCat shut down after an apparent exit scam that followed an earlier FBI disruption. Other ransomware-as-a-service (RaaS) groups, such as RansomHub, Play, and Qilin, have similarly capitalized on this shift in the cyber extortion landscape.
Medusa’s Expanding Target List
Medusa is known for demanding ransoms ranging from $100,000 to $15 million, impacting a variety of sectors including:
Healthcare providers
Non-profits
Financial institutions
Government agencies
Attack Techniques: Exploiting Security Flaws
Medusa ransomware attacks typically begin with the exploitation of known vulnerabilities in public-facing applications, Microsoft Exchange Server in particular. Symantec also considers it possible that Medusa affiliates buy footholds or stolen credentials from initial access brokers (IABs), a separate route into victim networks alongside direct exploitation.
Once inside the victim’s network, Medusa actors use remote management and monitoring (RMM) tools such as:
SimpleHelp
AnyDesk
MeshAgent
To evade defenses, Medusa actors also employ the Bring Your Own Vulnerable Driver (BYOVD) technique: a legitimately signed but vulnerable driver is loaded and then abused from kernel context to terminate antivirus processes, using a tool Symantec refers to as KillAV. The same approach has previously been linked to BlackCat ransomware attacks.
Use of Legitimate Tools for Lateral Movement
To expand their control within a compromised network, Medusa operators utilize various legitimate IT tools:
PDQ Deploy – Used to drop additional malicious tools and move laterally.
Navicat – Enables access to databases and execution of queries.
Robocopy & Rclone – Used to copy data out of the network before encryption, so the stolen files can be held as leverage for the double extortion.
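The tools listed in the two sections above are all legitimate software, so the practical detection question is not "is this binary malicious" but "does this host show an unapproved remote-access or deployment tool together with exfiltration or driver tampering". The following Python script is an added example, not code from the Symantec report or from Cyber Syrup: it runs over constructed, Sysmon-style process-creation and driver-load events and escalates hosts that show that combination. The image basenames, the driver-path heuristic for BYOVD, and the renamed-rclone command-line heuristic are assumptions about how these tools usually appear and should be tuned to your own telemetry.

```python
"""Triage process telemetry for the tooling the post attributes to Medusa affiliates.

Added example (not from the original post or from Symantec). Events are constructed
inline in a Sysmon-like shape; image names and paths are assumptions.
"""
import re
from collections import defaultdict

# (stage, tool, regex on the lower-cased image basename). Basenames are assumptions
# about how each tool typically appears on disk; adjust to what your EDR reports.
SIGNATURES = [
    ("rmm",    "SimpleHelp", r"^(simplehelp|remote access|jwrapper-remote access)\.exe$"),
    ("rmm",    "AnyDesk",    r"^anydesk\.exe$"),
    ("rmm",    "MeshAgent",  r"^meshagent(64)?\.exe$"),
    ("deploy", "PDQ Deploy", r"^pdqdeploy(runner)?(-\d+)?\.exe$"),
    ("db",     "Navicat",    r"^navicat\.exe$"),
    ("exfil",  "Robocopy",   r"^robocopy\.exe$"),
    ("exfil",  "Rclone",     r"^rclone\.exe$"),
]
COMPILED = [(stage, tool, re.compile(rx)) for stage, tool, rx in SIGNATURES]

# A renamed rclone still needs a verb and a "remote:path" target; a drive letter
# ("C:") is excluded by requiring two or more characters before the colon. Heuristic.
RCLONE_CMD = re.compile(r"\b(copy|copyto|sync|move)\b.*\s[a-z][\w-]+:\S*", re.IGNORECASE)

# Drivers normally load from the system drivers directory; a BYOVD payload is usually
# dropped somewhere user-writable first. Heuristic, not a signature for KillAV itself.
TRUSTED_DRIVER_DIR = re.compile(r"^c:\\windows\\system32\\drivers\\", re.IGNORECASE)


def basename(path):
    """Last path component, lower-cased, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return (stage, tool) for one event, or None when it matches nothing."""
    if event["type"] == "driver_load":
        if not TRUSTED_DRIVER_DIR.match(event["image"]):
            return ("evasion", "driver loaded from outside system drivers dir")
        return None
    name = basename(event["image"])
    for stage, tool, rx in COMPILED:
        if rx.match(name):
            return (stage, tool)
    if RCLONE_CMD.search(event.get("cmdline", "")):
        return ("exfil", "rclone-like command line")
    return None


def analyze(events, approved_rmm=frozenset()):
    """Group hits per host and escalate hosts that combine an unapproved RMM or
    deployment tool with exfiltration or driver tampering."""
    hits = defaultdict(list)
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        stage, tool = hit
        if stage == "rmm" and tool in approved_rmm:
            continue  # the help desk's sanctioned tool is not a finding on its own
        hits[ev["host"]].append((ev["ts"], stage, tool, ev["user"]))
    report = {}
    for host, rows in hits.items():
        stages = {row[1] for row in rows}
        escalate = bool(stages & {"rmm", "deploy"}) and bool(stages & {"exfil", "evasion"})
        report[host] = {"findings": sorted(rows), "escalate": escalate}
    return report


# Constructed sample telemetry: one host showing the full chain, one legitimate
# help-desk AnyDesk session, a routine backup job, and a normal PDQ deployment.
SAMPLE_EVENTS = [
    {"type": "process", "ts": "2025-02-10T02:11:05Z", "host": "EXCH01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\ProgramData\JWrapper-Remote Access\Remote Access.exe", "cmdline": ""},
    {"type": "driver_load", "ts": "2025-02-10T02:14:30Z", "host": "EXCH01", "user": "",
     "image": r"C:\Users\Public\Temp\vuln_driver.sys", "cmdline": ""},
    {"type": "process", "ts": "2025-02-10T02:40:12Z", "host": "EXCH01", "user": "CORP\\svc-backup",
     "image": r"C:\Users\Public\rc.exe",
     "cmdline": r"rc.exe copy --config C:\Users\Public\rc.conf D:\Shares\Finance remote:drop"},
    {"type": "process", "ts": "2025-02-10T09:02:00Z", "host": "WS-HELPDESK", "user": "CORP\\helpdesk",
     "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"type": "process", "ts": "2025-02-10T23:00:00Z", "host": "FS02", "user": "CORP\\svc-backup",
     "image": r"C:\Windows\System32\Robocopy.exe", "cmdline": r"Robocopy.exe D:\Shares E:\Backup /MIR"},
    {"type": "process", "ts": "2025-02-10T10:15:00Z", "host": "DC01", "user": "CORP\\admin",
     "image": r"C:\Windows\AdminArsenal\PDQDeployRunner\service-1\exec\PDQDeployRunner-1.exe", "cmdline": ""},
]

if __name__ == "__main__":
    for host, info in analyze(SAMPLE_EVENTS, approved_rmm={"AnyDesk"}).items():
        print(host, "ESCALATE" if info["escalate"] else "review", info["findings"])
```

With AnyDesk on the approved list, only EXCH01 is escalated: it shows an unapproved remote-access tool, a driver loaded from a temp directory, and a renamed rclone copying a share to a remote. The lone Robocopy run on the file server and the PDQ Deploy run from the domain controller are recorded for review but not escalated, which keeps a backup job or routine deployment from paging anyone on its own.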
The Ransomware Landscape in Flux
The ransomware ecosystem remains highly volatile, with numerous new RaaS groups emerging, including:
Anubis
CipherLocker
Core
Dange
LCRYX
Loches
Vgod
Xelera
Despite law enforcement crackdowns on major ransomware groups, new threats continue to emerge, exploiting vulnerabilities in both public and private organizations.
Conclusion: Medusa’s Profit-Driven Operations
Symantec’s research underscores that Medusa’s operations are driven solely by financial motives, with no ideological or moral considerations. The group’s rapid expansion, advanced techniques, and adaptability make it one of the most concerning ransomware threats in the current landscape.
As ransomware attacks continue to evolve, organizations must remain vigilant by:
Regularly patching vulnerabilities in public-facing applications, Exchange Server above all given its role as Medusa's primary entry point.
Implementing strong authentication and monitoring that can surface the activity described above: unexpected remote-access agents, deployment tooling used outside change windows, bulk copying with Robocopy or Rclone, and driver loads from unusual locations.
Restricting remote administration tools to an inventoried, approved set and alerting on any other RMM agent that appears on the network.
Cybersecurity professionals and businesses must stay proactive in defending against these evolving threats, as Medusa and other ransomware groups show no signs of slowing down.