Recent findings from Symantec indicate a significant rise in Medusa ransomware activity, which is reportedly being operated as a ransomware-as-a-service (RaaS) by a group identified by Symantec’s Threat Hunter Team as Spearwing. The attacks employing this ransomware have demonstrated consistent tactics, techniques, and procedures (TTPs), with a steady increase observed since 2023. 

The data disclosed that Medusa ransomware attacks surged 42 percent between 2023 and 2024. This upward trend continues, with nearly double the number of Medusa attacks recorded in January and February 2025 compared to the same period in 2024. In the first two months of 2025, the group has already claimed over 40 attacks. 

“Like the majority of ransomware operators, Spearwing and its affiliates carry out double extortion attacks, stealing victims’ data before encrypting networks in order to increase the pressure on victims to pay a ransom. If victims refuse to pay, the group threatens to publish the stolen data on their data leaks site,” Symantec researchers detailed in a Thursday post. “Spearwing has amassed hundreds of victims since it first became active in early 2023. The group has listed almost 400 victims on its data leaks site in that time, and the true number of victims is likely to be much higher. Ransoms demanded by attackers using the Medusa ransomware have ranged from $100,000 up to $15 million.”

Symantec reported a decline of well-known names like Noberus and LockBit following law enforcement action in 2023 and 2024, which left a gap for the rise of new names on the ransomware landscape. “Among those names are RansomHub and the longer established Qilin. With its continuing increase in activity, it seems that Medusa could also be taking advantage of this gap in the ransomware scene. This is a different ransomware to the older MedusaLocker ransomware, and Spearwing is not believed to have any link to that ransomware,” it added.

Symantec noted that, like most targeted ransomware groups, Spearwing tends to attack large organizations across various sectors. Ransomware groups tend to be driven purely by profit and not by any ideological or moral considerations. Medusa has been publicly documented as demanding ransoms from healthcare providers and non-profits, as well as targeting financial and government organizations.

Data released by BlackFog in February showed that the financially motivated group Medusa accounted for 5 percent, with ransom demands exceeding $40 million. Medusa’s dark web posts provided a bit of insight into this ransomware group, with ransom demands appearing on the majority of claims. In 2024, ransom demands by the group exceeded $40 million, with over 26 percent of their disclosed attacks demanding a ransom of over $1 million. 

The researchers believed that Spearwing and its affiliates mostly gain access to victim networks by exploiting unpatched vulnerabilities in public-facing applications, particularly Microsoft Exchange Servers. At times, the group has gained access to some victims by hijacking legitimate accounts, possibly utilizing initial access brokers for infiltration. In several of the Medusa attacks observed by Symantec, it wasn’t possible to definitively determine how the attackers had gained initial access to victims’ networks, meaning an infection vector other than exploits could have been used.

Various living-off-the-land and dual-use tools have been used in attack chains where the Medusa ransomware has been deployed.

“Once they have gained access to a victim network, attackers using Medusa typically use remote management and monitoring (RMM) software such as SimpleHelp or AnyDesk for further access and to download drivers,” Symantec said. “Mesh Agent is another remote access tool that has been seen in several Medusa ransomware attacks. Mesh Agent has been appearing more frequently in ransomware attack chains in recent times.”

Attackers using Medusa often use the ‘Bring Your Own Vulnerable Driver’ (BYOVD) technique in attacks, where attackers will deploy a signed vulnerable driver to the target network, which they then exploit to disable security software and evade detection. BYOVD is a technique that has been increasingly used in ransomware attack chains over the last two years. In almost all Medusa attacks, KillAV and associated vulnerable drivers are used in this part of the attack chain to download drivers and disable security software.

Using the legitimate RMM software PDQ Deploy is another hallmark of Medusa ransomware attacks. It is typically used by the attackers to drop other tools and files and to move laterally across the victim network.

Other tools used by Spearwing and its affiliates include Navicat, a tool used to access and run database queries, which is likely used by the attackers to search for and copy relevant data for exfiltration. RoboCopy is another tool that has been similarly used by Medusa attackers, while attackers using Medusa have also been seen using Rclone for data exfiltration. Attackers have also commonly used network scanners like NetScan as part of their attack chain. At the same time, they have also used various tools for credential dumping and to delete shadow copies from victim machines.

The tactics, techniques, and procedures (TTPs) used by attackers deploying Medusa have remained consistent since it became active in 2023, with PDQ Deploy, the use of remote access clients, and the BYOVD technique to disable security software being particular hallmarks of Medusa ransomware attack chains. The consistency of the TTPs used in the Medusa attacks raises the question of whether Spearwing is truly operating as a RaaS.
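The hallmarks listed above (RMM clients, a vulnerable driver loaded for BYOVD, PDQ Deploy, Rclone or RoboCopy exfiltration, shadow-copy deletion) are individually noisy in most environments but rarely co-occur on one host. The following is an added detection example, not code from Symantec or the article: it correlates constructed process-creation and driver-load events per host and flags hosts that hit several distinct stages of the chain. Tool names come from the report; the driver-path pattern and all sample events are assumptions constructed for illustration, not known Medusa indicators.

```python
"""Correlate per-host events against the Medusa attack-chain stages described in the
Symantec report. All events below are constructed samples, not real telemetry."""
import re
from collections import defaultdict
from typing import Optional

# (stage, regex over "type image cmd"). Tool names are from the report; the driver
# rule is a generic "driver loaded from a user-writable path" heuristic, not an IoC.
STAGE_RULES = [
    ("remote_access", re.compile(r"\\(anydesk|simplehelp|meshagent)[^\\]*\.exe", re.I)),
    ("byovd_driver", re.compile(r"driverload .*\\(users|programdata|temp)\\.*\.sys", re.I)),
    ("deployment", re.compile(r"pdq ?deploy", re.I)),
    ("exfiltration", re.compile(r"\\(rclone|robocopy)\.exe .*(copy|sync|move|mir)", re.I)),
    ("shadow_delete", re.compile(r"vssadmin(\.exe)? +delete +shadows", re.I)),
    ("recon", re.compile(r"\\netscan\.exe", re.I)),
]

def classify(event: dict) -> Optional[str]:
    """Return the first attack-chain stage an event matches, or None."""
    text = f"{event['type']} {event['image']} {event.get('cmd', '')}"
    for stage, rx in STAGE_RULES:
        if rx.search(text):
            return stage
    return None

def correlate(events, min_stages: int = 3) -> dict:
    """Group stage hits by host; hosts with >= min_stages distinct stages are flagged."""
    hits = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            hits[ev["host"]].add(stage)
    return {host: sorted(stages) for host, stages in hits.items() if len(stages) >= min_stages}

# Constructed sample events; "type" mirrors Sysmon's ProcessCreate / DriverLoad naming.
SAMPLE_EVENTS = [
    {"host": "FS01", "type": "ProcessCreate", "image": r"C:\Users\svc\AppData\Local\AnyDesk\AnyDesk.exe"},
    {"host": "FS01", "type": "DriverLoad", "image": r"C:\Users\svc\AppData\Local\Temp\placeholder_vuln.sys"},
    {"host": "FS01", "type": "ProcessCreate", "image": r"C:\Program Files\PDQ Deploy\PDQDeployService.exe"},
    {"host": "FS01", "type": "ProcessCreate", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"host": "FS01", "type": "ProcessCreate", "image": r"C:\ProgramData\rclone.exe",
     "cmd": r"rclone.exe copy D:\Finance remote:bucket"},
    # A workstation with only a help-desk RMM client and a routine backup job: two stages, not flagged.
    {"host": "WS22", "type": "ProcessCreate", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe"},
    {"host": "WS22", "type": "ProcessCreate", "image": r"C:\Windows\System32\Robocopy.exe",
     "cmd": r"robocopy D:\Data \\backup\share /MIR"},
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: Medusa-like chain, stages hit = {stages}")
```

The threshold is the tuning knob: a host that only runs AnyDesk or RoboCopy is ordinary, but one that also loads a driver from a temp directory and deletes shadow copies matches the chain the report describes.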

The researchers emphasized that the consistent tactics suggest the group both develops the ransomware and carries out the attacks itself, working with only one or a small number of affiliates. Spearwing supplies these affiliates with the ransomware and a detailed playbook outlining how the attacks should be conducted and the specific attack chain to follow.

“While there is no link between Medusa and MedusaLocker, in a relatively early Medusa attack in June 2023, attackers deploying Medusa used drivers that were related to ones previously used in a BlackCat (aka Noberus) attack described by Trend Micro,” the researchers noted. “It wasn’t clear if those drivers were publicly available or if these two instances pointed to a sharing of tools or affiliates by Medusa and BlackCat. No further evidence has appeared to suggest links between the two groups, though it is possible that they may have affiliates or members in common.”
