The threats of the actors standing for Medusa ransomware Almost 400 victims appeared for the first time when financially motivated attacks appeared in January 2023, which observed an increase of 42% from 2023 to 2024.
In the first two months of 2025, the group stated more than 40 attacks, according to the Symantec hunting teams in a report that is shared with Hacker News. Cybersecurity tracks cluster called Spearwing.
“Like most ransom operators, Spearwing and its branches conduct double required attacks by stealing the victims before encryption noted.
“If the victims refuse to pay, the group threatens to publish stolen data on the data leak site.”
While other players (RAAS) such as RansomHub (aka Greenbottle and Cyclops), Play (AKA Balloonfly) and Qilin (AKA, Drymbug and Water Galra) profit Due to the lock and black cat disorders, the spike in jellyfish causes the actor the threat can also seek to fill the gap left by two fruitful ransomware.
Development occurs when the ransomers continues to remain in a condition of the flowwith a permanent flow of new RAAS operations eg Anubis. Slate. Core. Two. Lcryx. Cock. Vgodand Xeleraarising in the wild in recent months.
Medusa has results that require ransom somewhere from 100,000 to $ 15 million from health care workers and non -profit organizations, as well as focus on financial and state organizations.
The attack networks established by the redemption syndicate provides for the operation of well -known security deficiencies in applications facing the public, mainly Microsoft Exchange Server to gain original access. It is also suspected that the threat subjects are likely to use initial brokers to violate interesting networks.
Once gaining a succassive foothold, the Hackers Drop Use Remote Management and Monitoring (RMM) Software Such As Simplehelp, Anydesk, OR MESHAGENT FOR PERSICENT ACCESS, and EMPLY THE TRIED-ADE Vulnerable Driver (BYOVD) Technique to Terminate Antivirus Processes Using Killav. It is worth noting that Killav was previously used in Blackcat Ransomware attacks.
“Using the legitimate RMM Software PDQ Deploy is another feature of Medusa Ransomware attacks,” Symantec said. “Usually it is used by attackers to give up other tools and files and to move to the side of the victims.”
Some of the other tools deployed during the Medusa Ransomware attack include Navicat to access and launch database requests, robocopy and RCLONE for data exploration.
“Like most target ransomware groups, Spearwing seeks to attack large organizations in a number of sectors,” Symantec said. “The ransom group is usually caused solely by profits, not for ideological and moral reasons.”
