Medusa Ransomware Surges, Targeting Critical Infrastructure with Double Extortion Tactics
The Medusa ransomware operation, tracked by Symantec as Spearwing, has claimed nearly 400 victims since its emergence in January 2023, with attacks rising 42% between 2023 and 2024. In the first two months of 2025 alone, more than 40 incidents have been attributed to the group, signaling aggressive expansion amid the disruption of other major ransomware-as-a-service (RaaS) players such as LockBit and BlackCat.
Medusa employs double extortion, stealing sensitive data before encrypting networks to pressure victims into paying ransoms ranging from $100,000 to $15 million. Targets span the healthcare, financial services, government, education, legal, and manufacturing sectors, many of them within critical infrastructure. If victims refuse to pay, the group threatens to leak the stolen data via its dedicated leak site.
Attack Methods & Tools
Medusa’s intrusion chains often begin with the exploitation of known vulnerabilities in public-facing applications, particularly Microsoft Exchange Server, or with access purchased from initial access brokers. Once inside, the attackers deploy remote management tools such as SimpleHelp, AnyDesk, and MeshAgent for persistence, and use the Bring Your Own Vulnerable Driver (BYOVD) technique to disable antivirus software with KillAV, a tactic previously seen in BlackCat attacks.
Other tools in Medusa’s arsenal include:
- PDQ Deploy for lateral movement and payload delivery
- Navicat for database access
- RoboCopy and Rclone for data exfiltration
- Advanced IP Scanner and SoftPerfect Network Scanner for reconnaissance
- Ligolo and Cloudflared to tunnel command-and-control (C2) traffic past network controls
The group also relies on living-off-the-land (LotL) techniques: PowerShell commands passed Base64-encoded to defeat string-based detection, Mimikatz for credential theft, and legitimate remote-access and execution tools such as ConnectWise (ScreenConnect) and PsExec to move laterally without standing out.
Evasion & Triple Extortion Risks
Medusa actors take steps to evade detection, including deleting PowerShell command histories and terminating endpoint detection and response (EDR) tools. In at least one case, a victim who had paid the ransom was later contacted by a separate Medusa affiliate, who claimed the original negotiator had stolen the funds and demanded an additional payment, suggesting a potential triple extortion scheme.
CISA Advisory & Historical Context
A joint advisory from CISA, the FBI, and MS-ISAC, released on March 12, 2025, revealed that Medusa has compromised over 300 critical infrastructure victims as of December 2024. The group, unrelated to MedusaLocker or the Medusa mobile malware, first appeared in June 2021 as a closed ransomware variant before shifting to an affiliate-based model. While affiliates execute attacks, core developers retain control over ransom negotiations.
Recent campaigns have exploited vulnerabilities in ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet EMS (CVE-2023-48788). Despite the volatility of the RaaS landscape, with new groups such as Anubis, LCRYX, and Xelera emerging, Medusa has established itself as a persistent threat, ranking among the top ransomware actors in late 2024.
Source: https://thehackernews.com/2025/03/medusa-ransomware-hits-40-victims-in.html
{
"id": "CISSYMFBIFOR1768715192",
"linkid": "cisagov, symantec, fbi, fortinet",
"type": "Cyber Attack",
"date": "6/2021",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
}
{'affected_entities': [{'industry': ['Critical infrastructure'],
'type': ['Healthcare',
'Financial services',
'Government',
'Education',
'Legal',
'Manufacturing']}],
'attack_vector': ['Exploiting known vulnerabilities in public-facing '
'applications',
'Initial access brokers'],
'data_breach': {'data_encryption': True,
'data_exfiltration': True,
'personally_identifiable_information': True,
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Sensitive data (including '
'personally identifiable '
'information)'},
'date_publicly_disclosed': '2025-03-12',
'description': 'The Medusa ransomware operation, tracked by Symantec as '
'*Spearwing*, has claimed nearly 400 victims since its '
'emergence in January 2023, with attacks rising 42% between '
'2023 and 2024. The group employs double extortion, stealing '
'sensitive data before encrypting networks to pressure victims '
'into paying ransoms. Targets span healthcare, financial '
'services, government, education, legal, and manufacturing '
'sectors, many within critical infrastructure. Medusa uses a '
'variety of tools and techniques for intrusion, evasion, and '
'data exfiltration, including exploiting vulnerabilities in '
'public-facing applications and employing living-off-the-land '
'(LotL) techniques.',
'impact': {'data_compromised': 'Sensitive data stolen before encryption',
'financial_loss': 'Ransoms ranging from $100,000 to $15 million',
'identity_theft_risk': 'High (due to data exfiltration)'},
'initial_access_broker': {'entry_point': ['Exploiting vulnerabilities in '
'public-facing applications',
'Initial access brokers']},
'motivation': ['Financial gain', 'Data extortion'],
'post_incident_analysis': {'root_causes': ['Exploitation of known '
'vulnerabilities',
'Use of remote management tools '
'for persistence',
'Living-off-the-land techniques']},
'ransomware': {'data_encryption': True,
'data_exfiltration': True,
'ransom_demanded': '$100,000 to $15 million',
'ransomware_strain': 'Medusa (Spearwing)'},
'references': [{'date_accessed': '2025-03-12',
'source': 'CISA, FBI, MS-ISAC Joint Advisory'},
{'source': 'Symantec (Spearwing tracking)'}],
'regulatory_compliance': {'regulatory_notifications': ['CISA',
'FBI',
'MS-ISAC']},
'threat_actor': 'Medusa (Spearwing)',
'title': 'Medusa Ransomware Surges, Targeting Critical Infrastructure with '
'Double Extortion Tactics',
'type': 'Ransomware',
'vulnerability_exploited': ['Microsoft Exchange Server',
'ConnectWise ScreenConnect (CVE-2024-1709)',
'Fortinet EMS (CVE-2023-48788)']}