
Medusa Ransomware Attacks on the Rise – Source: www.securityweek.com


Medusa ransomware attacks continue to climb: according to a Symantec report, the number of incidents in the first two months of 2025 was roughly double that of the same period in 2024, a trend that has drawn concern across the cybersecurity community.

First observed in early 2023, Medusa operates under a ransomware-as-a-service (RaaS) model. Its affiliates have targeted organizations in healthcare, manufacturing, education and other sectors, with victims in the US, Australia, Israel, India, Portugal, the UK, the UAE and elsewhere.

The operator behind Medusa, tracked as Spearwing by Symantec and as Storm-1175 by Microsoft, uses double extortion: victims' data is stolen before encryption, and the group threatens to publish it unless the ransom is paid. Its Tor-based leak site lists roughly 400 victims, and ransom demands have ranged from $100,000 to $15 million.

Symantec's data shows that Medusa attacks grew 42% between 2023 and 2024, and the increase has continued into 2025. With law enforcement disrupting other major ransomware operations such as BlackCat and LockBit, Medusa, alongside groups like RansomHub and Qilin, has moved to fill the gap.

For initial access, Medusa affiliates exploit unpatched vulnerabilities in internet-facing servers and appliances, Microsoft Exchange Server in particular, and have also been observed exploiting flaws in VMware ESXi and Mirth Connect. In some intrusions they logged in with legitimate credentials, which Symantec suggests may have been obtained from initial access brokers.

Once inside a network, the attackers rely on legitimate remote-access and software-deployment tools for persistence and lateral movement, among them AnyDesk, Mesh Agent, PDQ Deploy and SimpleHelp. They disable security software by loading vulnerable signed drivers (the bring-your-own-vulnerable-driver technique), exfiltrate data, and delete volume shadow copies so that files cannot be restored after encryption.

Symantec notes that Spearwing develops the Medusa ransomware itself and carries out many of the attacks directly, supplying only a small number of affiliates with the ransomware and an attack playbook. After a successful attack, the victim's files carry the .medusa extension and a ransom note is left behind.
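As an added example, not taken from the SecurityWeek article or from Symantec's report, the script below turns the tradecraft described in the two preceding paragraphs into detection rules and runs them over constructed Windows endpoint events: remote-access tool execution, shadow copy deletion, creation of a kernel-driver service (a common BYOVD installation step), and renames to the .medusa extension. The log format, hostnames, paths, the exact executable names matched by the remote-tool rule and the driver file name `example.sys` are all assumptions made for the example, not indicators from the report.

```python
"""Detect Medusa-style staging activity in endpoint telemetry (added example).

Events are pipe-delimited lines of the form (constructed for this example):
    timestamp|host|event_type|subject|detail
For process_create events, subject is the image path and detail the command
line; for file_rename events, subject is the old path and detail the new one.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Rule name -> (event type it applies to, regex run over "subject detail").
RULES = {
    # Tools Symantec observed in Medusa intrusions; binary names are assumed.
    "remote_access_tool": (
        "process_create",
        re.compile(r"\b(anydesk|meshagent|pdqdeploy|simplehelp)", re.I),
    ),
    # Shadow copy deletion via vssadmin or wmic, the classic pre-encryption step.
    "shadow_copy_deletion": (
        "process_create",
        re.compile(
            r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
            re.I,
        ),
    ),
    # A kernel-mode service being registered for a driver; BYOVD loaders do this.
    "kernel_driver_service_create": (
        "process_create",
        re.compile(r"\bsc(\.exe)?\s+create\b.*type=\s*kernel", re.I),
    ),
    # Files renamed with the .medusa extension after encryption.
    "medusa_extension_rename": ("file_rename", re.compile(r"\.medusa$", re.I)),
}


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    rule: str
    detail: str


def parse_event(line):
    """Split one log line into its five fields; raises ValueError if malformed."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed event: {line!r}")
    ts, host, event_type, subject, detail = parts
    return {"ts": ts, "host": host, "event_type": event_type,
            "subject": subject, "detail": detail}


def match_rules(event):
    """Return the names of every rule whose type matches and whose regex hits."""
    text = f"{event['subject']} {event['detail']}"
    return [name for name, (etype, rx) in RULES.items()
            if event["event_type"] == etype and rx.search(text)]


def scan(lines):
    """Run all rules over the log and return one Finding per (event, rule) hit."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in match_rules(ev):
            findings.append(Finding(ev["ts"], ev["host"], rule, ev["detail"]))
    return findings


def hosts_with_staging_chain(findings, min_rules=2):
    """Hosts on which at least min_rules distinct rules fired.

    A single AnyDesk launch is routine on a helpdesk machine; a remote tool
    followed by a driver install and shadow copy deletion on the same host
    is the hands-on-keyboard staging pattern worth paging someone about.
    """
    by_host = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.rule)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_rules}


# Constructed sample telemetry: one benign admin session and one intrusion.
SAMPLE_LOG = [
    r"2025-01-13T09:02:11Z|HELPDESK-02|process_create|C:\Program Files\AnyDesk\AnyDesk.exe|AnyDesk.exe",
    r"2025-01-14T02:41:55Z|SRV-FILE-01|process_create|C:\Users\svc_backup\AppData\Local\Temp\MeshAgent.exe|MeshAgent.exe -fullinstall",
    r"2025-01-14T02:50:03Z|SRV-FILE-01|process_create|C:\Windows\System32\sc.exe|sc.exe create drvsvc type= kernel binPath= C:\Windows\Temp\example.sys",
    r"2025-01-14T03:12:07Z|SRV-FILE-01|process_create|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    r"2025-01-14T03:12:09Z|SRV-FILE-01|process_create|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete",
    r"2025-01-14T03:15:40Z|SRV-FILE-01|file_rename|C:\Shares\Finance\q4.xlsx|C:\Shares\Finance\q4.xlsx.medusa",
    r"2025-01-14T03:20:00Z|WS-ENG-14|process_create|C:\Windows\System32\notepad.exe|notepad.exe report.txt",
]

if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f.ts} {f.host:12} {f.rule:30} {f.detail}")
    print("hosts with staging chain:", hosts_with_staging_chain(results))
```

On the sample, HELPDESK-02 produces a single remote-access hit and is not escalated, while SRV-FILE-01 trips all four rules within about 35 minutes. In a real deployment the regexes would run over Sysmon event ID 1 (process creation) and event ID 11 or 2 (file events) rather than this flat format, and the host-level correlation would be bounded by a time window.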

In one January 2025 intrusion at a US healthcare organization, the attackers remained in the network undetected for four days before deploying the file-encrypting payload. Based on the commands executed, Symantec assesses that this was a hands-on-keyboard operation rather than an automated one.

As Medusa and similar groups continue to evolve, organizations should patch internet-facing systems promptly (Exchange, ESXi and Mirth Connect among them), protect remote access with multi-factor authentication given the use of stolen credentials, and monitor for the tradecraft described above: unexpected installation of remote-access tools, loading of unusual drivers, and deletion of shadow copies.
