Medusa Ransomware Attacks Grow By 42% With New Tools & Techniques

Medusa ransomware attacks have surged by 42% between 2023 and 2024, with activity continuing to escalate into 2025.

Almost twice as many Medusa attacks were observed in January and February 2025 compared to the first two months of 2024, indicating a concerning trend in this evolving threat landscape.

The growing prevalence of these attacks is clearly visible in the data visualization built from the Medusa leak site, which tracks the steadily increasing attack frequency over the past two years.

Medusa ransomware attacks, 2023-2025 (Source – Symantec)

Analysts at Symantec report that the Medusa ransomware is operated as a ransomware-as-a-service (RaaS) by a group Symantec tracks as Spearwing.

Following the pattern of most modern ransomware operators, Spearwing and its affiliates implement double extortion attacks, first stealing victims’ data before encrypting networks to increase pressure on victims to pay ransoms.

Since becoming active in early 2023, Spearwing has accumulated hundreds of victims, with almost 400 organizations listed on its data leak site, though the actual number is likely much higher.

Ransoms demanded by attackers using the Medusa ransomware have varied widely, ranging from $1,000 up to $15 million, with victims typically given 10 days to pay.

Those seeking deadline extensions are charged an additional $10,000 per day.

The recent decline of well-known ransomware groups like Noberus and LockBit following law enforcement actions in 2023 and 2024 has created opportunities for groups like Medusa to expand their operations and fill the resulting gap in the ransomware ecosystem.

What sets Medusa apart is its consistent attack methodology across victims.

When Medusa operators compromise a network, they typically use remote management and monitoring software such as SimpleHelp or AnyDesk to establish access and download additional tools.

In almost all observed Medusa attacks, the operators employ a technique known as Bring Your Own Vulnerable Driver (BYOVD), deploying KillAV and associated vulnerable drivers to disable security software and evade detection.

Attack Chain

Medusa attacks follow a distinctive pattern, with PDQ Deploy being a particularly common tool in their arsenal.

In nearly two-thirds of investigated Medusa ransomware attacks, researchers observed the same file path being used: csidl_windows\adminarsenal\pdqdeployrunner\service-1\exec with the file name gaze.exe.

Other tools frequently deployed include Navicat for database access, RoboCopy for file manipulation, and Rclone for data exfiltration.

The ransomware itself adds the .medusa extension to encrypted files and drops a ransom note named !READ_ME_MEDUSA!!!.txt on affected systems.

The ransomware accepts multiple command-line arguments that control its behavior, including version display (-V), exclusion of system folders (-f), use of network drives (-n), and prevention of self-deletion (-d).

What makes Medusa particularly challenging for forensic analysis is its ability to delete itself from victim machines once encryption is complete, complicating investigation efforts into these increasingly prevalent attacks.
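As an added example (not code from Symantec's research or from the ransomware itself), the checker below applies the host indicators described in this section to constructed process- and file-creation telemetry: the PDQ Deploy runner path and gaze.exe file name, the -n and -d switches, the ransom note name, and the .medusa extension. It assumes CSIDL_WINDOWS resolves to C:\Windows and a simple tab-separated record format; the sample events are constructed, not real incident data.

```python
# Indicators quoted in the write-up above. CSIDL_WINDOWS normally resolves to
# C:\Windows, so the PDQ path is matched on its directory tail, case-insensitively.
PDQ_EXEC_TAIL = "\\adminarsenal\\pdqdeployrunner\\service-1\\exec"
PAYLOAD_NAME = "gaze.exe"
RANSOM_NOTE = "!read_me_medusa!!!.txt"
ENCRYPTED_EXT = ".medusa"
# Two of the switches the write-up lists, the ones a responder most wants surfaced.
NOTABLE_SWITCHES = {"-n": "network drives targeted", "-d": "self-deletion disabled"}

def check_event(kind: str, path: str, cmdline: str = "") -> list[str]:
    """Reasons one event matches the Medusa indicators; kind is ProcessCreate or FileCreate."""
    directory, _, name = path.lower().rpartition("\\")
    reasons = []
    if kind == "ProcessCreate" and name == PAYLOAD_NAME and directory.endswith(PDQ_EXEC_TAIL):
        reasons.append("gaze.exe launched from PDQ Deploy runner path")
        args = set(cmdline.split())
        reasons += [f"switch {s}: {why}" for s, why in NOTABLE_SWITCHES.items() if s in args]
    elif kind == "FileCreate":
        if name == RANSOM_NOTE:
            reasons.append("Medusa ransom note written")
        elif name.endswith(ENCRYPTED_EXT):
            reasons.append("file renamed with .medusa extension")
    return reasons

def scan(log_text: str) -> list[tuple[str, list[str]]]:
    """Parse tab-separated records (kind<TAB>path[<TAB>cmdline]) and return (path, reasons) per hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        kind, path = fields[0], fields[1]
        reasons = check_event(kind, path, fields[2] if len(fields) > 2 else "")
        if reasons:
            hits.append((path, reasons))
    return hits

# Constructed sample telemetry (not real incident data), in the format scan() expects.
SAMPLE_LOG = (
    "ProcessCreate\tC:\\Windows\\AdminArsenal\\PDQDeployRunner\\service-1\\exec\\gaze.exe\tgaze.exe -n -d\n"
    "ProcessCreate\tC:\\Windows\\System32\\svchost.exe\tsvchost.exe -k netsvcs\n"
    "FileCreate\tC:\\Users\\alice\\Documents\\!READ_ME_MEDUSA!!!.txt\n"
    "FileCreate\tC:\\Users\\alice\\Documents\\q3-report.docx.medusa\n"
    "FileCreate\tC:\\Users\\alice\\Documents\\notes.txt\n"
)

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_LOG):
        print(path, "->", "; ".join(reasons))
```

Because the binary can delete itself after encryption, the process-creation record and the switches it was launched with may be the only trace of the payload left on the host, which is why the checker keeps the command line alongside the path.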


Tushar Subhra Dutta