{
	"id": "f62a44fa-f0f9-4e26-abba-acb18f9b64f0",
	"created_at": "2026-04-06T00:07:30.457065Z",
	"updated_at": "2026-04-10T13:12:34.733839Z",
	"deleted_at": null,
	"sha1_hash": "049f9103a6840ac7135dac8a7d4f555c285639ab",
	"title": "Medusa Ransomware Activity Continues to Increase",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70136,
	"plain_text": "Medusa Ransomware Activity Continues to Increase\r\nArchived: 2026-04-05 13:36:26 UTC\r\nMedusa ransomware attacks jumped by 42% between 2023 and 2024. This increase in activity continues to\r\nescalate, with almost twice as many Medusa attacks observed in January and February 2025 as in the first two\r\nmonths of 2024. \r\nThe Medusa ransomware is reportedly operated as a ransomware-as-a-service (RaaS) by a group Symantec’s\r\nThreat Hunter Team tracks as Spearwing. Like the majority of ransomware operators, Spearwing and its affiliates\r\ncarry out double extortion attacks, stealing victims’ data before encrypting networks in order to increase the\r\npressure on victims to pay a ransom. If victims refuse to pay, the group threatens to publish the stolen data on their\r\ndata leaks site.\r\nSpearwing has amassed hundreds of victims since it first became active in early 2023. The group has listed almost\r\n400 victims on its data leaks site in that time, and the true number of victims is likely to be much higher. Ransoms\r\ndemanded by attackers using the Medusa ransomware have ranged from $100,000 up to $15 million. \r\nAs we discussed in our recent Threat Hunter whitepaper on the topic of ransomware, the decline of well-known\r\nnames like Noberus and LockBit following law enforcement action in 2023 and 2024 left a gap for the rise of new\r\nnames on the ransomware landscape. Among those names are RansomHub and the longer established Qilin. With\r\nits continuing increase in activity, it seems that Medusa could also be taking advantage of this gap in the\r\nransomware scene. 
\r\nThis is a different ransomware to the older MedusaLocker ransomware and Spearwing is not believed to have any\r\nlink to that ransomware.\r\nMedusa in Operation\r\nIt is believed that Spearwing and its affiliates mostly gain access to victim networks by exploiting unpatched\r\nvulnerabilities in public-facing applications, particularly Microsoft Exchange Servers. It has also been reported\r\nthat the group has gained access to some victims by hijacking legitimate accounts, possibly utilizing initial access\r\nbrokers for infiltration. In several of the Medusa attacks observed by Symantec it wasn’t possible to definitively\r\ndetermine how the attackers had gained initial access to victims’ networks, meaning an infection vector other than\r\nexploits could have been used.\r\nA variety of living-off-the-land and dual-use tools have been used in attack chains where the Medusa ransomware\r\nhas been deployed.\r\nOnce they have gained access to a victim network, attackers using Medusa typically use remote management and\r\nmonitoring (RMM) software such as SimpleHelp or AnyDesk for further access and to download drivers. Mesh\r\nhttps://www.security.com/threat-intelligence/medusa-ransomware-attacks\r\nPage 1 of 5\n\nAgent is another remote access tool that has been seen in several Medusa ransomware attacks. Mesh Agent has\r\nbeen appearing more frequently in ransomware attack chains in recent times.\r\nAttackers using Medusa often use the Bring Your Own Vulnerable Driver (BYOVD) technique in attacks, where\r\nattackers will deploy a signed vulnerable driver to the target network, which they then exploit to disable security\r\nsoftware and evade detection. BYOVD is a technique that has been increasingly used in ransomware attack chains\r\nover the last two years. 
In almost all Medusa attacks, KillAV and associated vulnerable drivers are used in this part\r\nof the attack chain to download drivers and disable security software.\r\nThe use of the legitimate RMM software PDQ Deploy is another hallmark of Medusa ransomware attacks. It is\r\ntypically used by the attackers to drop other tools and files and to move laterally across the victim network.  \r\nSymantec researchers observed the same file path being used with PDQ Deploy to deploy Medusa in almost two-thirds of the Medusa ransomware attacks we investigated in the last year (see Box 1).\r\nOther tools used by Spearwing and its affiliates include Navicat, a tool used to access and run database queries,\r\nwhich is likely used by the attackers to search for and copy relevant data for exfiltration. RoboCopy is another\r\ntool that has been used by Medusa attackers in a similar fashion, while attackers using Medusa have also been\r\nseen using Rclone for data exfiltration. Attackers have also commonly used network scanners like NetScan as part\r\nof their attack chain, while they have also used various tools for credential dumping and to delete shadow copies\r\nfrom victim machines.\r\nThe tactics, techniques, and procedures (TTPs) used by attackers deploying Medusa have remained consistent\r\nsince it became active in 2023, with PDQ Deploy, the use of remote access clients, and the BYOVD technique to\r\ndisable security software being particular hallmarks of Medusa ransomware attack chains. The consistency of the\r\nTTPs used in Medusa attacks does raise the question as to whether Spearwing is truly operating as a RaaS. The\r\nconsistency of the tactics may indicate a few things:\r\n1. The group is carrying out attacks itself as well as developing the ransomware.\r\n2. The group works with just one or a very small number of affiliates.\r\n3. 
Spearwing provides affiliates with not just the ransomware, but also a playbook as to how the attacks\r\nshould be carried out and the attack chain to use.\r\nIt is difficult to say which one of the above might apply to Spearwing’s activity, but it seems that the group doesn’t\r\nnecessarily operate as a “typical” RaaS that works with a lot of affiliates who may use varying TTPs. \r\nSee below for brief descriptions of some of the tools most used in Medusa attacks:\r\nAnyDesk: A legitimate remote desktop application. It and similar tools are often used by attackers to\r\nobtain remote access to computers on a network.\r\nKillAVDriver: A driver file used to help terminate security processes.\r\nKillAV: Used to deploy a kernel driver for terminating security processes.\r\nMesh Agent: Publicly available software that allows remote device access and management.\r\nNavicat: Legitimate graphical database management and development software.\r\nNetScan: SoftPerfect Network Scanner (netscan.exe), a publicly available tool used for the discovery of\r\nhost names and network services.\r\nPDQ Deploy: A legitimate software tool that allows users to manage patching on multiple software\r\npackages in addition to deploying custom scripts.\r\nPDQ Inventory: A legitimate software tool that allows users to inventory software on network machines.\r\nSimpleHelp: Remote desktop software that provides remote access and control of a device.\r\nRclone: Open-source tool that can legitimately be used to manage content in the cloud, but has been seen\r\nbeing abused by ransomware actors to exfiltrate data from victim machines.\r\nRobocopy: A command-line file transfer utility for Microsoft Windows.\r\nThe .medusa extension is added to encrypted files and a ransom note named !READ_ME_MEDUSA!!!.txt is\r\ndropped on encrypted machines. 
Medusa can also delete itself from victim machines once the ransomware is executed,\r\nwhich makes it more difficult for those investigating these ransomware attacks. The ransom demanded by the\r\ngroup varies depending on the victims. Victims are given 10 days to pay and are charged $10,000 per day if they\r\nwant to extend this deadline. The attackers provide screenshots of stolen data to prove that they have\r\ncompromised victims' networks. If victims fail to pay, Spearwing will publish the stolen data on its leaks site. \r\nWhile there is no link between Medusa and MedusaLocker, in a relatively early Medusa attack, in June 2023,\r\nattackers deploying Medusa used drivers that were related to ones previously used in a BlackCat (aka Noberus)\r\nattack described by Trend Micro. It wasn’t clear if those drivers were publicly available, or if these two instances\r\npointed to a sharing of tools or affiliates by Medusa and BlackCat. No further evidence has appeared to suggest\r\nlinks between the two groups, though it is possible that they may have affiliates or members in common.\r\nLike most targeted ransomware groups, Spearwing tends to attack large organizations across a range of sectors.\r\nRansomware groups tend to be driven purely by profit, and not by any ideological or moral considerations.\r\nMedusa has been publicly documented as demanding ransoms from healthcare providers and non-profits, as well\r\nas targeting financial and government organizations.\r\nCase Study: Medusa Attack\r\nIn an attack investigated by Symantec’s Threat Hunter team in January 2025, Medusa was used to target a\r\nhealthcare organization in the U.S., where it infected several hundred machines.\r\nThe initial access vector used in this attack is not known. The first attacker activity occurred on this network four\r\ndays before the ransomware was deployed. 
Once the attacker was on the victim network they staged multiple tools\r\nfor persistence, lateral movement, and to impair defenses. Most of the tools were staged under the\r\nCSIDL_PROFILE\\documents folder.\r\nSome of the early attacker activity on this network included:\r\nExecuting VSS admin to create shadow copies:\r\nvssadmin create shadow /for=C:\r\nAccessing ntds.dit for credential dumping.\r\nInstalling SimpleHelp and Mesh Agent onto victim machines:\r\nCSIDL_PROFILE\\documents\\mesh.exe -fullinstall\r\nCSIDL_PROFILE\\documents\\SN.exe\r\nDropping AVKiller and a driver under the documents folder on a machine. The attackers used the known\r\nPOORTRY driver, as well as one unknown driver, for the purposes of killing security software during this attack:\r\nCSIDL_PROFILE\\documents\\2Gk8.exe\r\nCSIDL_PROFILE\\documents\\smuot.sys\r\nOn the day of the ransomware attack, Rclone was deployed on the victim network for data exfiltration. The\r\nattackers used a renamed version of Rclone - lsp.exe. Rclone was found under:\r\nCSIDL_SYSTEM_DRIVE\\temp\r\nOn the day the ransomware was deployed, the attacker switched to another machine and started staging tools. The\r\nattacker used PsExec to execute commands on this machine remotely.\r\nIt executed the following commands on this machine:\r\nquser\r\nnet user\r\nCSIDL_SYSTEM\\net1 user \u003c? |comma| ?\u003e default [REDACTED] /domain\r\nThe attacker then dropped and installed SimpleHelp:\r\ncsidl_profile\\documents\\mx.exe\r\nThey then attempted to create a shadow copy of the C drive but used an incorrect command. 
This is notable as it\r\npoints to hands-on-keyboard activity, rather than this being an automated attack:\r\nvssadmin create dhadow /for=C:\r\nThe attacker then corrected the command and executed again:\r\nvssadmin create shadow /for=C:\r\nThe attacker then dumped the ntds.dit file, before deleting the shadow copy:\r\nvssadmin delete shadows /shadow=\r\nThey then dropped and installed AnyDesk, and used this to download PDQ Deploy and PDQ Inventory onto the\r\nmachine:\r\nCSIDL_PROFILE\\documents\\anydesk.exe\r\nThe attacker then opened an RDP session to another machine, and this is the last activity that occurred on this\r\nmachine.\r\nOn the other machine, the attacker dropped PDQ Deploy, PDQ Inventory, and SimpleHelp under the same\r\ndirectory, before PDQ Deploy and PDQ Inventory were installed under the programs directory and SimpleHelp\r\nunder the common appdata directory. The attacker used PDQ Inventory to get an inventory of the endpoints on the\r\nnetwork. PDQ Deploy then used this information to deploy the AVKiller binary and driver under the Windows\r\ndirectory to all the endpoints and execute it.\r\nThe attacker then used PDQ Deploy to transfer the ransomware binary and execute it. The ransomware had the\r\nfile name gaze.exe.\r\nThe ransomware didn’t encrypt files with the following extensions:\r\n.dll\r\n.exe\r\n.lnk\r\n.MEDUSA\r\nIt also didn’t encrypt content in the following folders:\r\nWindowsOld\r\nPerflogs\r\nMsocache\r\nProgramFiles\r\nProgramFilesX86\r\nProgramdata\r\nThe ransomware contained an encoded list of the services and processes it wanted to terminate. It used the key\r\n0x2e to decode the strings and use them with net stop \u003cservice\u003e \u0026 taskkill /F /IM \u003cprocess\u003e /T.\r\nThe ransomware dropped its ransom note—!READ_ME_MEDUSA!!!.txt—into every directory it encrypted. 
The\r\nransomware was then able to delete itself once it was executed.\r\nMedusa has multiple arguments that perform various tasks. The list of accepted arguments for the ransomware\r\nused in this attack can be seen in Box 2.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nIf an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.\r\nSource: https://www.security.com/threat-intelligence/medusa-ransomware-attacks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.security.com/threat-intelligence/medusa-ransomware-attacks"
	],
	"report_names": [
		"medusa-ransomware-attacks"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434050,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/049f9103a6840ac7135dac8a7d4f555c285639ab.pdf",
		"text": "https://archive.orkl.eu/049f9103a6840ac7135dac8a7d4f555c285639ab.txt",
		"img": "https://archive.orkl.eu/049f9103a6840ac7135dac8a7d4f555c285639ab.jpg"
	}
}