Medusa Ransomware Surges: Over 40 Attacks in Two Months, Healthcare Hit

Article Highlights
Off On

In a startling surge, Medusa ransomware has claimed over 40 victims within the first two months of 2025, notably including a confirmed attack on a prominent US healthcare organization. This marks an alarming increase compared to the same period in 2024 when there were significantly fewer recorded attacks. According to Symantec’s threat hunting team, this recent uptick almost doubles the number of Medusa-related incidents observed in the previous year. Since its emergence in early 2023, Medusa ransomware has consistently targeted various sectors, listing nearly 400 victims on its data leaks site. However, experts believe the true number of victims is significantly higher, as many organizations choose to pay the ransom without reporting the breach.

Attack Methods and Tactics

Medusa operates as a ransomware-as-a-service (RaaS) orchestrated by a group known as Spearwing. This iteration of Medusa should not be confused with the older MedusaLocker variant. Spearwing employs sophisticated double-extortion tactics, which involve stealing sensitive data before encrypting network files. This tactic compels victims to pay the ransom, fearing the public release of their sensitive information. Spearwing usually gains initial access to networks by exploiting unpatched vulnerabilities in public-facing applications. Frequently, Microsoft’s Exchange Servers are popular targets. Once inside the network, attackers use legitimate tools and sophisticated methods to avoid detection and move laterally within the compromised environment.

Spearwing’s operational toolkit includes remote management software like SimpleHelp or AnyDesk for maintaining persistent access. Tools like PDQ Deploy aid in lateral movement across the network, while techniques such as Bring Your Own Vulnerable Driver (BYOVD) help disable security software. Other utilities like Navicat and RoboCopy are employed for data extraction and exfiltration. Upon executing the ransomware, Medusa adds the .medusa extension to encrypted files and leaves a ransom note titled !READ_ME_MEDUSA!!!.txt. Victims are typically given 10 days to pay the ransom, with the amount increasing by $10,000 each day they seek to extend the deadline.

Impact on Healthcare and Other Victims

In January 2025, one significant attack targeted an unnamed US healthcare organization, affecting hundreds of devices across its network. Attackers reportedly remained active on the network for four days, exhibiting a deliberate strategy to identify valuable data. This attack underscored a trend of increased dwell time, allowing attackers to maximize the value of the data they exfiltrate. Medusa’s capability to delete itself from victim systems post-ransom execution has further complicated investigation efforts, making it exceptionally challenging for cybersecurity teams to trace and study the attack in detail.

Comparitech, a consumer website, reported that out of 959 confirmed ransomware attacks in February 2025, seven targeted healthcare organizations. Medusa was responsible for three of these incidents, including attacks on SimonMed Imaging in the US, Bell Ambulance in Wisconsin, and HCRG Care Group in the UK. Each of these incidents involved varying ransom demands and data theft claims, highlighting Medusa’s adaptability and relentlessness in its operations. The healthcare sector appears particularly vulnerable due to the critical nature of its services and the sensitivity of the data handled, making it a lucrative target for ransomware groups.

Cybersecurity Community’s Response

In response to the dramatic rise of Medusa ransomware attacks, the cybersecurity community has ramped up efforts to counter and mitigate the threats posed by such malicious software. Industry experts emphasize the importance of robust security measures, proactive vulnerability management, and increased awareness among organizations to avoid becoming victims. Collaboration among international cybersecurity teams and law enforcement agencies is also critical in tracking down and dismantling ransomware groups like Spearwing. As the threat of Medusa ransomware continues to grow, it serves as a stark reminder of the ever-evolving landscape of cyber threats and the ongoing need for vigilance and preparedness in defending against them.

Explore more

Why is LinkedIn the Go-To for B2B Advertising Success?

In an era where digital advertising is fiercely competitive, LinkedIn emerges as a leading platform for B2B marketing success due to its expansive user base and unparalleled targeting capabilities. With over a billion users, LinkedIn provides marketers with a unique avenue to reach decision-makers and generate high-quality leads. The platform allows for strategic communication with key industry figures, a crucial

Endpoint Threat Protection Market Set for Strong Growth by 2034

As cyber threats proliferate at an unprecedented pace, the Endpoint Threat Protection market emerges as a pivotal component in the global cybersecurity fortress. By the close of 2034, experts forecast a monumental rise in the market’s valuation to approximately US$ 38 billion, up from an estimated US$ 17.42 billion. This analysis illuminates the underlying forces propelling this growth, evaluates economic

How Will ICP’s Solana Integration Transform DeFi and Web3?

The collaboration between the Internet Computer Protocol (ICP) and Solana is poised to redefine the landscape of decentralized finance (DeFi) and Web3. Announced by the DFINITY Foundation, this integration marks a pivotal step in advancing cross-chain interoperability. It follows the footsteps of previous successful integrations with Bitcoin and Ethereum, setting new standards in transactional speed, security, and user experience. Through

Embedded Finance Ecosystem – A Review

In the dynamic landscape of fintech, a remarkable shift is underway. Embedded finance is taking the stage as a transformative force, marking a significant departure from traditional financial paradigms. This evolution allows financial services such as payments, credit, and insurance to seamlessly integrate into non-financial platforms, unlocking new avenues for service delivery and consumer interaction. This review delves into the

Certificial Launches Innovative Vendor Management Program

In an era where real-time data is paramount, Certificial has unveiled its groundbreaking Vendor Management Partner Program. This initiative seeks to transform the cumbersome and often error-prone process of insurance data sharing and verification. As a leader in the Certificate of Insurance (COI) arena, Certificial’s Smart COI Network™ has become a pivotal tool for industries relying on timely insurance verification.