Medusa Ransomware Surges: Over 40 Attacks in Two Months, Healthcare Hit

In a startling surge, Medusa ransomware has claimed over 40 victims within the first two months of 2025, notably including a confirmed attack on a prominent US healthcare organization. This marks an alarming increase compared to the same period in 2024 when there were significantly fewer recorded attacks. According to Symantec’s threat hunting team, this recent uptick almost doubles the number of Medusa-related incidents observed in the previous year. Since its emergence in early 2023, Medusa ransomware has consistently targeted various sectors, listing nearly 400 victims on its data leaks site. However, experts believe the true number of victims is significantly higher, as many organizations choose to pay the ransom without reporting the breach.

Attack Methods and Tactics

Medusa operates as a ransomware-as-a-service (RaaS) orchestrated by a group known as Spearwing. This iteration of Medusa should not be confused with the older MedusaLocker variant. Spearwing employs sophisticated double-extortion tactics, which involve stealing sensitive data before encrypting network files. This tactic compels victims to pay the ransom, fearing the public release of their sensitive information. Spearwing usually gains initial access to networks by exploiting unpatched vulnerabilities in public-facing applications, and Microsoft Exchange Servers are frequent targets. Once inside the network, attackers use legitimate tools and sophisticated methods to avoid detection and move laterally within the compromised environment.

Spearwing’s operational toolkit includes remote management software like SimpleHelp or AnyDesk for maintaining persistent access. Tools like PDQ Deploy aid in lateral movement across the network, while techniques such as Bring Your Own Vulnerable Driver (BYOVD) help disable security software. Other utilities like Navicat and RoboCopy are employed for data extraction and exfiltration. Upon executing the ransomware, Medusa adds the .medusa extension to encrypted files and leaves a ransom note titled !READ_ME_MEDUSA!!!.txt. Victims are typically given 10 days to pay the ransom, with the amount increasing by $10,000 each day they seek to extend the deadline.
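
A defender-side sketch of how the indicators named above (the .medusa extension, the ransom note name and the listed dual-use tools) could be checked against endpoint telemetry. This is an added example, not code from Symantec or the original article; the log format, the burst threshold and the keyword matching are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

NOTE_NAME = "!READ_ME_MEDUSA!!!.txt"  # ransom note name given in the article
ENC_EXT = ".medusa"                    # extension given in the article
# Keywords taken from the tool names in the article. Substring matching is an
# assumption: real binary names and install paths vary.
DUAL_USE = ("simplehelp", "anydesk", "pdq", "navicat", "robocopy")
BURST, WINDOW = 3, timedelta(minutes=1)  # constructed threshold, tune per site

# Constructed sample telemetry, hypothetical format: time|host|kind|value
SAMPLE = r"""
2025-01-10T02:00:00|ws01|proc|C:\Program Files (x86)\AnyDesk\AnyDesk.exe
2025-01-10T02:05:00|ws01|proc|C:\Windows\System32\Robocopy.exe
2025-01-10T03:00:01|ws01|file|C:\Share\a.docx.medusa
2025-01-10T03:00:02|ws01|file|C:\Share\b.xlsx.medusa
2025-01-10T03:00:03|ws01|file|C:\Share\c.pdf.medusa
2025-01-10T03:00:04|ws01|file|C:\Share\!READ_ME_MEDUSA!!!.txt
2025-01-10T09:00:00|ws02|proc|C:\Windows\System32\Robocopy.exe
2025-01-10T09:30:00|ws02|file|C:\Users\x\export.medusa
"""

def parse(text):
    for line in text.strip().splitlines():
        ts, host, kind, value = line.split("|", 3)
        yield datetime.fromisoformat(ts), host, kind, value

def detect(text):
    """Return {host: sorted findings}; events must be in time order."""
    findings, recent = defaultdict(set), defaultdict(list)
    for ts, host, kind, value in parse(text):
        low = value.lower()
        if kind == "proc":
            findings[host].update(f"dual-use tool: {k}" for k in DUAL_USE if k in low)
        elif kind == "file" and low.rsplit("\\", 1)[-1] == NOTE_NAME.lower():
            findings[host].add("ransom note")
        elif kind == "file" and low.endswith(ENC_EXT):
            times = recent[host]
            times.append(ts)
            while ts - times[0] > WINDOW:  # slide the window forward
                times.pop(0)
            if len(times) >= BURST:
                findings[host].add("encryption burst")
    return {h: sorted(f) for h, f in findings.items() if f}

if __name__ == "__main__":
    for host, hits in detect(SAMPLE).items():
        print(host, hits)
```

A dual-use tool hit on its own (ws02 in the sample) is low-signal because these are legitimate administration tools; it becomes meaningful when it precedes an encryption burst or ransom note on the same host.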

Impact on Healthcare and Other Victims

In January 2025, one significant attack targeted an unnamed US healthcare organization, affecting hundreds of devices across its network. Attackers reportedly remained active on the network for four days, exhibiting a deliberate strategy to identify valuable data. This attack underscored a trend of increased dwell time, allowing attackers to maximize the value of the data they exfiltrate. Medusa’s capability to delete itself from victim systems post-ransom execution has further complicated investigation efforts, making it exceptionally challenging for cybersecurity teams to trace and study the attack in detail.

Comparitech, a consumer website, reported that out of 959 confirmed ransomware attacks in February 2025, seven targeted healthcare organizations. Medusa was responsible for three of these incidents, including attacks on SimonMed Imaging in the US, Bell Ambulance in Wisconsin, and HCRG Care Group in the UK. Each of these incidents involved varying ransom demands and data theft claims, highlighting Medusa’s adaptability and relentlessness in its operations. The healthcare sector appears particularly vulnerable due to the critical nature of its services and the sensitivity of the data handled, making it a lucrative target for ransomware groups.

Cybersecurity Community’s Response

In response to the dramatic rise of Medusa ransomware attacks, the cybersecurity community has ramped up efforts to counter and mitigate the threats posed by such malicious software. Industry experts emphasize the importance of robust security measures, proactive vulnerability management, and increased awareness among organizations to avoid becoming victims. Collaboration among international cybersecurity teams and law enforcement agencies is also critical in tracking down and dismantling ransomware groups like Spearwing. As the threat of Medusa ransomware continues to grow, it serves as a stark reminder of the ever-evolving landscape of cyber threats and the ongoing need for vigilance and preparedness in defending against them.
