Medusa Ransomware Surges: Over 40 Attacks in Two Months, Healthcare Hit

Article Highlights
Off On

In a startling surge, Medusa ransomware has claimed over 40 victims within the first two months of 2025, notably including a confirmed attack on a prominent US healthcare organization. This marks an alarming increase compared to the same period in 2024 when there were significantly fewer recorded attacks. According to Symantec’s threat hunting team, this recent uptick almost doubles the number of Medusa-related incidents observed in the previous year. Since its emergence in early 2023, Medusa ransomware has consistently targeted various sectors, listing nearly 400 victims on its data leaks site. However, experts believe the true number of victims is significantly higher, as many organizations choose to pay the ransom without reporting the breach.

Attack Methods and Tactics

Medusa operates as a ransomware-as-a-service (RaaS) orchestrated by a group known as Spearwing. This iteration of Medusa should not be confused with the older MedusaLocker variant. Spearwing employs sophisticated double-extortion tactics, which involve stealing sensitive data before encrypting network files. This tactic compels victims to pay the ransom, fearing the public release of their sensitive information. Spearwing usually gains initial access to networks by exploiting unpatched vulnerabilities in public-facing applications. Frequently, Microsoft’s Exchange Servers are popular targets. Once inside the network, attackers use legitimate tools and sophisticated methods to avoid detection and move laterally within the compromised environment.

Spearwing’s operational toolkit includes remote management software like SimpleHelp or AnyDesk for maintaining persistent access. Tools like PDQ Deploy aid in lateral movement across the network, while techniques such as Bring Your Own Vulnerable Driver (BYOVD) help disable security software. Other utilities like Navicat and RoboCopy are employed for data extraction and exfiltration. Upon executing the ransomware, Medusa adds the .medusa extension to encrypted files and leaves a ransom note titled !READ_ME_MEDUSA!!!.txt. Victims are typically given 10 days to pay the ransom, with the amount increasing by $10,000 each day they seek to extend the deadline.

Impact on Healthcare and Other Victims

In January 2025, one significant attack targeted an unnamed US healthcare organization, affecting hundreds of devices across its network. Attackers reportedly remained active on the network for four days, exhibiting a deliberate strategy to identify valuable data. This attack underscored a trend of increased dwell time, allowing attackers to maximize the value of the data they exfiltrate. Medusa’s capability to delete itself from victim systems post-ransom execution has further complicated investigation efforts, making it exceptionally challenging for cybersecurity teams to trace and study the attack in detail.

Comparitech, a consumer website, reported that out of 959 confirmed ransomware attacks in February 2025, seven targeted healthcare organizations. Medusa was responsible for three of these incidents, including attacks on SimonMed Imaging in the US, Bell Ambulance in Wisconsin, and HCRG Care Group in the UK. Each of these incidents involved varying ransom demands and data theft claims, highlighting Medusa’s adaptability and relentlessness in its operations. The healthcare sector appears particularly vulnerable due to the critical nature of its services and the sensitivity of the data handled, making it a lucrative target for ransomware groups.

Cybersecurity Community’s Response

In response to the dramatic rise of Medusa ransomware attacks, the cybersecurity community has ramped up efforts to counter and mitigate the threats posed by such malicious software. Industry experts emphasize the importance of robust security measures, proactive vulnerability management, and increased awareness among organizations to avoid becoming victims. Collaboration among international cybersecurity teams and law enforcement agencies is also critical in tracking down and dismantling ransomware groups like Spearwing. As the threat of Medusa ransomware continues to grow, it serves as a stark reminder of the ever-evolving landscape of cyber threats and the ongoing need for vigilance and preparedness in defending against them.

Explore more

Vivo X Fold 6 – Review

The arrival of the Vivo X Fold 6 marks a pivotal moment where foldable devices transcend their status as fragile novelties to become the primary choice for power users. This transition represents a significant advancement in the mobile sector, pushing the boundaries of what a single handset can accomplish. By merging a book-style form factor with the raw performance of

Oppo Reno16 Series – Review

The modern smartphone market has reached a peculiar crossroads where the distinction between mid-range utility and flagship luxury is no longer defined by features but by the audacity of a manufacturer’s pricing strategy. Traditional product cycles often prioritize incremental updates, but this latest iteration signals a departure from conservative engineering. By integrating components usually reserved for the highest echelon of

AI Adoption Fails Without Proper Workforce Readiness

Ling-yi Tsai is a formidable force in the HRTech sector, possessing decades of experience guiding global organizations through the complex labyrinth of digital evolution. Her mastery of HR analytics and her tactical approach to integrating technology across recruitment and talent management have made her a sought-after advisor for companies looking to bridge the gap between human potential and machine efficiency.

The Human Infrastructure Powering Artificial Intelligence

The seamless flicker of a chatbot’s reply or the effortless lane change of a driverless vehicle often masks a vast, invisible network of human cognitive labor that makes such digital grace possible. While the marketing of advanced technology frequently paints a picture of silicon brains evolving in isolation, the underlying reality is a global assembly line of human intelligence. Every

Bruce Clay Leaves a Lasting Legacy as the Father of SEO

The Architect of an Industry and the Importance of Digital Frameworks The digital landscape we navigate today was not born out of thin air but was meticulously shaped by a few visionary thinkers who saw the potential of the internet long before it became a global marketplace. Among these pioneers, Bruce Clay stood as a singular figure whose influence spanned