Medusa Ransomware Activity Surge: A Rising Threat In 2025

The Medusa ransomware has rapidly emerged as a significant cyber threat, exhibiting a 42% increase in attacks from 2023 to 2024, with activity further doubling in early 2025. This ransomware follows the double extortion model, where attackers steal sensitive data before encrypting victims’ networks, increasing pressure to pay ransom demands that range from $100,000 to $15 million. The decline of major ransomware groups such as Noberus (BlackCat/ALPHV) and LockBit due to law enforcement action has created an opportunity for newer ransomware groups like Medusa to rise.

Severity Level: High

Threat Details

1. Threat Actor: Spearwing:

  • Medusa ransomware is operated as a Ransomware-as-a-Service (RaaS) by a cybercriminal group tracked as Spearwing.
  • The group has amassed hundreds of victims since early 2023, with nearly 400 victims listed on its leak site.
  • Medusa ransomware is distinct from MedusaLocker and has no known affiliations with it.

2. Initial Access:

  • Exploitation of unpatched vulnerabilities in public-facing applications, particularly Microsoft Exchange Servers.
  • Hijacking legitimate user accounts, possibly through Initial Access Brokers (IABs).

3. Execution & Lateral Movement:

  • Attackers deploy RMM software (such as AnyDesk, SimpleHelp, Mesh Agent) for remote access.
  • PDQ Deploy & PDQ Inventory are used for automating lateral movement & tool deployment.

4. Defense Evasion: Bring Your Own Vulnerable Driver (BYOVD) attacks

  • Attackers deploy signed but vulnerable drivers to disable security solutions.
  • KillAV and POORTRY drivers are used to bypass security defenses.

5. Data Exfiltration & Encryption:

  • Uses Rclone, RoboCopy, and Navicat for stealing sensitive data before encrypting systems.
  • Drops ransom note: !READ_ME_MEDUSA!!!.txt on infected machines.
  • Encrypts files with the .medusa extension, but avoids encrypting system-critical files.

6. Ransom Demands:

  • Ransom amounts range from $100,000 to $15 million, depending on the victim.
  • Victims are given 10 days to pay, with an additional $10,000 per day penalty for deadline extensions.
  • If the ransom is not paid, stolen data is published on Medusa’s leak site.

Recommendations

  1. Ensure timely patching of known vulnerabilities, especially in Microsoft Exchange Servers and other exposed services.
  2. Reduce the attack surface by disabling unnecessary RDP, SMB, and legacy protocols.
  3. Block or tightly control the use of AnyDesk, SimpleHelp, PDQ Deploy, and Mesh Agent unless explicitly required.
  4. Prevent execution of known malicious binaries such as:
    • csidl_profile\documents\gaze.exe (Medusa ransomware binary)
    • csidl_windows\temp\lsp.exe (Rclone, used for data exfiltration)
    • csidl_profile\documents\anydesk.exe (remote access tool)
  5. Use Microsoft Defender’s Vulnerable Driver Blocklist to mitigate BYOVD (Bring Your Own Vulnerable Driver) attacks.
  6. Disable unnecessary PowerShell execution and monitor for suspicious scripts.
  7. Regularly back up critical data offline and offsite, ensuring air-gapped storage.
  8. Encrypt sensitive data at rest using strong encryption standards, so that data stolen before the attackers' own encryption step is of little use to them.
  9. Use DLP solutions to monitor and restrict unauthorized large-scale file transfers.
  10. Block the indicators of compromise (IOCs) listed above at the relevant security controls.
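Recommendation 4 lists the binaries by CSIDL-relative path, which is how they appear in telemetry feeds but not how they appear in process-creation logs. The following is an added example (not from the advisory or its sources) that normalises real image paths onto that CSIDL form, flags the listed binaries for blocking, and flags the RMM and transfer tools named in the advisory for review. The log format, the mapping of csidl_profile to C:\Users\<user>, and the assumption that the tools' executables carry their product name are all assumptions of the example.

```python
import re

# Paths exactly as listed in the advisory, keyed in CSIDL form.
KNOWN_BAD = {
    r"csidl_profile\documents\gaze.exe": "Medusa ransomware binary",
    r"csidl_windows\temp\lsp.exe": "Rclone (data exfiltration)",
    r"csidl_profile\documents\anydesk.exe": "AnyDesk remote access tool",
}
# Tools the advisory names for remote access / lateral movement / exfiltration.
# Assumption: their executable names contain the product name.
WATCH_TOOLS = ["anydesk", "simplehelp", "meshagent", "pdq", "rclone", "navicat"]


def normalise(image_path):
    """Lower-case the path and replace the profile/Windows folders with CSIDL names.
    Assumption: profiles live under C:\\Users\\<user> and Windows under C:\\Windows."""
    p = image_path.lower().replace("/", "\\")
    p = re.sub(r"^c:\\users\\[^\\]+", "csidl_profile", p)
    p = re.sub(r"^c:\\windows", "csidl_windows", p)
    return p


def classify(image_path):
    """Return ('block' | 'review' | 'allow', reason) for one process image path."""
    norm = normalise(image_path)
    if norm in KNOWN_BAD:
        return ("block", KNOWN_BAD[norm])
    exe = norm.rsplit("\\", 1)[-1].replace("_", "").replace("-", "").replace(" ", "")
    for tool in WATCH_TOOLS:
        if tool in exe:
            return ("review", "RMM/transfer tool: " + tool)
    return ("allow", "")


def scan(log_lines):
    """Scan 'timestamp|user|image' records (a constructed format) and return the hits."""
    hits = []
    for line in log_lines:
        ts, user, image = line.strip().split("|", 2)
        verdict, reason = classify(image)
        if verdict != "allow":
            hits.append((ts, user, image, verdict, reason))
    return hits


# Constructed sample process-creation records; paths and users are made up.
SAMPLE_LOG = [
    r"2025-03-10T02:14:07|CORP\jdoe|C:\Users\jdoe\Documents\gaze.exe",
    r"2025-03-10T02:15:33|CORP\jdoe|C:\Windows\Temp\lsp.exe",
    r"2025-03-10T02:16:01|CORP\svc_pdq|C:\Program Files\PDQ Deploy\PDQDeployRunner.exe",
    r"2025-03-10T09:00:12|CORP\alice|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    r"2025-03-10T02:20:45|CORP\jdoe|C:\Users\jdoe\Documents\AnyDesk.exe",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Matching on the profile-relative form is deliberate: the same binary dropped into a different user's Documents folder still matches, which a literal path comparison would miss.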

Source:

  • https://www.microsoft.com/en-us/security/blog/2025/03/05/silk-typhoon-targeting-it-supply-chain/
  • https://www.security.com/threat-intelligence/medusa-ransomware-attacks
