Medusa Ransomware Claims 40+ Victims in 2025

Medusa ransomware has claimed over 40 victims in the first two months of 2025, including a confirmed attack on a US healthcare organization.
This is almost twice the number of Medusa attacks observed in January and February 2024, according to new analysis by Symantec’s threat hunting team.
In total, Medusa has listed almost 400 victims on its data leaks site since first becoming active in early 2023.
The cybersecurity firm believes the true number of victims is likely much higher, since the findings do not account for victims who paid a ransom to stop the stolen information from being published.
Ransoms demanded by attackers using the Medusa ransomware have ranged from $100,000 up to $15m.
The number of Medusa’s claimed victims has increased in the past 12 months. The ransomware operators have likely taken advantage of the decline of big-name ransomware-as-a-service (RaaS) groups such as BlackCat and LockBit following law enforcement action in 2023 and 2024.
Medusa is believed to be operated as RaaS by a group Symantec tracks as Spearwing.
The current Medusa ransomware is different from the older MedusaLocker variant, to which Spearwing is not believed to have any link.
How Medusa Attackers Operate
Medusa uses double-extortion tactics, stealing victims’ data before encrypting networks in order to increase the pressure on victims to pay a ransom.
The researchers believe that Spearwing and its affiliates usually gain initial access by exploiting unpatched vulnerabilities in public-facing applications, particularly Microsoft Exchange Servers.
They then deploy a variety of living-off-the-land and legitimate tools to evade detection, achieve lateral movement and exfiltrate data before encrypting systems.
These include:
- Remote management and monitoring (RMM) software such as SimpleHelp or AnyDesk to download drivers
- The RMM PDQ Deploy to drop other tools and move laterally across the victim network
- Use of the Bring Your Own Vulnerable Driver (BYOVD) technique, in which attackers deploy a signed vulnerable driver to the target network, which they then exploit to disable security software and evade detection
- Tools used to search for and copy relevant data for exfiltration, such as Navicat and RoboCopy
Once the ransomware is executed, the .medusa extension is added to encrypted files and a ransom note named !READ_ME_MEDUSA!!!.txt is dropped on encrypted machines.
The ransom amount demanded varies depending on the victims, who are given 10 days to pay and are charged $10,000 per day if they want to extend this deadline.
Medusa can also delete itself from victim machines once the ransomware has executed, making it harder for investigators to determine the source of the attack.
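Because the binary may remove itself, the file-system artifacts described above (the appended extension and the ransom note name) are often the most durable indicators an incident responder has to work with. The following Python triage helper is an added example, not code from the article or from Symantec; it runs over a constructed list of Windows-style paths (made up for this example) and reports which files carry the final .medusa suffix, where the ransom notes sit, and how many encrypted files each directory holds. It deliberately ignores look-alikes such as a file that merely contains the word "medusa" or one where .medusa is not the final suffix, and it matches the note name case-insensitively because NTFS is case-insensitive.

```python
import ntpath
from collections import Counter

# Artifacts the article attributes to the Medusa encryption stage.
MEDUSA_EXTENSION = ".medusa"
MEDUSA_NOTE = "!READ_ME_MEDUSA!!!.txt"

# Constructed sample listing standing in for an os.walk() of a host.
# These paths are invented for the example and come from no real incident.
SAMPLE_PATHS = [
    r"C:\Finance\Q4\budget.xlsx.medusa",
    r"C:\Finance\Q4\!READ_ME_MEDUSA!!!.txt",
    r"C:\Users\jdoe\Documents\notes.docx.medusa",
    r"C:\Users\jdoe\Documents\!read_me_medusa!!!.txt",  # NTFS is case-insensitive
    r"C:\Users\jdoe\Documents\todo.txt",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"D:\Share\medusa_notes.txt",    # contains the word, not the extension
    r"D:\Share\archive.medusa.bak",  # .medusa is not the final suffix
]


def is_encrypted(path: str) -> bool:
    """True when the file's final suffix is .medusa (case-insensitive)."""
    return ntpath.basename(path).lower().endswith(MEDUSA_EXTENSION)


def is_ransom_note(path: str) -> bool:
    """True when the file name is exactly the Medusa ransom note name."""
    return ntpath.basename(path).lower() == MEDUSA_NOTE.lower()


def triage(paths):
    """Summarise Medusa file-system indicators in a list of paths.

    Returns a dict with the encrypted files, the ransom notes, a per-directory
    count of encrypted files (blast radius), and directories that hold a note
    but no encrypted files, which can point at an interrupted or partial run.
    """
    encrypted = [p for p in paths if is_encrypted(p)]
    notes = [p for p in paths if is_ransom_note(p)]
    per_dir = Counter(ntpath.dirname(p) for p in encrypted)
    note_dirs = {ntpath.dirname(p) for p in notes}
    notes_without_encryption = sorted(d for d in note_dirs if d not in per_dir)
    return {
        "encrypted": encrypted,
        "notes": notes,
        "per_dir": dict(per_dir),
        "notes_without_encryption": notes_without_encryption,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_PATHS)
    print(f"{len(summary['encrypted'])} encrypted file(s), "
          f"{len(summary['notes'])} ransom note(s)")
    for directory, count in sorted(summary["per_dir"].items()):
        print(f"  {directory}: {count} encrypted")
    for directory in summary["notes_without_encryption"]:
        print(f"  note without encrypted files: {directory}")
```

On a live host, feed `triage()` the output of an `os.walk()` over the volumes of interest; the note-without-encryption list is worth checking first, since a note dropped where nothing was encrypted can indicate the run was interrupted, as SimonMed reported below.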
The Symantec researchers said the Medusa TTPs have remained consistent since early 2023. This suggests that Spearwing works with a small number of affiliates and provides them with a playbook as to how the attacks should be carried out and the attack chain to use.
Medusa Ransomware Attacks on Healthcare
Symantec highlighted a Medusa attack on an unnamed US healthcare organization in January 2025, which infected hundreds of machines.
The attacker activity first occurred on the network four days before the ransomware was deployed, highlighting the trend of increased dwell time in victim networks to identify data of value to exfiltrate.
The researchers found indications of “hands-on-keyboard activity” rather than it being an automated attack.
In a new analysis, consumer website Comparitech reported seven of the 959 confirmed ransomware attacks in February impacted healthcare.
Comparitech found that Medusa was responsible for three of the seven healthcare attacks, two in the US and one in the UK.
- SimonMed Imaging – Medusa claimed on its site that it stole 2013 GB of data from the medical imaging provider. However, the US firm said it had “interrupted” the attackers and no data was encrypted
- Bell Ambulance – the Wisconsin-based ambulance provider notified employees of an attack in mid-February. Medusa claimed it had issued a $400,000 ransom demand to the firm for the 212 GB it had stolen
- HCRG Care Group – The independent UK care group confirmed it had suffered a ransomware attack. Medusa claimed to have issued a $2m ransom demand after the alleged theft of nearly 2.3 TB of data