Medusa Ransomware Claims 40+ Victims in 2025, Confirmed Healthcare Attacks
Summary:
Medusa ransomware, a Ransomware-as-a-Service (RaaS) operation tracked as Spearwing by Symantec, has demonstrated a significant surge in activity since its emergence in early 2023. Claiming nearly 400 victims, the group has seen a 42% increase in attacks between 2023 and 2024, with over 40 attacks reported in the first two months of 2025 alone. Employing double extortion tactics, Medusa exfiltrates data before encrypting networks, demanding ransoms ranging from $100,000 to $15 million. In some of the recent attacks, Symantec was unable to definitively determine the initial access vector. Medusa's usual attack vectors include exploiting known unpatched vulnerabilities in public-facing applications like Microsoft Exchange Server, utilizing initial access brokers, and leveraging legitimate RMM software like SimpleHelp and AnyDesk for persistence and lateral movement within the victim network. They also use tools like KillAV, Navicat, RoboCopy, and Rclone for disabling antivirus processes, accessing saved connection credentials, and data exfiltration. Medusa targets large organizations across various sectors, driven primarily by financial gain. However, in recent 2025 activity, Medusa ransomware infected several hundred machines at a US healthcare organization.
Security Officer Comments:
The swift proliferation of Medusa ransomware since its inception, amidst the decline of well-known names like BlackCat and LockBit, underscores the dynamic and opportunistic nature of the cybercriminal ransomware community. The observed 42% increase in attacks in 2024 highlights the group's growing efficiency and adaptability as they continue to substantially increase activity in 2025. Their reliance on well-established tactics, such as exploiting known vulnerabilities for opportunistic attacks, utilizing legitimate RMM tools for malicious purposes, and employing double extortion tactics demonstrates an effective approach to maximizing the ransomware’s impact. The adoption of KillAV, a tool associated with BlackCat in the past, suggests a degree of knowledge sharing or adaptation among ransomware actors to incorporate still-effective tools. The trend of targeting diverse large organizations carrying a plethora of sensitive information, including in critical sectors like healthcare and government, reinforces the financially motivated nature of these attacks. The continuous emergence of new RaaS operations signifies evolving affiliate programs as the threat landscape changes. Organizations must prioritize robust vulnerability management, implement multi-factor authentication, and enhance network segmentation to mitigate successful intrusions performed by these increasingly sophisticated and aggressive ransomware groups. Threat hunting is also critical for proactively mitigating threats and minimizing the potential damage from similar ransomware attacks.
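The threat-hunting point above is concrete enough to show in code. The following is an added example, not part of the original brief or of Symantec's reporting: a small hunt script that parses process-creation events and flags the tool usage the summary describes (RMM tools such as SimpleHelp and AnyDesk, Rclone and RoboCopy used for staging and exfiltration, a KillAV-style binary, Navicat for saved connection credentials), then escalates hosts where more than one behaviour appears together. The log line format, the rule thresholds and all file paths and sample events are assumptions constructed for illustration, not real telemetry or known Medusa indicators.

```python
"""
Threat-hunting helper (added example): flag process-creation events that
match the tradecraft described in the brief and escalate hosts where
several behaviours chain together.

Assumed log format (constructed, not from the report):
  <timestamp> host=<name> user=<name> image=<path> cmd=<command line>
"""
import re
from collections import defaultdict

# Constructed sample events for illustration only (paths and hosts are invented).
SAMPLE_EVENTS = """\
2025-02-14T02:11:05Z host=FS01 user=svc_backup image=C:\\Windows\\System32\\robocopy.exe cmd=robocopy D:\\Finance \\\\10.0.9.7\\staging /E /Z /COPY:DAT
2025-02-14T02:13:40Z host=FS01 user=svc_backup image=C:\\Tools\\rclone.exe cmd=rclone copy C:\\staging remote:bucket --transfers 32
2025-02-14T02:15:02Z host=WS22 user=jdoe image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE cmd=WINWORD.EXE report.docx
2025-02-14T02:20:19Z host=DC01 user=administrator image=C:\\ProgramData\\SimpleHelp\\SimpleHelpService.exe cmd=SimpleHelpService.exe
2025-02-14T02:22:50Z host=DC01 user=administrator image=C:\\Users\\Public\\killav.exe cmd=killav.exe
2025-02-14T02:25:11Z host=DB03 user=administrator image=C:\\Program Files\\PremiumSoft\\Navicat Premium\\navicat.exe cmd=navicat.exe
2025-02-14T09:01:44Z host=WS10 user=asmith image=C:\\Program Files\\AnyDesk\\AnyDesk.exe cmd=AnyDesk.exe --service
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+?) cmd=(?P<cmd>.*)$"
)

# Each rule: (name, severity, predicate over a parsed event).
# Severities are assumed values for triage ordering, not a vendor scale.
RULES = [
    ("rmm_tool_execution", "medium",
     lambda e: re.search(r"simplehelp|anydesk", e["image"], re.I) is not None),
    ("rclone_to_remote", "high",
     lambda e: e["image"].lower().endswith("rclone.exe")
     and re.search(r"\b(copy|sync|move)\b", e["cmd"], re.I) is not None),
    ("robocopy_to_unc_share", "medium",
     # Destination on a UNC path (\\host\share) rather than a local drive.
     lambda e: e["image"].lower().endswith("robocopy.exe")
     and re.search(r"\\\\[\w.\-]+\\", e["cmd"]) is not None),
    ("av_killer_binary", "high",
     lambda e: re.search(r"killav", e["image"], re.I) is not None),
    ("navicat_credential_access", "low",
     lambda e: "navicat" in e["image"].lower()),
]


def parse_event(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def hunt(log_text):
    """Run every rule over every parseable event; return one hit per rule match."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        for name, severity, predicate in RULES:
            if predicate(ev):
                hits.append({"rule": name, "severity": severity, "ts": ev["ts"],
                             "host": ev["host"], "user": ev["user"], "image": ev["image"]})
    return hits


def hosts_with_chained_activity(hits, min_rules=2):
    """Hosts where at least min_rules distinct rules fired: the combination
    (e.g. RMM tool plus defender tampering, or staging plus Rclone upload)
    is what warrants escalation over any single hit."""
    per_host = defaultdict(set)
    for h in hits:
        per_host[h["host"]].add(h["rule"])
    return {host: sorted(rules) for host, rules in per_host.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for h in found:
        print(f'{h["ts"]} {h["host"]:5} {h["severity"]:6} {h["rule"]:27} {h["image"]}')
    print("escalate:", hosts_with_chained_activity(found))
```

Single hits on an RMM tool or Navicat are often legitimate administration, which is why the script separates per-event matches from per-host chaining; in practice the event source would be Sysmon event ID 1 or an EDR process feed rather than a text file, and the rule list would be tuned to the organization's approved RMM tools.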
Suggested Corrections:
IOCs are available here.
Back up your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because, if your network data is encrypted by ransomware, your organization can still restore systems.
Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.
Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
Check your security team's work: Use a third-party pen tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
Segment your networks: There's been a recent shift in ransomware attacks – from stealing data to disrupting operations. It's critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.
Train employees: Email remains the most vulnerable attack vector for organizations. Users should be trained on how to avoid and spot phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.
Implement multi-factor authentication (MFA): External-facing assets that leverage single-factor authentication (SFA) are highly susceptible to brute-forcing attacks, password spraying, or unauthorized remote access using valid (stolen) credentials. Implementing MFA enhances security and adds an extra layer of protection.
Link(s):
https://www.infosecurity-magazine.com/news/medusa-claims-victims-2025/
https://www.security.com/threat-intelligence/medusa-ransomware-attacks