The threat actors behind the Medusa ransomware have claimed almost 400 victims since it first emerged in January 2023, with the financially motivated attacks witnessing a 42% increase between 2023 and 2024.
In the first two months of 2025 alone, the group has claimed over 40 attacks, according to data from the Symantec Threat Hunter Team shared in a report with The Hacker News. The cybersecurity company is tracking the cluster under the name Spearwing.
“Like the majority of ransomware operators, Spearwing and its affiliates carry out double extortion attacks, stealing victims’ data before encrypting networks in order to increase the pressure on victims to pay a ransom,” Symantec noted.
“If victims refuse to pay, the group threatens to publish the stolen data on their data leaks site.”
While other ransomware-as-a-service (RaaS) players like RansomHub (aka Greenbottle and Cyclops), Play (aka Balloonfly), and Qilin (aka Agenda, Stinkbug, and Water Galura) have benefited from the disruptions of LockBit and BlackCat, the spike in Medusa infections raises the possibility that the threat actor is also rushing in to fill the gap left by the two prolific extortionists.
The development comes as the ransomware landscape continues to be in a state of flux, with a steady stream of new RaaS operations, such as Anubis, CipherLocker, Core, Dange, LCRYX, Loches, Vgod, and Xelera, emerging in the wild in recent months.
Medusa has a track record of demanding ransoms anywhere between $100,000 and $15 million from healthcare providers and non-profits, in addition to targeting financial and government organizations.
Attack chains mounted by the ransomware syndicate involve the exploitation of known security flaws in public-facing applications, primarily Microsoft Exchange Server, to obtain initial access. It's also suspected that the threat actors are likely using initial access brokers for breaching networks of interest.
Once a foothold is gained, the hackers drop remote management and monitoring (RMM) software such as SimpleHelp, AnyDesk, or MeshAgent for persistent access, and make use of the tried-and-tested Bring Your Own Vulnerable Driver (BYOVD) technique to terminate antivirus processes using KillAV. It's worth pointing out that KillAV has previously been put to use in BlackCat ransomware attacks.
“The use of the legitimate RMM software PDQ Deploy is another hallmark of Medusa ransomware attacks,” Symantec said. “It’s typically used by the attackers to drop other tools and files and to move laterally across the victim network.”
Some of the other tools deployed over the course of a Medusa ransomware attack include Navicat to access and run database queries, RoboCopy, and Rclone for data exfiltration.
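The tool chain described above (RMM software, then PDQ Deploy, Navicat and Rclone/RoboCopy) is something a detection team can correlate on endpoint telemetry. The following is an added example, not code from the article or from Symantec: it scores hosts by how many stages of that chain appear within a time window. The process image names, the event tuple layout and the sample events are constructed assumptions; a production rule should use vendor-documented binary names or hashes.

```python
"""Correlate process-creation events against the Medusa/Spearwing tool chain
reported by Symantec (RMM -> PDQ Deploy -> Navicat -> Rclone/RoboCopy).
All field names, image names and sample data are constructed assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Chain stage -> lower-case image names (assumed; verify against vendor docs).
STAGES = {
    "rmm": {"simplehelp.exe", "anydesk.exe", "meshagent.exe"},
    "deploy": {"pdqdeploy.exe"},
    "db_access": {"navicat.exe"},
    "exfil": {"rclone.exe", "robocopy.exe"},
}
ORDER = ["rmm", "deploy", "db_access", "exfil"]

def stage_of(image):
    """Map a full image path to a chain stage, or None if not of interest."""
    name = image.rsplit("\\", 1)[-1].lower()
    for stage, names in STAGES.items():
        if name in names:
            return stage
    return None

def correlate(events, window=timedelta(hours=24), min_stages=2):
    """events: iterable of (host, ISO-8601 timestamp, image path).
    Returns {host: [stages in chain order]} for hosts where at least
    `min_stages` distinct stages occur within `window` of each other.
    Requiring several stages keeps a lone RoboCopy backup from alerting."""
    per_host = defaultdict(list)
    for host, ts, image in events:
        stage = stage_of(image)
        if stage:
            per_host[host].append((datetime.fromisoformat(ts), stage))
    hits = {}
    for host, seen in per_host.items():
        seen.sort()
        for i, (t0, _) in enumerate(seen):
            stages = {s for t, s in seen[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                hits[host] = [s for s in ORDER if s in stages]
                break
    return hits

# Constructed sample events (Sysmon-style process creations), not real telemetry.
SAMPLE = [
    ("fs01", "2025-02-10T01:12:00", r"C:\ProgramData\SimpleHelp\simplehelp.exe"),
    ("fs01", "2025-02-10T03:40:00", r"C:\Tools\pdqdeploy.exe"),
    ("fs01", "2025-02-10T05:05:00", r"C:\Users\Public\rclone.exe"),
    ("ws22", "2025-02-10T09:00:00", r"C:\Windows\System32\robocopy.exe"),  # routine backup
    ("ws22", "2025-02-14T09:00:00", r"C:\Program Files\AnyDesk\anydesk.exe"),  # outside window
]

if __name__ == "__main__":
    print(correlate(SAMPLE))  # {'fs01': ['rmm', 'deploy', 'exfil']}
```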
“Like most targeted ransomware groups, Spearwing tends to attack large organizations across a range of sectors,” Symantec said. “Ransomware groups are generally driven purely by profit, and not by any ideological or moral considerations.”