Table of Contents
Medusa ransomware, tracked by Symantec's Threat Hunter Team as "Spearwing," has emerged as a significant threat in the cybercrime landscape. First appearing in 2023, this Ransomware-as-a-Service (RaaS) platform has rapidly gained prominence, claiming nearly 400 victims by early 2025. Medusa employs a multi-extortion model, combining data encryption with the threat of public data leaks, making it a particularly dangerous adversary for organizations of all sizes. This article provides a deep dive into Medusa's origins, tactics, techniques, and procedures (TTPs), target profile, and effective defense strategies.
Origins & Evolution
Medusa ransomware surfaced in late 2022, gaining significant traction throughout 2023. While distinct from the older MedusaLocker ransomware, some early attacks exhibited connections to tools previously used by the BlackCat (Noberus) group, specifically through the use of similar vulnerable drivers (KillAV). This may suggest shared tools, developers, or possibly affiliates moving between operations. However, these links are not definitive, and no concrete evidence of a direct connection has emerged.
Medusa operates as a Ransomware-as-a-Service (RaaS) platform, providing the infrastructure and tools for affiliates to launch attacks. This model allows for rapid scaling and distribution of the ransomware. The group maintains a dedicated leak site ("Medusa blog") on the dark web, launched in early 2023, to publish stolen data from victims who refuse to pay the ransom. This "name and shame" tactic, coupled with a public Telegram channel ("information support") for wider publicity and data leaks, demonstrates a clear focus on maximizing pressure on victims. There have been some reports that the Telegram posts might indicate an internal conflict or even a security issue.
The significant increase in Medusa infections observed in 2023 and early 2024, with a reported 42% increase, suggests the group may be capitalizing on the disruptions of other major ransomware operations like LockBit and BlackCat. The ransomware landscape is constantly evolving, and Medusa's rise highlights its ability to quickly adapt and fill the void left by disrupted competitors.
Tactics & Techniques
Spearwing, the group behind Medusa, displays a consistent set of TTPs, suggesting either a tightly controlled operation, a small number of affiliates, or a very detailed "playbook" provided to affiliates. This consistency helps in understanding and defending against their attacks. Key aspects of Medusa's operational methodology include:
Initial Access: Medusa primarily gains initial access through the exploitation of known vulnerabilities in public-facing applications, particularly Microsoft Exchange Server. They are also suspected of using Initial Access Brokers (IABs) to purchase pre-compromised network access, allowing them to focus on the later stages of the attack.
Persistence: The group employs legitimate Remote Monitoring and Management (RMM) software for persistence. Tools like SimpleHelp, AnyDesk, and MeshAgent are abused to maintain access to compromised networks, blending in with legitimate administrative activity. You can explore more about RMM tools.
Defense Evasion: Medusa utilizes the "Bring Your Own Vulnerable Driver" (BYOVD) technique to terminate antivirus and security processes. They leverage tools like KillAV and KillAVDriver, which utilize a vulnerable driver (often POORTRY) to gain kernel-level access and disable security software.
Discovery and Reconnaissance: Medusa uses tools such as portable Netscan which is customized with
netscan.xml. This configuration has options including WMI, Registry, Services, Files, SNMP, Account Groups, XML, SSH, and PowerShell.Lateral Movement: Legitimate tools like PDQ Deploy are used to drop additional tools and files, facilitating lateral movement within the network. PsExec is also used to remotely execute tools.
Credential Access: The group frequently accesses the
ntds.ditfile, a key component of Active Directory, to dump credentials and gain further access within the network.Data Exfiltration: Medusa employs several tools for data exfiltration, including Navicat (for database access and queries), RoboCopy (for file transfers), and notably, Rclone (a versatile cloud storage synchronization tool). The use of Rclone highlights the group's focus on exfiltrating data to cloud storage services. They also focus on data integrity.
Impact (Encryption and Recovery Prevention): Files are encrypted with the ".medusa" extension appended. The ransomware drops a ransom note named "!!read_me_medusa!!.txt" (or "!!!READ_ME_MEDUSA!!!.txt"). Medusa actively attempts to hinder recovery by deleting Volume Shadow Copies (VSS) and resizing shadow storage, making it significantly more difficult for victims to restore their data without paying the ransom. The ransomware, often named "gaze.exe," supports command-line arguments to customize its behavior, including network drive encryption and exclusion of specific drives or folders.
Medusa ransomware's "Gaze" binary reveals several key characteristics:
String Encryption: Employs string encryption (XOR with key 0x2E) to obfuscate targeted services, processes, and allowlisted files/folders.
Asymmetric Encryption: Uses RSA asymmetric encryption to protect the AES256 key used for file encryption. You can read about symmetric and asymmetric encryption.
Targets or Victimology
Medusa ransomware demonstrates a broad targeting approach, focusing on large organizations across various sectors. Their primary motivation appears to be purely financial, with no clear ideological or political considerations. Key target sectors include:
Healthcare Providers
Non-profit Organizations
Financial Institutions
Government Entities
High Tech
Education
Manufacturing
The geographic distribution of Medusa attacks is primarily concentrated in the United States, United Kingdom, Canada, Australia, France, and Italy. Notably, the group appears to avoid targeting organizations in Belarus, Kazakhstan, Kyrgyzstan, Russia, and Tajikistan, suggesting a potential operational base or affiliation with those regions. To understand more about their location you can read about network mapping.
The ransom demands associated with Medusa attacks vary significantly, ranging from $100,000 to $15 million, indicating a focus on maximizing profit based on the perceived value of the stolen data and the victim's ability to pay.
Attack Campaigns
Several high-profile attacks have been attributed to Medusa ransomware, highlighting its impact and capabilities:
Minneapolis Public Schools (MPS): In a well-publicized incident, MPS suffered a significant data breach after refusing to pay a million-dollar ransom. The stolen data was subsequently leaked on Medusa's leak site.
Toyota Financial Services: Medusa claimed responsibility for an attack on this major financial institution.
Blue Yonder: This major provider of supply chain management solutions was attacked in November 2024.
Claims of Microsoft Source Code Theft: The group has claimed to have stolen source code for Microsoft products, including Bing Maps and Cortana, although this claim has not been independently verified.
Attacks on Healthcare and Education: Medusa has also targeted cancer centers and British high schools, demonstrating the breadth of its victim profile.
Early 2025 Surge: The first two months of 2025 saw a significant spike in Medusa activity, with over 40 attacks claimed, emphasizing the group's continued growth and aggression. Many organizations are facing cybersecurity challenges.
Defenses
Protecting against Medusa ransomware, and similar threats, requires a multi-layered security approach encompassing prevention, detection, and response capabilities. Key defensive strategies include:
Vulnerability Management and Patching: Prioritize patching known vulnerabilities, especially in public-facing applications like Microsoft Exchange Server, which Medusa frequently exploits. Regular vulnerability assessments and prompt patching are critical.
Strong Authentication: Enforce strong, unique passwords and implement multi-factor authentication (MFA) wherever possible, particularly for remote access services like RDP and VPNs.
Network Segmentation: Segment networks to limit the lateral movement of attackers in the event of a breach. This can contain the impact of an attack and prevent it from spreading to critical systems.
Endpoint Detection and Response (EDR): Deploy and maintain robust EDR solutions to detect and respond to malicious activity on endpoints. EDR tools can identify and block the execution of known ransomware binaries and detect anomalous behavior.
Security Awareness Training: Educate employees about the risks of phishing and social engineering attacks. Regular training and simulated phishing exercises can significantly reduce the likelihood of successful initial access. You can learn about types of phishing attacks.
Data Backup and Recovery: Implement a comprehensive backup and recovery plan, including regular, secure, and offline backups. Test the recovery process regularly to ensure its effectiveness.
Monitoring for Legitimate Tool Abuse: Monitor for the unusual or unauthorized use of legitimate tools like RMM software (AnyDesk, SimpleHelp, PDQ Deploy) and scripting tools (PowerShell, PsExec). This "living off the land" technique is a common tactic used by Medusa.
Threat Intelligence: Leverage threat intelligence feeds and platforms to stay informed about the latest TTPs and indicators of compromise (IOCs) associated with Medusa and other ransomware groups.
Data Loss Prevention: Using tools to restrict the access to sensitive information can be beneficial to protect against Medusa.
Conclusion
Medusa ransomware, operated by the Spearwing group, represents a significant and evolving threat to organizations worldwide. Its use of sophisticated techniques, multi-extortion tactics, and a RaaS model makes it a formidable adversary. The group's focus on exploiting known vulnerabilities, leveraging legitimate tools, and employing strong defense evasion mechanisms highlights the need for proactive and comprehensive security measures. By implementing a layered defense strategy, organizations can significantly reduce their risk of falling victim to Medusa and other advanced ransomware threats. Continuous vigilance, proactive threat hunting, and a robust incident response plan are essential to combating this persistent cyber threat. If something happens then the organization needs a cyber incident response plan.
Found this article interesting? Keep visit thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive tips like this.
You may also like these articles:
UnitedHealth Reveals Massive 190 Million Patient Data Breach in Cyberattack
AI-Driven Ransomware FunkSec Targets 85 Victims in December 2024
Morpheus and HellCat Ransomware Payloads Reveal Shared Codebase
Ransomware Actors Exploit SSH Tunneling to Target VMware ESXi Hosts
Ransomware Payments Drop 35% in 2024 as Law Enforcement Disrupts Cybercrime
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
- March 17, 2025
- March 17, 2025
- March 17, 2025
Learn Something New with Free Email subscription
Learn Something New with Free Email subscription
Subscribe
Subscribe
Subscribe
Subscribe
- March 17, 2025
- March 17, 2025
- March 17, 2025
