
Medusa ransomware, operated as ransomware-as-a-service by a group of hackers called Spearwing, is increasingly finding its way onto victims’ PCs.
During January and February of this year, researchers at cybersecurity company Symantec claim that they observed twice as many attacks involving Medusa ransomware compared to the first two months of 2024.
Meanwhile, between 2023 and 2024, cases jumped by 42%.

The rise of Medusa activity can be attributed to the decline of well-known names like Noberus and LockBit due to actions taken by law enforcement, leaving a place for other cybercriminals, including Spearwing.
According to Symantec, the group and its affiliates carry out double extortion attacks, stealing victims’ data before encrypting networks in order to increase the pressure on victims to pay a ransom.
Since the group was first noticed in early 2023, it has amassed hundreds of victims.
The group has listed almost 400 victims on its data leaks site in that time, though Symantec claims the true number is likely much higher.
Ransoms demanded by attackers using the Medusa ransomware range from $100,000 to $15 million.
Typically, victims are given ten days to pay and are charged $10,000 per day if they want to extend the deadline.
According to Symantec, the ransomware group’s tactics have remained consistent since 2023.
The group and its affiliates mostly gain access to victims’ networks by exploiting unpatched vulnerabilities in public-facing applications, particularly Microsoft Exchange Servers.
Once access is gained, the attackers typically use remote management and monitoring software such as SimpleHelp, PDQ Deploy, or AnyDesk to gain further access and download drivers. More recently, the group was found using Mesh Agent.
The attackers often deploy a signed vulnerable driver to the target network, which they then exploit to disable security software and evade detection.
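The sequence described above (a remote management tool appearing on a host, followed by a driver being loaded) can be turned into a simple correlation rule. The sketch below is an added example, not code from Symantec or the article; the event layout, host names, paths, allowlists and the 24-hour window are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Substrings derived from the tool names in the article; matching on image
# path substrings is an assumption and must be tuned to your environment.
RMM_MARKERS = ("simplehelp", "pdqdeploy", "anydesk", "meshagent")
APPROVED_RMM = {("HELPDESK01", "anydesk")}  # constructed (host, tool) inventory
KNOWN_DRIVERS = {r"c:\windows\system32\drivers\disk.sys"}  # constructed baseline
WINDOW = timedelta(hours=24)  # assumed correlation window

# Constructed sample events: (timestamp, host, kind, image path).
# None of these values are real indicators.
EVENTS = [
    ("2025-03-01T10:00:00", "EXCH01", "process", r"C:\ProgramData\AnyDesk\AnyDesk.exe"),
    ("2025-03-01T10:40:00", "EXCH01", "driver_load", r"C:\Windows\Temp\example_vuln.sys"),
    ("2025-03-01T09:00:00", "HELPDESK01", "process", r"C:\Tools\AnyDesk.exe"),
    ("2025-03-01T09:05:00", "HELPDESK01", "driver_load", r"C:\Windows\Temp\other.sys"),
    ("2025-03-01T09:00:00", "FILE02", "process", r"C:\Program Files\Mesh Agent\MeshAgent.exe"),
    ("2025-03-01T09:10:00", "FILE02", "driver_load", r"C:\Windows\System32\drivers\disk.sys"),
    ("2025-02-27T08:00:00", "WEB03", "process", r"C:\Temp\PDQDeployRunner.exe"),
    ("2025-03-01T12:00:00", "WEB03", "driver_load", r"C:\Windows\Temp\late.sys"),
]

def rmm_tool(image):
    """Return the matching RMM marker for an image path, or None."""
    low = image.lower().replace(" ", "")
    return next((m for m in RMM_MARKERS if m in low), None)

def correlate(events):
    """Return (host, tool, driver) where an unapproved RMM tool ran and a
    driver outside the baseline loaded on the same host within WINDOW."""
    last_rmm = {}  # host -> (timestamp, tool) of latest unapproved RMM start
    alerts = []
    for ts_raw, host, kind, image in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        if kind == "process":
            tool = rmm_tool(image)
            if tool and (host, tool) not in APPROVED_RMM:
                last_rmm[host] = (ts, tool)
        elif kind == "driver_load":
            seen = last_rmm.get(host)
            if (seen and ts - seen[0] <= WINDOW
                    and image.lower() not in KNOWN_DRIVERS):
                alerts.append((host, seen[1], image))
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print("ALERT", alert)
```

Only the EXCH01 pair alerts: the helpdesk tool is in the approved inventory, the FILE02 driver is in the baseline, and the WEB03 driver load falls outside the window.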