Medusa ransomware activity ramps up, report reveals

Almost 400 organizations across various industries, including the government, finance, and healthcare sectors, have been compromised in attacks involving the Medusa ransomware since its emergence two years ago, with intrusions increasing by 42% between 2023 and 2024, The Hacker News reports.

Medusa — which is operated as ransomware-as-a-service by the Spearwing threat cluster — has also impacted 40 organizations during the first two months of 2025, while attackers sought ransoms ranging from $100,000 to $15 million, according to a Symantec Threat Hunter Team analysis.

After infiltrating targeted systems by exploiting known security vulnerabilities and by using initial access brokers, Medusa hackers deployed remote management and monitoring software for persistence, leveraged KillAV to conceal malicious activities, and delivered the Rclone and RoboCopy payloads for data compromise.

"Like most targeted ransomware groups, Spearwing tends to attack large organizations across a range of sectors. Ransomware groups tend to be driven purely by profit, and not by any ideological or moral considerations," said Symantec researchers.
