Medusa ransomware is on a rampage. The notorious cybercrime operation, which emerged in early 2023, increased its attacks by a staggering 42% between 2023 and 2024. Nearly 400 victims have been posted to Medusa’s data leak site since its inception.
The digital serpent strikes with vengeance, leaving hundreds of victims in its encrypted wake.
Even more alarming? The group doubled its attacks in the first two months of 2025 compared to the same period last year. They’re not slowing down.
Operated by a group tracked as “Spearwing” by Symantec and “Storm-1175” by Microsoft, Medusa runs a double extortion playbook: steal the data first, then encrypt the network. Pay up or see your sensitive information splashed across the internet. Simple. Their ransoms aren’t small change either, ranging from $100,000 to a jaw-dropping $15 million.
Miss their 10-day payment deadline? That’ll be an extra $10,000 per day, thank you very much.
These aren’t amateur hackers. Medusa exploits unpatched vulnerabilities, especially in Microsoft Exchange servers. They use legitimate remote management tools like AnyDesk and SimpleHelp, which blend in with ordinary admin activity, to fly under the radar. Smart.
They’ve also embraced the “Bring Your Own Vulnerable Driver” (BYOVD) technique: load a legitimately signed but flawed driver, then use it to kill security software from the kernel. For lateral movement they lean on PDQ Deploy, a legitimate software distribution tool, to push their payload across the network. The group has launched over 40 attacks in just the first two months of 2025.
No sector is safe. Healthcare providers, government organizations, financial institutions, manufacturing companies, educational institutions—all fair game. Their global reach extends across the US, Australia, Israel, India, Portugal, UK, and UAE.
They’re filling the void left by disrupted operations like LockBit and BlackCat. Nature abhors a vacuum, especially in cybercrime.
What makes Medusa tick? Cold, hard cash. No ideology, no politics, just profit. Their toolkit includes KillAV, a BYOVD tool that disables security software; Navicat for poking through databases; and Rclone for shipping stolen data out to cloud storage.
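Every tool named above is legitimate, which is exactly why the attacker likes them: nothing fires on the binary name alone. What stands out is context, such as a remote-access tool on a host nobody approved it for, a binary launched from a temp folder, or rclone pushing a file share to a named cloud remote. The following is an added example, not code from this article or any vendor, that scores Sysmon-style process-creation records for the tooling attributed to Medusa. The log lines, host names, approved-host list, paths and command-line switches are all constructed for the demonstration and are not claimed to be real Medusa artifacts.

```python
"""
Score Sysmon-style process-creation records for the living-off-the-land
tooling the article attributes to Medusa. Added example; not the article's
code or any vendor's detection content. Every log line, host name and
approved-host entry below is constructed for the demonstration.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Optional

# Tool markers named in the article, matched against image path + command line.
# All are legitimate admin tools, so a match is a lead to triage, not a verdict.
TOOL_PATTERNS = {
    "AnyDesk":    re.compile(r"\banydesk", re.I),
    "SimpleHelp": re.compile(r"simplehelp", re.I),
    "PDQ Deploy": re.compile(r"pdq\s*deploy", re.I),
    "Navicat":    re.compile(r"navicat", re.I),
    "Rclone":     re.compile(r"\brclone\b", re.I),
}

# Remote-access and deployment tools belong only on the hosts where they were
# deliberately installed (constructed stand-in for a CMDB or software inventory).
RMM_TOOLS = {"AnyDesk", "SimpleHelp", "PDQ Deploy"}
EXPECTED_HOSTS = {
    "AnyDesk": {"hd-ws01"},
    "SimpleHelp": set(),
    "PDQ Deploy": {"pdq-console"},
}

# Paths a low-privilege account can write to; a remote-access binary launched
# from here was dropped, not installed.
USER_WRITABLE = re.compile(r"\\(temp|appdata|programdata|users\\public)\\", re.I)

# rclone copying/syncing to a named remote ("name:path") is the exfiltration
# shape; a Windows drive letter ("C:\...") is excluded so local copies don't hit.
RCLONE_REMOTE = re.compile(r"\b(copy|sync|move)\b.*\s(?![A-Za-z]:)\S+:\S*", re.I)


@dataclass
class Finding:
    host: str
    user: str
    tool: str
    score: int
    reasons: list = field(default_factory=list)


def parse_event(line: str) -> dict:
    """One process-creation record serialised as a JSON line."""
    ev = json.loads(line)
    for key in ("host", "user", "image", "cmdline"):
        ev.setdefault(key, "")
    return ev


def classify(ev: dict, expected_hosts: dict = EXPECTED_HOSTS) -> Optional[Finding]:
    """Return a scored Finding if the event involves one of the named tools."""
    haystack = f"{ev['image']} {ev['cmdline']}"
    for tool, pat in TOOL_PATTERNS.items():
        if not pat.search(haystack):
            continue
        f = Finding(ev["host"], ev["user"], tool, 1, [f"{tool} observed"])
        if tool in RMM_TOOLS and ev["host"].lower() not in expected_hosts.get(tool, set()):
            f.score += 2
            f.reasons.append("host is not approved for this tool")
        if USER_WRITABLE.search(ev["image"]):
            f.score += 2
            f.reasons.append("binary launched from a user-writable path")
        if tool == "Rclone" and RCLONE_REMOTE.search(ev["cmdline"]):
            f.score += 3
            f.reasons.append("rclone pushing to a named remote (exfiltration shape)")
        return f
    return None


def hunt(lines, expected_hosts: dict = EXPECTED_HOSTS, threshold: int = 3):
    """Findings at or above the threshold, highest score first."""
    found = [classify(parse_event(line), expected_hosts) for line in lines]
    found = [f for f in found if f is not None and f.score >= threshold]
    return sorted(found, key=lambda f: f.score, reverse=True)


# Constructed records (not real telemetry). Backslashes are JSON-escaped.
SAMPLE_EVENTS = [
    # Help-desk workstation approved for AnyDesk, installed normally: score 1.
    r'{"host": "HD-WS01", "user": "CORP\\helpdesk1", "image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe", "cmdline": "AnyDesk.exe --service"}',
    # Same tool dropped into Temp on a file server by a service account: unexpected host, writable path.
    r'{"host": "FS01", "user": "CORP\\svc_backup", "image": "C:\\Windows\\Temp\\AnyDesk.exe", "cmdline": "AnyDesk.exe --install C:\\Windows\\Temp --silent"}',
    # rclone on the same file server pushing a share to a cloud remote.
    r'{"host": "FS01", "user": "CORP\\svc_backup", "image": "C:\\ProgramData\\rclone.exe", "cmdline": "rclone.exe copy \\\\FS01\\Finance mega:archive --transfers 32"}',
    # PDQ Deploy on its own console host is business as usual: score 1.
    r'{"host": "PDQ-CONSOLE", "user": "CORP\\deploy", "image": "C:\\Program Files\\PDQ Deploy\\PDQDeploy.exe", "cmdline": "PDQDeploy.exe"}',
    # Unrelated process: no finding.
    r'{"host": "WS-042", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe budget.txt"}',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.score}] {f.host} {f.user} {f.tool}: " + "; ".join(f.reasons))
```

Run as a script it reports two leads from the file server, rclone first, while the help-desk AnyDesk and the PDQ console are scored but stay below the threshold. The point is the scoring, not the name match: one of these binaries on an approved host is noise, while rclone writing to a named remote from ProgramData on a file server is what you page someone for.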
They’re methodical. Professional.
The consistency in tactics suggests either direct operations by the core group or a small, tight-knit affiliate network. For small businesses without proper security measures, a Medusa attack could be catastrophic; an often repeated but poorly sourced estimate holds that 60% of small businesses close within six months of a cyberattack.
The group maintains a bold presence on both the dark web and the clear web, making it unusually visible compared to other ransomware operators. With potential links to groups like BlackCat, Medusa is rising alongside newer threats such as RansomHub and Qilin.
The ransomware ecosystem isn’t dying—it’s advancing. And Medusa is leading the charge.