While law enforcement celebrates taking down major ransomware operations like LockBit and BlackCat, a relatively new player has been quietly filling the void. Spearwing, a likely Russian-based ransomware-as-a-service (RaaS) group, has been wreaking havoc with its Medusa ransomware, amassing hundreds of victims since emerging in early 2023. Not exactly rookies anymore.
The numbers are frankly disturbing. Medusa attacks surged 42% between 2023 and 2024, then doubled in the first two months of 2025 compared to the same period last year. Over 40 organizations were hit in January and February alone. And those are just the ones they’ve bragged about on their leak site.
Their tactics? Classic digital thuggery with a modern twist. They steal your data before encrypting it (double extortion, how cute), then slap a .medusa extension on your files and drop their charming ransom note. In one recent attack they showed increased dwell time, lurking in the network for four days before deploying the ransomware. Understanding these tactics helps defenders spot indicators of compromise before the full attack executes. Miss their 10-day deadline? That’ll be an extra $10,000 per day, thanks. Ransoms range from $100,000 to a jaw-dropping $15 million. Highway robbery has gone digital.
Spearwing’s technical approach is depressingly effective. They exploit unpatched Microsoft Exchange vulnerabilities, deploy remote management tools like AnyDesk, and use a technique called Bring Your Own Vulnerable Driver (BYOVD) to disable security software. Then they move laterally through networks using legitimate tools. Living off the land, as the security pros call it. The group has targeted nearly 400 victims since January 2023, which shows the scale of the operation.
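One concrete indicator the post gives defenders is the .medusa extension. The script below is an added example, not code from the original post or from Symantec: it parses a small, constructed file-audit log and raises an alert when one host produces a burst of renames to .medusa inside a short window, which is the kind of signal that catches the encryption phase early. The log format and the hostnames are assumptions made for the example; map the parser to your own EDR or file-audit schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SUSPECT_EXT = ".medusa"  # extension described in the post

# Constructed audit lines for the example: "<ISO timestamp> <host> RENAME <old> -> <new>"
SAMPLE_LOG = """\
2025-02-10T03:14:01Z srv-files01 RENAME C:\\Share\\q1.xlsx -> C:\\Share\\q1.xlsx.medusa
2025-02-10T03:14:02Z srv-files01 RENAME C:\\Share\\plan.docx -> C:\\Share\\plan.docx.medusa
2025-02-10T03:14:02Z srv-files01 RENAME C:\\Share\\hr\\pay.csv -> C:\\Share\\hr\\pay.csv.medusa
2025-02-10T03:14:03Z srv-files01 RENAME C:\\Share\\hr\\list.txt -> C:\\Share\\hr\\list.txt.medusa
2025-02-10T03:14:04Z srv-files01 RENAME C:\\Share\\img.png -> C:\\Share\\img.png.medusa
2025-02-10T03:14:05Z srv-files01 RENAME C:\\Share\\notes.md -> C:\\Share\\notes.md.medusa
2025-02-10T09:00:00Z ws-alice RENAME C:\\Users\\alice\\draft.docx -> C:\\Users\\alice\\final.docx
2025-02-10T09:30:00Z ws-bob RENAME C:\\Users\\bob\\a.txt -> C:\\Users\\bob\\a.txt.medusa
"""


def parse_log(text):
    """Parse the constructed audit format into (timestamp, host, old_path, new_path) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        head, _, rest = line.partition(" RENAME ")
        ts_str, _, host = head.partition(" ")
        old_path, _, new_path = rest.partition(" -> ")
        # fromisoformat on older Pythons does not accept a trailing "Z"
        ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
        events.append((ts, host, old_path, new_path))
    events.sort(key=lambda e: e[0])
    return events


def detect_mass_rename(events, ext=SUSPECT_EXT, threshold=5, window_seconds=60):
    """Alert once per host when `threshold` renames to `ext` occur within `window_seconds`.

    A sliding window per host keeps only the timestamps of recent suspicious
    renames, so a single stray rename (ws-bob below) never trips the alert
    while a burst on a file server does.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # host -> timestamps of recent renames to ext
    alerted = set()
    alerts = []
    for ts, host, _old_path, new_path in events:
        if not new_path.lower().endswith(ext):
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append({"host": host, "first_seen": q[0].isoformat(), "count": len(q)})
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(parse_log(SAMPLE_LOG)):
        print(f"ALERT {alert['host']}: {alert['count']} renames to {SUSPECT_EXT} "
              f"starting {alert['first_seen']}")
```

Tune `threshold` and `window_seconds` to the normal rename rate of each host class; a file server that legitimately renames thousands of files an hour needs a higher threshold than a workstation, and the extension check is cheap enough to run on every rename event your audit pipeline emits.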
Healthcare, manufacturing, and education sectors are their favorite targets, with particular focus on organizations in the US, UK, Canada, Australia, France, and Italy. Curiously, they avoid Russia and Commonwealth states. Shocking, right?
Tracked by Symantec’s Threat Hunter Team, Spearwing is now competing with emerging groups like RansomHub and Qilin in the post-LockBit landscape. Their consistent tactics suggest a structured operation with limited affiliates or a tight playbook.
The ransomware ecosystem adapts fast. Take down one group, another fills the gap. Nature abhors a vacuum, especially in cybercrime.
References
- https://www.infosecurity-magazine.com/news/medusa-claims-victims-2025/
- https://www.betterworldtechnology.com/post/medusa-ransomware-surge-over-40-victims-targeted-in-2025
- https://blog.barracuda.com/2025/02/25/medusa-ransomware-and-its-cybercrime-ecosystem
- https://industrialcyber.co/ransomware/symantec-reports-medusa-ransomware-surges-42-as-spearwing-raas-intensifies-operations/
- https://www.enterprisesecuritytech.com/post/ransomware-surge-in-february-2025-clop-ransomhub-and-medusa-lead-a-relentless-onslaught
- https://www.broadcom.com/support/security-center/protection-bulletin/medusa-ransomware-activity-on-the-rise
- https://www.securityweek.com/medusa-ransomware-attacks-increase/
- https://cybernews.com/cybercrime/medusa-ransomware-surge-spearwing-hackers/
- https://gbhackers.com/medusa-ransomware-attacks-surge-42/
- https://www.security.com/threat-intelligence/medusa-ransomware-attacks