Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Medusa Ransomware targeted over 40 organizations in 2025

Medusa ransomware has claimed nearly 400 victims since January 2023, with attacks increasing by 42% between 2023 and 2024. The Symantec Threat Hunter Team reported that the Medusa ransomware operators have claimed nearly 400 victims since January 2023. Experts observed a 42% increase in attacks carried out by the group between 2023 and 2024. Experts […]

Medusa ransomware

Medusa ransomware has claimed nearly 400 victims since January 2023, with attacks increasing by 42% between 2023 and 2024.

The Symantec Threat Hunter Team reported that the Medusa ransomware operators have claimed nearly 400 victims since January 2023. Experts observed a 42% increase in attacks carried out by the group between 2023 and 2024. Experts tracked the Medusa ransomware activity as Spearwing.

Medusa ransomware

Between January and February 2025, the ransomware gang claimed responsibility for over 40 attacks.

“Like the majority of ransomware operators, Spearwing and its affiliates carry out double extortion attacks, stealing victims’ data before encrypting networks in order to increase the pressure on victims to pay a ransom,” reads the report published by Symantec.

Medusa demands ransoms from $100,000 to $15 million, victims are organizations in healthcare, non-profits, finance, and government sectors. The group targets known vulnerabilities, mainly in Exchange Server. The researchers speculate that the ransomware group relies on initial access brokers to access target infrastructure.

Upon gaining initial access to the target, Medusa hackers use remote management and monitoring (RMM) tools like SimpleHelp and AnyDesk for maintaining persistence and employ BYOVD with KillAV to disable antivirus, a tactic seen in BlackCat and RansomHub ransomware operations.

Symatec researchers highlighted that Medusa ransomware attackers use PDQ Deploy to drop tools, files, and move laterally across victim networks.

Medusa ransomware attackers use Navicat for database access, and RoboCopy and Rclone for data exfiltration.

Medusa ransomware is expanding amid disruptions to LockBit and BlackCat, highlighting the evolving RaaS landscape and the need for stronger cybersecurity defenses.

“Like most targeted ransomware groups, Spearwing tends to attack large organizations across a range of sectors,” Symantec concludes. “Ransomware groups tend to be driven purely by profit, and not by any ideological or moral considerations.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)