
Medusa Ransomware Activity Continues to Increase

Attacks using this ransomware have displayed consistent TTPs and grown steadily since 2023.

Medusa ransomware attacks jumped by 42% between 2023 and 2024. This increase in activity continues to escalate, with almost twice as many Medusa attacks observed in January and February 2025 as in the first two months of 2024. 

Figure 1. Medusa ransomware attacks, 2023-2025 (Source: Medusa leaks site)

The Medusa ransomware is reportedly operated as a ransomware-as-a-service (RaaS) by a group Symantec’s Threat Hunter Team tracks as Spearwing. Like the majority of ransomware operators, Spearwing and its affiliates carry out double extortion attacks, stealing victims’ data before encrypting networks in order to increase the pressure on victims to pay a ransom. If victims refuse to pay, the group threatens to publish the stolen data on their data leaks site.

Spearwing has amassed hundreds of victims since it first became active in early 2023. The group has listed almost 400 victims on its data leaks site in that time, and the true number of victims is likely to be much higher. Ransoms demanded by attackers using the Medusa ransomware have ranged from $100,000 up to $15 million. 

As we discussed in our recent Threat Hunter whitepaper on the topic of ransomware, the decline of well-known names like Noberus and LockBit following law enforcement action in 2023 and 2024 left a gap for the rise of new names on the ransomware landscape. Among those names are RansomHub and the longer established Qilin. With its continuing increase in activity, it seems that Medusa could also be taking advantage of this gap in the ransomware scene. 

This is a different ransomware from the older MedusaLocker ransomware, and Spearwing is not believed to have any link to that operation.

Medusa in Operation

It is believed that Spearwing and its affiliates mostly gain access to victim networks by exploiting unpatched vulnerabilities in public-facing applications, particularly Microsoft Exchange Servers. It has also been reported that the group has gained access to some victims by hijacking legitimate accounts, possibly utilizing initial access brokers for infiltration. In several of the Medusa attacks observed by Symantec it wasn’t possible to definitively determine how the attackers had gained initial access to victims’ networks, meaning an infection vector other than exploits could have been used.

A variety of living-off-the-land and dual-use tools have been used in attack chains where the Medusa ransomware has been deployed.

Once they have gained access to a victim network, attackers using Medusa typically use remote management and monitoring (RMM) software such as SimpleHelp or AnyDesk for further access and to download drivers. Mesh Agent is another remote access tool that has been seen in several Medusa ransomware attacks. Mesh Agent has been appearing more frequently in ransomware attack chains in recent times.

Attackers using Medusa often use the Bring Your Own Vulnerable Driver (BYOVD) technique, deploying a legitimately signed but vulnerable driver to the target network and then exploiting it to disable security software and evade detection. BYOVD has been used increasingly in ransomware attack chains over the last two years. In almost all Medusa attacks, a KillAV tool and its associated vulnerable driver are used at this stage of the attack chain to load the driver and disable security software.

The use of the legitimate software deployment tool PDQ Deploy is another hallmark of Medusa ransomware attacks. The attackers typically use it to drop other tools and files and to move laterally across the victim network.

Symantec researchers observed the same file path being used with PDQ Deploy to deploy Medusa in almost two-thirds of the Medusa ransomware attacks we investigated in the last year (see Box 1).

Box 1. File path and file name seen in multiple Medusa attacks
File path: csidl_windows\adminarsenal\pdqdeployrunner\service-1\exec
File name: gaze.exe
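Because the staging path in Box 1 belongs to PDQ Deploy's own runner service, it is a cheap thing to hunt on in process-creation telemetry: anything launched from that directory was pushed by PDQ, so the question is only whether your administrators pushed it. The following Python snippet is an added example, not code from the Symantec report. The events, host names, the allowlisted package name and the unknown updater.exe are constructed for illustration; only gaze.exe and the pdqdeployrunner\service-1\exec path come from this article.

```python
import re
from collections import defaultdict

# PDQ Deploy's runner service stages packages under this path before executing them
# (path from Box 1; the service index and drive letter vary, hence the regex).
PDQ_EXEC_RE = re.compile(
    r"\\adminarsenal\\pdqdeployrunner\\service-\d+\\exec\\([^\\]+)$", re.IGNORECASE
)

KNOWN_BAD = {"gaze.exe"}          # ransomware file name reported in Box 1 and the IOC list
ALLOWLIST = {"7z2301-x64.exe"}    # hypothetical: packages your own PDQ admins actually push

# Constructed process-creation events (Sysmon Event ID 1 style). Not real telemetry.
EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\AdminArsenal\PDQDeployRunner\service-1\exec\gaze.exe"},
    {"host": "ws02", "image": r"C:\Windows\AdminArsenal\PDQDeployRunner\service-1\exec\gaze.exe"},
    {"host": "ws02", "image": r"C:\Windows\AdminArsenal\PDQDeployRunner\service-1\exec\updater.exe"},
    {"host": "ws03", "image": r"C:\Windows\AdminArsenal\PDQDeployRunner\service-2\exec\gaze.exe"},
    {"host": "ws04", "image": r"C:\Windows\AdminArsenal\PDQDeployRunner\service-1\exec\7z2301-x64.exe"},
    {"host": "ws04", "image": r"C:\Windows\System32\cmd.exe"},
]


def classify(event, allowlist=ALLOWLIST, known_bad=KNOWN_BAD):
    """Return None if the image was not launched from the PDQ runner staging path,
    otherwise (file_name, verdict) with verdict in {"known-bad", "allowed", "review"}."""
    m = PDQ_EXEC_RE.search(event["image"])
    if not m:
        return None
    name = m.group(1).lower()
    if name in known_bad:
        return name, "known-bad"
    if name in allowlist:
        return name, "allowed"
    return name, "review"


def hunt(events, allowlist=ALLOWLIST, known_bad=KNOWN_BAD, fanout=3):
    """Flag non-allowlisted binaries run from the PDQ staging path, and separately report
    any such binary pushed to at least `fanout` distinct hosts (mass deployment, as in the
    case study where PDQ Deploy pushed the AV killer and the ransomware to every endpoint)."""
    hits = []
    hosts_by_name = defaultdict(set)
    for ev in events:
        result = classify(ev, allowlist, known_bad)
        if result is None or result[1] == "allowed":
            continue
        name, verdict = result
        hits.append((ev["host"], name, verdict))
        hosts_by_name[name].add(ev["host"])
    mass = {n: sorted(h) for n, h in hosts_by_name.items() if len(h) >= fanout}
    return hits, mass


if __name__ == "__main__":
    hits, mass = hunt(EVENTS)
    for host, name, verdict in hits:
        print(f"{host}: {name} launched from PDQ staging path [{verdict}]")
    for name, hosts in mass.items():
        print(f"mass deployment of {name} to {len(hosts)} hosts: {', '.join(hosts)}")
```

The allowlist is the important tuning knob: in an environment that genuinely uses PDQ Deploy, the "review" bucket will be noisy until the packages administrators push are enumerated, but a brand-new file name appearing on many hosts within minutes is exactly the fan-out signal the case study describes.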

Other tools used by Spearwing and its affiliates include Navicat, a tool used to access and run database queries, which is likely used by the attackers to search for and copy relevant data for exfiltration. RoboCopy is another tool that has been used by Medusa attackers in a similar fashion, while attackers using Medusa have also been seen using Rclone for data exfiltration. Attackers have also commonly used network scanners like NetScan as part of their attack chain, while they have also used various tools for credential dumping and to delete shadow copies from victim machines.

The tactics, techniques, and procedures (TTPs) used by attackers deploying Medusa have remained consistent since it became active in 2023, with PDQ Deploy, the use of remote access clients, and the BYOVD technique to disable security software being particular hallmarks of Medusa ransomware attack chains. The consistency of the TTPs used in Medusa attacks does raise the question as to whether Spearwing is truly operating as a RaaS. The consistency of the tactics may indicate a few things:

  1. The group is carrying out attacks itself as well as developing the ransomware.
  2. The group works with just one or a very small number of affiliates.
  3. Spearwing provides affiliates with not just the ransomware, but also a playbook as to how the attacks should be carried out and the attack chain to use.

It is difficult to say which one of the above might apply to Spearwing’s activity, but it seems that the group doesn’t necessarily operate as a “typical” RaaS that works with a lot of affiliates who may use varying TTPs. 

See below for brief descriptions of some of the tools most used in Medusa attacks:

  • AnyDesk: A legitimate remote desktop application. It and similar tools are often used by attackers to obtain remote access to computers on a network.
  • KillAVDriver: A driver file used to help terminate security processes.
  • KillAV: Used to deploy a kernel driver for terminating security processes.
  • Mesh Agent: Publicly available software that allows remote device access and management.
  • Navicat: Legitimate graphical database management and development software.
  • NetScan: SoftPerfect Network Scanner (netscan.exe), a publicly available tool used for the discovery of host names and network services.
  • PDQ Deploy: A legitimate software tool that allows users to manage patching on multiple software packages in addition to deploying custom scripts.
  • PDQ Inventory: A legitimate software tool that allows users to inventory software on network machines.
  • SimpleHelp: Remote desktop software that provides remote access and control of a device.
  • Rclone: Open-source tool that can legitimately be used to manage content in the cloud, but has been seen being abused by ransomware actors to exfiltrate data from victim machines.
  • Robocopy: A command-line file transfer utility for Microsoft Windows.

The .medusa extension is added to encrypted files and a ransom note named !READ_ME_MEDUSA!!!.txt is dropped on encrypted machines. Medusa can also delete itself from victim machines once the ransomware has executed, which makes it more difficult for those investigating these attacks to recover a sample. The ransom demanded by the group varies depending on the victim. Victims are given 10 days to pay and are charged $10,000 per day if they want to extend this deadline. The attackers provide screenshots of stolen data to prove that they have compromised victims' networks. If victims fail to pay, Spearwing will publish the stolen data on its leaks site.

While there is no link between Medusa and MedusaLocker, in a relatively early Medusa attack, in June 2023, attackers deploying Medusa used drivers that were related to ones previously used in a BlackCat (aka Noberus) attack described by Trend Micro. It wasn’t clear if those drivers were publicly available, or if these two instances pointed to a sharing of tools or affiliates by Medusa and BlackCat. No further evidence has appeared to suggest links between the two groups, though it is possible that they may have affiliates or members in common.

Like most targeted ransomware groups, Spearwing tends to attack large organizations across a range of sectors. Ransomware groups tend to be driven purely by profit, and not by any ideological or moral considerations. Medusa has been publicly documented as demanding ransoms from healthcare providers and non-profits, as well as targeting financial and government organizations.

Case Study: Medusa Attack

In an attack investigated by Symantec’s Threat Hunter team in January 2025, Medusa was used to target a healthcare organization in the U.S., where it infected several hundred machines.

The initial access vector used in this attack is not known. The first attacker activity occurred on this network four days before the ransomware was deployed. Once the attacker was on the victim network they staged multiple tools for persistence, lateral movement, and to impair defenses. Most of the tools were staged under the CSIDL_PROFILE\documents folder.

Some of the early attacker activity on this network included:

Executing vssadmin to create a shadow copy:

  • vssadmin create shadow /for=C:

Accessing ntds.dit for credential dumping (the shadow copy provides a readable copy of the Active Directory database, which is locked while the domain controller is running).

Installing SimpleHelp and Mesh Agent onto victim machines:

  • CSIDL_PROFILE\documents\mesh.exe -fullinstall
  • CSIDL_PROFILE\documents\SN.exe

Dropping AVKiller and a driver under the documents folder on a machine. The attackers used the known POORTRY driver, as well as one unknown driver, for the purposes of killing security software during this attack:

  • CSIDL_PROFILE\documents\2Gk8.exe
  • CSIDL_PROFILE\documents\smuot.sys

On the day of the ransomware attack, Rclone was deployed on the victim network for data exfiltration. The attackers used a renamed copy of Rclone (lsp.exe), which was found under:

  • CSIDL_SYSTEM_DRIVE\temp

On the day the ransomware was deployed, the attacker switched to another machine and started staging tools there, using PsExec to execute commands on it remotely.

They executed the following commands on this machine:

  • quser
  • net user
  • CSIDL_SYSTEM\net1 user <? |comma| ?> default [REDACTED] /domain

The attacker then dropped and installed SimpleHelp:

  • csidl_profile\documents\mx.exe

They then attempted to create a shadow copy of the C drive but used an incorrect command. This is notable as it points to hands-on-keyboard activity, rather than this being an automated attack:

  • vssadmin create dhadow /for=C:

The attacker then corrected the command and executed again:

  • vssadmin create shadow /for=C:

The attacker then dumped the ntds.dit file, before deleting the shadow copy:

  • vssadmin delete shadows /shadow=
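The create-shadow, read-ntds.dit, delete-shadow sequence above is a compact pattern to alert on, and the mistyped command is itself a signal worth keeping, since automation does not make typos. The following Python detector is an added example, not code from the Symantec report. The command lines, host names and timestamps are constructed to mirror the case study; the GLOBALROOT copy command is a representative way of reading ntds.dit out of a shadow copy, not something the report states the attacker ran, and srv-bkp is a benign backup job included for contrast.

```python
import re
from datetime import datetime

# vssadmin create <verb> /for=<drive>; the verb is captured so near-miss typos can be scored
VSS_CREATE = re.compile(r"^vssadmin\s+create\s+(\S+)\s+/for=", re.IGNORECASE)
VSS_DELETE = re.compile(r"^vssadmin\s+delete\s+shadows\b", re.IGNORECASE)
NTDS = re.compile(r"ntds\.dit", re.IGNORECASE)

# Constructed events (host, ISO timestamp, command line) shaped like the case study.
EVENTS = [
    ("srv-dc01", "2025-01-14T09:02:10", "vssadmin create dhadow /for=C:"),
    ("srv-dc01", "2025-01-14T09:02:41", "vssadmin create shadow /for=C:"),
    ("srv-dc01", "2025-01-14T09:05:03",
     r"cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\Users\Public\n.dit"),
    ("srv-dc01", "2025-01-14T09:06:30", "vssadmin delete shadows /shadow={shadow-id}"),
    ("srv-bkp", "2025-01-14T09:10:00", "vssadmin create shadow /for=D:"),
]


def edit_distance(a, b):
    """Plain Levenshtein distance; used to recognise a mistyped 'shadow' verb."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(events, window_minutes=30):
    """Per host: a shadow copy is created, ntds.dit is touched within the window, and
    optionally shadows are deleted afterwards. Returns {host: finding} for every host that
    reaches at least create + ntds.dit; a lone shadow creation (backups) is not reported."""
    state, findings = {}, {}
    for host, ts, cmd in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        s = state.setdefault(host, {"create": None, "typo": False, "ntds": None, "delete": None})
        cmd = cmd.strip()
        m = VSS_CREATE.match(cmd)
        if m:
            verb = m.group(1).lower()
            if verb == "shadow":
                s["create"] = s["create"] or t
            elif edit_distance(verb, "shadow") <= 2:
                s["typo"] = True        # near-miss: someone typed this by hand
            continue
        if s["create"] is None or (t - s["create"]).total_seconds() > window_minutes * 60:
            continue
        if NTDS.search(cmd):
            s["ntds"] = s["ntds"] or t
        elif VSS_DELETE.match(cmd) and s["ntds"]:
            s["delete"] = t             # evidence removal after the copy
    for host, s in state.items():
        if s["create"] and s["ntds"]:
            findings[host] = {
                "severity": "critical" if s["delete"] else "high",
                "hands_on_keyboard": s["typo"],
                "cleanup": s["delete"] is not None,
            }
    return findings


if __name__ == "__main__":
    for host, finding in analyse(EVENTS).items():
        print(host, finding)
```

Backup software creates shadow copies all day, which is why the rule keys on the ntds.dit access rather than on vssadmin alone; the subsequent delete is what turns a high-severity credential-theft finding into a critical one, because it shows the operator cleaning up after themselves.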

They then dropped and installed AnyDesk, and used this to download PDQ Deploy and PDQ Inventory onto the machine:

  • CSIDL_PROFILE\documents\anydesk.exe

The attacker then opened an RDP session to another machine, and this is the last activity that occurred on this machine.

On the other machine, the attacker dropped PDQ Deploy, PDQ Inventory, and SimpleHelp under the same directory, before PDQ Deploy and PDQ Inventory were installed under the programs directory and SimpleHelp under the common appdata directory. The attacker used PDQ Inventory to get an inventory of the endpoints on the network. PDQ Deploy then used this information to deploy the AVKiller binary and driver under the Windows directory to all the endpoints and execute it.

The attacker then used PDQ Deploy to transfer the ransomware binary and execute it. The ransomware had the file name gaze.exe.

The ransomware didn’t encrypt files with the following extensions:

  • .dll
  • .exe
  • .lnk
  • .MEDUSA

It also didn’t encrypt content in the following folders:

  • WindowsOld
  • Perflogs
  • Msocache
  • ProgramFiles
  • ProgramFilesX86
  • Programdata

The ransomware contained an encoded list of the services and processes it terminates before encrypting. It decodes the strings with the key 0x2e and passes them to net stop <service> & taskkill /F /IM <process> /T.
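The report gives the decode key but not the encoding scheme, so the following is an added example rather than the Medusa routine itself: it assumes a single-byte XOR over a newline-separated list, which is the usual meaning of a one-byte key, and the service and process names in the sample blobs are constructed, not the list embedded in the binary. It also shows one practical consequence of this particular key for anyone running a strings tool over the sample: 0x2e is the ASCII code of '.', so every '.' in a plaintext name such as notepad.exe encodes to a NUL byte, which a naive strings pass treats as a terminator.

```python
KEY = 0x2e  # decode key reported for the January 2025 sample

# Constructed sample blobs: newline-separated names XORed with KEY, written out as hex.
# The names are illustrative; they are not the list carried by the Medusa binary.
SERVICES_HEX = "585d5d245d5f42244c4f4d455b5e"                        # "vss\nsql\nbackup"
PROCESSES_HEX = "5d5f425d4b5c585c004b564b2440415a4b5e4f4a004b564b"  # "sqlservr.exe\nnotepad.exe"

# Constructed stand-in for a slice of the unpacked binary: junk, the two blobs, junk.
BUF = (bytes.fromhex("9090cccc") + bytes.fromhex(SERVICES_HEX) + bytes.fromhex("ffff")
       + bytes.fromhex(PROCESSES_HEX) + bytes.fromhex("cc90"))


def xor_decode(blob: bytes, key: int = KEY) -> bytes:
    """Single-byte XOR; the same function encodes and decodes."""
    return bytes(b ^ key for b in blob)


def decode_list(blob: bytes, key: int = KEY) -> list:
    """Decode a blob and split it into names; empty entries are dropped."""
    return [p.decode("ascii") for p in xor_decode(blob, key).split(b"\n") if p]


def build_commands(services, processes) -> list:
    """Reproduce the pre-encryption cleanup the report describes: net stop each service,
    then taskkill each process. These are the command strings only; nothing is executed."""
    return [f"net stop {s}" for s in services] + [f"taskkill /F /IM {p} /T" for p in processes]


def carve_encoded_strings(buf: bytes, key: int = KEY, min_len: int = 4) -> list:
    """Scan a buffer for runs that decode to printable ASCII (or newline) under `key`,
    the way you would look for the embedded list in the unpacked binary. Because
    0x00 ^ 0x2e == '.', the NUL that stands in for '.' keeps the run intact here,
    whereas a plain strings pass over the raw bytes would stop at it."""
    out, run = [], bytearray()
    for b in buf:
        d = b ^ key
        if 0x20 <= d < 0x7f or d == 0x0a:
            run.append(d)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


if __name__ == "__main__":
    services = decode_list(bytes.fromhex(SERVICES_HEX))
    processes = decode_list(bytes.fromhex(PROCESSES_HEX))
    for cmd in build_commands(services, processes):
        print(cmd)
    print("carved from buffer:", carve_encoded_strings(BUF))
    print("NUL offset in encoded 'notepad.exe':", xor_decode(b"notepad.exe").index(0))
```

Carving by decode-then-test-printability, as above, is the general trick for any single-byte XOR key: if the key were unknown, the same loop run over all 256 candidates and ranked by the total length of printable runs would usually recover it.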

The ransomware dropped its ransom note, !READ_ME_MEDUSA!!!.txt, into every directory it encrypted, and then deleted itself once it had run (the -d argument listed in Box 2 disables this self-deletion).

Medusa has multiple arguments that perform various tasks. The list of accepted arguments for the ransomware used in this attack can be seen in Box 2.

Box 2. List of arguments accepted by Medusa ransomware in a January 2025 attack observed by Symantec
Argument  Comment
-V        Print the version of the ransomware (Version:1.20)
-d        Don't delete self
-f        Exclude system folder
-k        Key file path
-n        Use network drives
-p        Don't run the preprocess step (skip taskkill, net stop and shadow copy deletion)
-s        Exclude system driver
-t        Ransom note path
-w        Execute a PowerShell file before starting the ransomware
-v        Verbose

Protection/Mitigation

For the latest protection updates, please visit the Symantec Protection Bulletin.

Indicators of Compromise

If an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.

SHA-256 Path Description
c28fa95a5d151d9e1d7642915ec5a727a2438477cae0f26f0557b468800111f9 csidl_profile\appdata\roaming\frpc.exe Fast Reverse Proxy
622b9c7a39c3f0bf4712506dc53330cdde37e842b97f1d12c97101cfe54bebd4 csidl_profile\appdata\roaming\windefender.exe Fast Reverse Proxy dropper
ae312393ef8e7c4a813a0ed8d4dd9e6a85b00303eb070eb15133797f41e99d90 csidl_profile\appdata\roaming\kill.exe Suspected KillAV tool
dbe480495be5abc23437b5e916fa0368c617e4dbd58d9ed7ea303b102a6dc3b1 csidl_windows\temp\symantec.exe KillAV
16f83f056177c4ec24c7e99d01ca9d9d6713bd0497eeedb777a3ffefa99c97f0 csidl_windows\temp\nitrogenk.sys ThrottleStop driver
b1553dfee1da93fd2dedb0755230ce4e21d4cb78cfc369de29d29d04db1fe013 csidl_profile\appdata\roaming\symantec (2).exe KillAV
5f9d864d11c79b34c4502edba7d0e007197d0df086a6fb9d6bfda84a1771ff0f Medusa ransomware
b7703a59c39a0d2f7ef6422945aaeaaf061431af0533557246397551b8eed505 csidl_profile\documents\smuot.sys KillAV Driver
df6cb5199c272c491b3a7ac44df6c4c279d23f7c09daed758c831b26732a4851 csidl_profile\documents\2gk8.exe KillAV
9632d7e4a87ec12fdd05ed3532f7564526016b78972b2cd49a610354d672523c csidl_system_drive\temp\lsp.exe Rclone
55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047 csidl_profile\documents\anydesk.exe AnyDesk
7f2f3e90863de8f753169fdc107df72c0ba95826de848a2d5f753f9f58a35fb4 csidl_profile\documents\mx.exe SimpleHelp
f5acae25462bee1c2120fa53c33126792d0747cb93105b475f1dc15ae95d86f8 csidl_profile\documents\sn.exe SimpleHelp
16c7497fc7b31936c1ecb845d2e61ef30935c1bba3074ac66a7329d7d134cbb1 zrapb.sys Suspected KillAV driver
bf3b4762b518c4682cb06fe5848e7cf3cc515fca1c367f82c8d69a847ac1a0a1 ar61.exe Suspected KillAV tool
e61b3377065034c79f2ac9c5593f117182a5a7a0d572f8ea8b7e6b10e10bb431 csidl_profile\documents\inventory_19.3.553.0.exe PDQ Inventory
ae8553ec071675f372e0666fb73655e15119ebe705a518293373acc4589fa2da csidl_profile\documents\deploy_19.3.553.0.exe PDQ Deploy
c005dda544098874b1f923c835c9183d1ad4f601b2e9a29b1afa02ae3061e5d4 csidl_windows\adminarsenal\pdqdeployrunner\service-1\pdqdeployrunner-1.exe PDQ Deploy
c9e05b08731892295a0842f7d17be0747c16226fcb75fa4a23b43b61a833c8cf csidl_system_drive\temp\supportservicemain_domain.exe SimpleHelp
583940ab94608408294e344af4503c8caed96966a08165c58cdc4faa03ab52a9 csidl_profile\default.fmhnt\downloads\filetree.exe Tool for file reconnaissance
dfdb6d5ef505a0d4cabbcd97e142106ecab9604d0086d77c9431e2fb09088eb6 csidl_system\gaze.exe Medusa Ransomware
c6ac5a83942a8aa3954650dfaa343a4bc4d3cff81c771ec0bb60bf1d2208c4e1 !!!read_me_medusa!!!.txt Medusa ransom note
3a7f64223a51e35a8253804c42d0ba92b663e06da8c21d398a65074b8e50beec winppx.exe Dropper
9d5616672189557f171cae0f122853f3498bc9160ee92f3844404d46ec45210a svhost.exe RevSocks
dd0e796f52fc1fcad488df122db8f5fcc9423ffdd3b5edbcc66d6055ab8a2247 1CE7E.bat BAT file
6106d1ce671b92d522144fcd3bc01276a975fe5d5b0fde09ca1cca16d09b7143 wnbios.sys Driver used to kill Windows Defender
3770c122f3f289cea730a5d1d16978e7f354686d3d2d4f667cfd9e37d5e9d368 159F.bat BAT file
038fb5e0ba6c35e3ee2f56b5bd926109e8b321bd0c9e3b759489312518efea65 readtext85.exe Medusa ransomware
1b7add5adbb9ba5b85437c11825e47663bd59729442f6f44fb2576b25945f0eb gaze.exe Medusa ransomware
e0b562b70b9fed98a05680a613f786bd482f71456976c7290ca2059004cb64a5 mbaer.sys Suspected malicious driver (POORTRY)
e7cad51c71403c229364147d66ef1858065b10645d1d09774cd9a91dd8e54717 r4jo.exe Packed driver loader (STONESTOP)
ad3ec38f79b4964fc9ba0d8f2d9d28c7cd3bd20dee0e3acf427eebb5dc819275 Unpacked driver loader (STONESTOP)
7c340e4d69ac5221bbebcad320814929c1bc376c4d9a64e5daf70c191137fd4a gaze.exe Medusa ransomware
01b91c60866b22b22d82284cbaac35565818eba353ac834018971d180a790a77 pdqdeployrunner-1.exe PDQ Deploy
f365ca957e733714691f4ac19f136b33442269816e71cab84c3ce0b319084cc2 qz3juql.exe KillAV
7880968b0020947d5d13fac826e49c70b5a9421e3d6546a34663803a411b97ff ggssk.sys KillAV driver
77a96b9bcc2bdcbc5c5cd39d606b8b14112e04390c04e4c9a7570a8bbca32ed2 uvgdqeuh.dll Suspicious DLL
0b3b9076591240a9639929a1a5a78922b5db0af3dba2e782d595ecc139ffb7e1 rf5oibxf.dll Suspicious DLL
53e5c44c1f47895004d61d18cbc74e83d7118dfcb2eb073c1e9c6a37abf38bd9 robocopy.exe Robocopy
3be651fe6619e62e483ff8d46e49c3578e7ce9d60b6d2b31d8d3e32beeeaabec disabler.exe Disable AV tool
08f05c597ac7c8e35515a63a9e139ef75b44d92093ed8c5b1b3c064f9c7f6cb8 syss1.exe; disabler.exe Downloader
d1e1eb0e0aaedb01df8cc2b98b0119c4aef8c1c2a3930ea0c455f0491e3161eb csidl_windows\temp\270.exe Medusa ransomware
d5a1f90dc5c9717b3f900c91a6cdccc20e56e6f1d20f24170189260e8dde7608 csidl_windows\temp\syss2.exe EDR Sandblast
8dff18f10c857dd3eeb5511f5724da0ab1d9e411044aea27f6de23ee33f798c8 csidl_windows\temp\syss.exe Disable AV tool
276024580b5bc903656a1c12a7ec02daccb10e6e6bdf6872765c9a67f1cd6da5 csidl_windows\temp\syss.exe Disable AV tool
About the Author

Threat Hunter Team

Symantec

The Threat Hunter Team is a group of security experts within Symantec whose mission is to investigate targeted attacks, drive enhanced protection in Symantec products, and offer analysis that helps customers respond to attacks.
