Medusa Ransomware Activity Continues to Increase

By staff | March 8, 2025

Other tools used by Spearwing and its affiliates include Navicat, a tool used to access and run database queries, which is likely used by the attackers to search for and copy relevant data for exfiltration. RoboCopy is another tool that has been used by Medusa attackers in a similar fashion, while attackers using Medusa have also been seen using Rclone for data exfiltration. Attackers have also commonly used network scanners like NetScan as part of their attack chain, while they have also used various tools for credential dumping and to delete shadow copies from victim machines.

The tactics, techniques, and procedures (TTPs) used by attackers deploying Medusa have remained consistent since it became active in 2023, with PDQ Deploy, the use of remote access clients, and the BYOVD technique to disable security software being particular hallmarks of Medusa ransomware attack chains. The consistency of the TTPs used in Medusa attacks does raise the question as to whether Spearwing is truly operating as a RaaS. The consistency of the tactics may indicate a few things:

  1. The group is carrying out attacks itself as well as developing the ransomware.
  2. The group works with just one or a very small number of affiliates.
  3. Spearwing provides affiliates with not just the ransomware, but also a playbook as to how the attacks should be carried out and the attack chain to use.

It is difficult to say which one of the above might apply to Spearwing’s activity, but it seems that the group doesn’t necessarily operate as a “typical” RaaS that works with a lot of affiliates who may use varying TTPs. 

See below for brief descriptions of some of the tools most used in Medusa attacks:

  • AnyDesk: A legitimate remote desktop application. It and similar tools are often used by attackers to obtain remote access to computers on a network.
  • KillAVDriver: A driver file used to help terminate security processes.
  • KillAV: Used to deploy a kernel driver for terminating security processes.
  • Mesh Agent: Publicly available software that allows remote device access and management.
  • Navicat: Legitimate graphical database management and development software.
  • NetScan: SoftPerfect Network Scanner (netscan.exe), a publicly available tool used for the discovery of host names and network services.
  • PDQ Deploy: A legitimate software tool that allows users to manage patching on multiple software packages in addition to deploying custom scripts.
  • PDQ Inventory: A legitimate software tool that allows users to inventory software on network machines.
  • SimpleHelp: Remote desktop software that provides remote access and control of a device.
  • Rclone: Open-source tool that can legitimately be used to manage content in the cloud, but has been seen being abused by ransomware actors to exfiltrate data from victim machines.
  • Robocopy: A command-line file transfer utility for Microsoft Windows.

The .medusa extension is added to encrypted files and a ransom note named !READ_ME_MEDUSA!!!.txt is dropped on encrypted machines. Medusa can also delete itself from victim machines once the ransomware has executed, which makes it more difficult for those investigating these attacks. The ransom demanded by the group varies depending on the victim. Victims are given 10 days to pay and are charged $10,000 per day to extend this deadline. The attackers provide screenshots of stolen data to prove that they have compromised victims’ networks. If victims fail to pay, Spearwing publishes the stolen data on its leak site.

While there is no link between Medusa and MedusaLocker, in a relatively early Medusa attack, in June 2023, attackers deploying Medusa used drivers that were related to ones previously used in a BlackCat (aka Noberus) attack described by Trend Micro. It wasn’t clear if those drivers were publicly available, or if these two instances pointed to a sharing of tools or affiliates by Medusa and BlackCat. No further evidence has appeared to suggest links between the two groups, though it is possible that they may have affiliates or members in common.

Like most targeted ransomware groups, Spearwing tends to attack large organizations across a range of sectors. Ransomware groups tend to be driven purely by profit, and not by any ideological or moral considerations. Medusa has been publicly documented as demanding ransoms from healthcare providers and non-profits, as well as targeting financial and government organizations.

Case Study: Medusa Attack

In an attack investigated by Symantec’s Threat Hunter team in January 2025, Medusa was used to target a healthcare organization in the U.S., where it infected several hundred machines.

The initial access vector used in this attack is not known. The first attacker activity occurred on this network four days before the ransomware was deployed. Once on the victim network, the attacker staged multiple tools for persistence, lateral movement, and defense impairment. Most of the tools were staged under the CSIDL_PROFILE\documents folder.

Some of the early attacker activity on this network included executing vssadmin to create a shadow copy, staging tools under the documents folder, and enumerating user accounts:

  • vssadmin create shadow /for=C:
  • CSIDL_PROFILE\documents\mesh.exe -fullinstall
  • CSIDL_PROFILE\documents\SN.exe
  • CSIDL_PROFILE\documents\2Gk8.exe
  • CSIDL_PROFILE\documents\smuot.sys
  • CSIDL_SYSTEM_DRIVE\temp
  • quser
  • net user
  • CSIDL_SYSTEM\net1 user , default [REDACTED] /domain

Accessing ntds.dit for credential dumping.

Installing SimpleHelp and Mesh Agent onto victim machines:

Dropping AVKiller and a driver under the documents folder on a machine. The attackers used the known POORTRY driver, as well as one unknown driver, for the purposes of killing security software during this attack:

On the day of the ransomware attack, Rclone was deployed on the victim network for data exfiltration. The attackers used a renamed version of Rclone – lsp.exe. Rclone was found under:

On the day the ransomware was deployed, the attacker switched to another machine and started staging tools. The attacker used PsExec to execute commands on this machine remotely.

It executed the following commands on this machine:

The attacker then dropped and installed SimpleHelp:

  • CSIDL_PROFILE\documents\mx.exe

They then attempted to create a shadow copy of the C drive but used an incorrect command. This is notable as it points to hands-on-keyboard activity, rather than this being an automated attack:

  • vssadmin create dhadow /for=C:

The attacker then corrected the command and executed again:

  • vssadmin create shadow /for=C:

The attacker then dumped the ntds.dit file, before deleting the shadow copy:

  • vssadmin delete shadows /shadow=
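As an added example (not part of the original article), the following Python sketch shows detection logic for the shadow-copy sequence described above: a mistyped vssadmin verb, a copy of ntds.dit out of a shadow copy, and deletion of the shadow shortly afterwards. The log lines, host names and shadow ID are constructed, and the log format is assumed to be timestamp, host, user, command line.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events ("<timestamp> <host> <user> <command line>").
SAMPLE_EVENTS = r"""
2025-01-14T09:02:11 host-a user1 vssadmin create dhadow /for=C:
2025-01-14T09:02:40 host-a user1 vssadmin create shadow /for=C:
2025-01-14T09:05:03 host-a user1 cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3\Windows\NTDS\ntds.dit C:\temp\n.dit
2025-01-14T09:06:30 host-a user1 vssadmin delete shadows /shadow={PLACEHOLDER-SHADOW-ID}
2025-01-14T10:15:00 host-b svc-backup vssadmin create shadow /for=C:
2025-01-14T23:00:00 host-b svc-backup vssadmin delete shadows /for=C: /oldest
"""

VSS_CREATE = re.compile(r"vssadmin\s+create\s+(\S+)", re.I)
NTDS_FROM_SHADOW = re.compile(r"HarddiskVolumeShadowCopy\d+.*ntds\.dit", re.I)
VSS_DELETE = re.compile(r"vssadmin\s+delete\s+shadows", re.I)
WINDOW = timedelta(hours=1)  # how close the steps must be to count as one chain


def parse_events(text):
    """Split raw lines into (timestamp, host, user, command line) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, cmd = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), host, user, cmd))
    return events


def detect(text):
    """Return {host: [findings]} for the create -> ntds.dit -> delete chain."""
    findings = defaultdict(list)
    state = {}  # host -> timestamps of the chain steps seen so far
    for ts, host, user, cmd in parse_events(text):
        create = VSS_CREATE.search(cmd)
        if create:
            verb = create.group(1).lower()
            if verb != "shadow":  # a typo in an admin command points to hands-on-keyboard activity
                findings[host].append(f"mistyped vssadmin verb '{verb}'")
            else:
                state[host] = {"created": ts}
        elif NTDS_FROM_SHADOW.search(cmd):
            s = state.get(host)
            if s and ts - s["created"] <= WINDOW:
                s["ntds"] = ts
                findings[host].append("ntds.dit copied from a shadow copy")
        elif VSS_DELETE.search(cmd):
            s = state.get(host)
            if s and "ntds" in s and ts - s["ntds"] <= WINDOW:
                findings[host].append("shadow copy deleted after ntds.dit access")
    return dict(findings)
```

A routine backup job that creates and later prunes shadows (host-b) produces no finding because no ntds.dit access sits between the two steps.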

They then dropped and installed AnyDesk, and used this to download PDQ Deploy and PDQ Inventory onto the machine:

  • CSIDL_PROFILE\documents\anydesk.exe

The attacker then opened an RDP session to another machine, and this is the last activity that occurred on this machine.

On the other machine, the attacker dropped PDQ Deploy, PDQ Inventory, and SimpleHelp under the same directory, before PDQ Deploy and PDQ Inventory were installed under the programs directory and SimpleHelp under the common appdata directory. The attacker used PDQ Inventory to get an inventory of the endpoints on the network. PDQ Deploy then used this information to deploy the AVKiller binary and driver under the Windows directory to all the endpoints and execute it.

The attacker then used PDQ Deploy to transfer the ransomware binary and execute it. The ransomware had the file name gaze.exe.

The ransomware didn’t encrypt files with the following extensions:

It also didn’t encrypt content in the following folders:

  • WindowsOld
  • Perflogs
  • Msocache
  • ProgramFiles
  • ProgramFilesX86
  • Programdata

The ransomware contained an encoded list of the services and processes it wanted to terminate. It used the key 0x2e to decode these strings and then ran them with net stop <service> & taskkill /F /IM <process> /T.
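As an added example (not code from the article or from the sample), this Python snippet shows how an analyst would recover such an embedded list with the 0x2e key and turn it into hunt strings. It assumes the encoding is a single-byte XOR (the article only names the key) and that entries are comma-separated; the encoded blobs and the service and process names in them are constructed.

```python
KEY = 0x2E  # single-byte key the article reports for Medusa's embedded lists

# Constructed sample blobs (not extracted from a real sample): each list is a
# comma-separated string XOR-encoded byte-by-byte with KEY.
SERVICES_ENC = b"\x58\x5d\x5d\x02\x5d\x5f\x42\x02\x4c\x4f\x4d\x45\x5b\x5e"
PROCESSES_ENC = (b"\x5d\x5f\x42\x5d\x4b\x5c\x58\x5c\x00\x4b\x56\x4b\x02"
                 b"\x41\x5b\x5a\x42\x41\x41\x45\x00\x4b\x56\x4b")


def xor_decode(blob: bytes, key: int = KEY) -> bytes:
    """Apply the single-byte XOR to every byte of the blob."""
    return bytes(b ^ key for b in blob)


def decode_list(blob: bytes, key: int = KEY) -> list:
    """Decode a blob and split it into the individual service/process names."""
    plain = xor_decode(blob, key).decode("ascii")
    return [name for name in plain.split(",") if name]


def find_key(blob: bytes, crib: str = ".exe") -> list:
    """Brute-force candidate keys: the plaintext must be printable ASCII and
    contain the crib. Use this to confirm a key such as 0x2e before trusting output."""
    hits = []
    for key in range(256):
        plain = xor_decode(blob, key)
        if all(32 <= c < 127 for c in plain) and crib.encode() in plain:
            hits.append(key)
    return hits


def expected_commands(services: list, processes: list) -> list:
    """Command lines the sample would issue, usable as hunt strings in process telemetry."""
    cmds = [f"net stop {svc}" for svc in services]
    cmds += [f"taskkill /F /IM {proc} /T" for proc in processes]
    return cmds


if __name__ == "__main__":
    assert find_key(PROCESSES_ENC) == [KEY]
    for line in expected_commands(decode_list(SERVICES_ENC), decode_list(PROCESSES_ENC)):
        print(line)
```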

The ransomware dropped its ransom note—!READ_ME_MEDUSA!!!.txt—into every directory it encrypted. The ransomware was then able to delete itself once it was executed.

Medusa has multiple arguments that perform various tasks. The list of accepted arguments for the ransomware used in this attack can be seen in Box 2.
