Other tools used by Spearwing and its affiliates include Navicat, a tool used to access and run database queries, which is likely used by the attackers to search for and copy relevant data for exfiltration. RoboCopy is another tool that has been used by Medusa attackers in a similar fashion, while attackers using Medusa have also been seen using Rclone for data exfiltration. Attackers have also commonly used network scanners like NetScan as part of their attack chain, while they have also used various tools for credential dumping and to delete shadow copies from victim machines.
The tactics, techniques, and procedures (TTPs) used by attackers deploying Medusa have remained consistent since it became active in 2023, with PDQ Deploy, the use of remote access clients, and the BYOVD technique to disable security software being particular hallmarks of Medusa ransomware attack chains. The consistency of the TTPs used in Medusa attacks does raise the question as to whether Spearwing is truly operating as a RaaS. The consistency of the tactics may indicate a few things:
- The group is carrying out attacks itself as well as developing the ransomware.
- The group works with just one or a very small number of affiliates.
- Spearwing provides affiliates with not just the ransomware, but also a playbook as to how the attacks should be carried out and the attack chain to use.
It is difficult to say which one of the above might apply to Spearwing’s activity, but it seems that the group doesn’t necessarily operate as a “typical” RaaS that works with a lot of affiliates who may use varying TTPs.
See below for brief descriptions of some of the tools most used in Medusa attacks:
- AnyDesk: A legitimate remote desktop application. It and similar tools are often used by attackers to obtain remote access to computers on a network.
- KillAVDriver: A driver file used to help terminate security processes.
- KillAV: Used to deploy a kernel driver for terminating security processes.
- Mesh Agent: Publicly available software that allows remote device access and management.
- Navicat: Legitimate graphical database management and development software.
- NetScan: SoftPerfect Network Scanner (netscan.exe), a publicly available tool used for the discovery of host names and network services.
- PDQ Deploy: A legitimate software tool that allows users to manage patching on multiple software packages in addition to deploying custom scripts.
- PDQ Inventory: A legitimate software tool that allows users to inventory software on network machines.
- SimpleHelp: Remote desktop software that provides remote access and control of a device.
- Rclone: Open-source tool that can legitimately be used to manage content in the cloud, but has been seen being abused by ransomware actors to exfiltrate data from victim machines.
- Robocopy: A command-line file transfer utility for Microsoft Windows.
The .medusa extension is added to encrypted files and a ransom note named !READ_ME_MEDUSA!!!.txt is dropped on encrypted machines. Medusa can also delete itself from victim machines once the ransom is executed, which makes it more difficult for those investigating these ransomware attacks. The ransom demanded by the group varies depending on the victims. Victims are given 10 days to pay and are charged $10,000 per day if they want to extend this deadline. The attackers provide screenshots of stolen data to prove that they have compromised victims’ networks. If victims fail to pay, Spearwing will publish the stolen data on its leaks site.
While there is no link between Medusa and MedusaLocker, in a relatively early Medusa attack, in June 2023, attackers deploying Medusa used drivers that were related to ones previously used in a BlackCat (aka Noberus) attack described by Trend Micro. It wasn’t clear if those drivers were publicly available, or if these two instances pointed to a sharing of tools or affiliates by Medusa and BlackCat. No further evidence has appeared to suggest links between the two groups, though it is possible that they may have affiliates or members in common.
Like most targeted ransomware groups, Spearwing tends to attack large organizations across a range of sectors. Ransomware groups tend to be driven purely by profit, and not by any ideological or moral considerations. Medusa has been publicly documented as demanding ransoms from healthcare providers and non-profits, as well as targeting financial and government organizations.
Case Study: Medusa Attack
In an attack investigated by Symantec’s Threat Hunter team in January 2025, Medusa was used to target a healthcare organization in the U.S., where it infected several hundred machines.
The initial access vector used in this attack is not known. The first attacker activity occurred on this network four days before the ransomware was deployed. Once the attacker was on the victim network they staged multiple tools for persistence, lateral movement, and to impair defenses. Most of the tools were staged under the CSIDL_PROFILEdocuments folder.
Some of the early attacker activity on this network included:
Executing VSS admin to create shadow copies:
- vssadmin create shadow /for=C:
- CSIDL_PROFILEdocumentsmesh.exe -fullinstall
- CSIDL_PROFILEdocumentsSN.exe
- CSIDL_PROFILEdocuments2Gk8.exe
- CSIDL_PROFILEdocumentssmuot.sys
- CSIDL_SYSTEM_DRIVEtemp
- quser
- net user
- CSIDL_SYSTEMnet1 user <? |comma| ?> default [REDACTED] /domain
Accessing ntds.dit for credential dumping.
Installing SimpleHelp and Mesh Agent onto victim machines:
Dropping AVKiller and a driver under the documents folder on a machine. The attackers used the known POORTRY driver, as well as one unknown driver, for the purposes of killing security software during this attack:
On the day of the ransomware attack, Rclone was deployed on the victim network for data exfiltration. The attackers used a renamed version of Rclone – lsp.exe. Rclone was found under:
On the day the ransomware was deployed, the attacker switched to another machine and started staging tools. The attacker used PsExec to execute commands on this machine remotely.
It executed the following commands on this machine:
The attacker then dropped and installed SimpleHelp:
- csidl_profiledocumentsmx.exe
They then attempted to create a shadow copy of the C drive but used an incorrect command. This is notable as it points to hands-on-keyboard activity, rather than this being an automated attack:
- vssadmin create dhadow /for=C:
The attacker then corrected the command and executed again:
- vssadmin create shadow /for=C:
The attacker then dumped the ntds.dit file, before deleting the shadow copy:
- vssadmin delete shadows /shadow=
They then dropped and installed AnyDesk, and used this to download PDQ Deploy and PDQ Inventory onto the machine:
- CSIDL_PROFILEdocumentsanydesk.exe
The attacker then opened an RDP session to another machine, and this is the last activity that occurred on this machine.
On the other machine, the attacker dropped PDQ Deploy, PDQ Inventory, and SimpleHelp under the same directory, before PDQ Deploy and PDQ Inventory were installed under the programs directory and SimpleHelp under the common appdata directory. The attacker used PDQ Inventory to get an inventory of the endpoints on the network. PDQ Deploy then used this information to deploy the AVKiller binary and driver under the Windows directory to all the endpoints and execute it.
The attacker then used PDQ Deploy to transfer the ransomware binary and execute it. The ransomware had the file name gaze.exe.
The ransomware didn’t encrypt files with the following extensions:
It also didn’t encrypt content in the following folders:
- WindowsOld
- Perflogs
- Msocache
- ProgramFiles
- ProgramFilesX86
- Programdata
The ransomware contained an encoded list of the services and processes it wanted to terminate. It used the key 0x2e to decode the strings and use them with net stop <service> & taskkill /F /IM <process> /T.
The ransomware dropped its ransom note—!READ_ME_MEDUSA!!!.txt—into every directory it encrypted. The ransomware was then able to delete itself once it was executed.
Medusa has multiple arguments that perform various tasks. The list of accepted arguments for the ransomware used in this attack can be seen in Box 2.
