Recent Surge in Medusa Ransomware Attacks
Medusa ransomware attacks rose by 42% in the first two months of 2025 compared with the same period in 2024. The ransomware is run by the Spearwing group as a ransomware-as-a-service (RaaS) operation and has targeted a wide range of sectors.
Affected Industries
Medusa ransomware has impacted over 300 organizations across critical infrastructure sectors. The most affected industries include:
Healthcare: Hospitals and medical facilities have been targeted, with attackers encrypting patient records and demanding high ransoms.
Education: Universities and schools have faced attacks, with research data and student records being encrypted.
Legal and Insurance: Law firms and insurance companies have been targeted, with sensitive client information at risk.
Technology and Manufacturing: Companies in these sectors have experienced disruptions due to encrypted operational data.
Regional Impact
The Medusa ransomware attacks have been widespread, with significant activity reported in the United States. U.S. agencies have released advisories detailing the tactics, techniques, and procedures (TTPs) used by Medusa, as well as indicators of compromise (IOCs) and detection strategies.
Technical Details
Initial Access: Medusa often gains initial access through phishing campaigns and exploiting unpatched software vulnerabilities.
Encryption: It uses strong encryption algorithms to lock files, making data recovery without the decryption key nearly impossible.
Persistence: Medusa establishes persistence by modifying registry keys and using scheduled tasks to ensure it remains active even after a system reboot.
Exfiltration: Before encrypting data, Medusa exfiltrates sensitive information to external servers; the stolen data is then used for double extortion, where the attackers threaten to publish it in addition to withholding the decryption key.
Examples of Attacks
Healthcare Sector: A large hospital was targeted, with patient records encrypted and a ransom demand of $5 million.
Educational Institutions: A university faced an attack where research data and student records were encrypted, with a ransom demand of $1.5 million.
Mitigation Strategies
Patch Management: Ensure all operating systems, software, and firmware are up to date to mitigate known vulnerabilities.
Network Segmentation: Segment networks to restrict lateral movement from initially infected devices.
Traffic Filtering: Block unknown or untrusted sources from reaching remote services (such as remote desktop and management interfaces) on internal systems.
Regular Backups: Maintain regular backups of critical data and ensure they are stored offline or in a secure cloud environment.