Medusa ransomware has become a core tool for a threat group known as "Spearwing," which has amassed hundreds of victims since 2023: nearly 400, in fact, are listed on its leak site. Ransom demands in Medusa attacks range from $100,000 to a whopping $15 million, according to threat hunters.
See: https://redskyalliance.org/xindustry/medusa-grew-new-snakes
Researchers believe that Spearwing is taking advantage of the wide-open gap in the ransomware space left by the decline of groups like Noberus and LockBit, eager to make a name for itself with its continuously increasing activity.
See: https://redskyalliance.org/xindustry/lockbit-ransomware-group-takedown
Spearwing and its affiliates operate like many ransomware operators by carrying out double extortion attacks and stealing data before encrypting networks to add pressure to the victim for a ransom payment. The group gains access to its victims' networks by exploiting unpatched vulnerabilities in public-facing applications, most notably Microsoft Exchange Servers. After gaining access to a victim network, the attackers typically use remote management and monitoring software to download a range of tools for lateral movement, including AnyDesk, KillAVDriver, KillAV, Mesh Agent, Navicat, NetScan, PDQ Deploy, PDQ Inventory, SimpleHelp, Rclone, and Robocopy.
Once a .medusa extension is added to the encrypted files, a ransom note named "!READ_ME_MEDUSA!!!.txt" is dropped onto the encrypted machine. Spearwing ransom demands vary depending on the victim, who is usually given 10 days to pay up with an additional $10,000 added to the total per day if the deadline is extended. If the ransom isn't paid, the stolen data is published to the group's leak site.
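The tool names in the paragraph above and the encryption artifacts in this one (the .medusa extension and the !READ_ME_MEDUSA!!!.txt note) are enough to build a first-pass host triage. The script below is an added example, not code from the report or from Red Sky Alliance; the file inventory and process list it runs on are constructed, and the scoring thresholds are assumptions chosen for illustration. Because AnyDesk, PDQ Deploy, Rclone and the rest are legitimate administration tools, their presence alone is only a weak signal and is scored accordingly.

```python
import ntpath
from dataclasses import dataclass, field

# Indicators named in the report above.
MEDUSA_EXT = ".medusa"
MEDUSA_NOTE = "!READ_ME_MEDUSA!!!.txt"
# Tools the report says are downloaded after initial access. All are legitimate
# admin/RMM utilities, so they only raise a host to "investigate", never to
# "likely" on their own. Names are lower-cased with spaces removed.
SPEARWING_TOOLS = {"anydesk", "meshagent", "navicat", "netscan", "pdqdeploy",
                   "pdqinventory", "simplehelp", "rclone", "robocopy"}

@dataclass
class Finding:
    host: str
    note_paths: list = field(default_factory=list)  # where the ransom note was seen
    encrypted: int = 0                               # files carrying .medusa
    total: int = 0                                   # files inventoried
    tools: set = field(default_factory=set)          # report-listed tools running

    @property
    def encrypted_ratio(self) -> float:
        return self.encrypted / self.total if self.total else 0.0

    @property
    def verdict(self) -> str:
        # Assumed thresholds: the note, or half the inventory renamed, is decisive.
        if self.note_paths or self.encrypted_ratio >= 0.5:
            return "likely-medusa-encryption"
        if self.encrypted or len(self.tools) >= 2:
            return "investigate"
        return "clean"

def triage_host(host: str, file_paths, process_names) -> Finding:
    """Score one host from a file inventory and a process list.
    ntpath is used so Windows paths parse correctly on any analyst workstation."""
    f = Finding(host=host)
    for p in file_paths:
        f.total += 1
        name = ntpath.basename(p)
        if name == MEDUSA_NOTE:
            f.note_paths.append(p)
        elif name.lower().endswith(MEDUSA_EXT):
            f.encrypted += 1
    for proc in process_names:
        stem = ntpath.splitext(ntpath.basename(proc))[0].lower().replace(" ", "")
        if stem in SPEARWING_TOOLS:
            f.tools.add(stem)
    return f

# Constructed sample data for a demonstration run (not real telemetry).
SAMPLE_FILES = [r"C:\Users\alice\Documents\budget.xlsx.medusa",
                r"C:\Users\alice\Documents\plan.docx.medusa",
                r"C:\Users\alice\Documents\!READ_ME_MEDUSA!!!.txt",
                r"C:\Windows\System32\notepad.exe"]
SAMPLE_PROCS = ["rclone.exe", "PDQ Deploy.exe", "explorer.exe"]
```

Feed it the file listing and process list exported from an EDR or a forensic image; the `Finding` keeps the note paths so an analyst can go straight to the affected directories.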
The researchers do have some questions regarding Spearwing's operations. "The consistency of the TTPs used in Medusa attacks does raise the question as to whether Spearwing is operating as a RaaS," noted the researchers. The consistency in the tactics used could indicate several things, such as the group carrying out the attacks and developing the ransomware itself, or the gang just working with a small number of affiliates. It could also be that Spearwing provides affiliates with ransomware as well as a playbook on how attacks are carried out and what attack chain to use, the researchers said. Any of these theories could be plausible, but one thing that remains certain is that the group "doesn't necessarily operate as a 'typical' RaaS that works with a lot of affiliates who may use varying TTPs," they concluded.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
See: https://www.darkreading.com/cyberattacks-data-breaches/spearwing-raas-cyber-threat-scene