Introduction

The Medusa ransomware [1] [2] [3] [4] [5] [7], operated by the group Symantec tracks as Spearwing [7], has sharply increased its activity in early 2025, including several confirmed attacks on US healthcare organizations. This surge highlights the growing threat posed by ransomware groups and the need for stronger defensive measures [1].

Description

Medusa ransomware [1] [2] [3] [4] [5] [7], linked to the Spearwing group, claimed over 40 victims across sectors during the first two months of 2025 [7], a significant increase over the same period in 2024 [2] [4]. In February 2025 alone [1] [4] [6], 959 attacks were reported across all ransomware groups [6], of which 41 were confirmed by the targets [6]; seven of the confirmed incidents affected healthcare organizations. Medusa accounted for three of those seven healthcare incidents [6], placing it among the most active groups that month alongside RansomHub and Qilin, which were each linked to four confirmed attacks in February [6].

A notable incident in January 2025 involved an unnamed US healthcare organization in which the ransomware was deployed to several hundred machines. Deployment was preceded by four days of unauthorized activity inside the network [4], consistent with a pattern of prolonged dwell time in which the attackers locate data worth exfiltrating before they encrypt. The initial access vector for this intrusion is not known [3], but the activity was hands-on-keyboard rather than fully automated [4].

In February [1] [4] [6], Medusa targeted SimonMed Imaging in the US, demanding a $1 million ransom while claiming to have stolen 213 GB of data, although the organization successfully prevented data encryption. Additionally, HCRG Care Group in the UK confirmed an attack with a $2 million ransom demand after Medusa allegedly stole nearly 2.3 TB of data [6]. Bell Ambulance in the US was also targeted [6], with a ransom demand of $400,000 for 212 GB of data.

Since its emergence in early 2023 [2] [4] [7], the group has been responsible for nearly 400 attacks [1], and the true figure is likely higher because attacks that end in a quiet ransom payment go unreported [2]. Medusa employs double extortion [7], stealing data before encrypting the network to pressure victims into paying ransoms that range from $100,000 to $15 million [7]. Upon execution [3], the ransomware drops a ransom note named !READMEMEDUSA!!!.txt into every directory it encrypts and can delete its own binary after it runs [3], which removes the primary sample a responder would otherwise recover from disk.
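The ransom note is the one on-disk artifact the paragraph above describes that survives the binary's self-deletion, so it is the natural starting point for triage of an encrypted host or file share. The script below is an added example written for this page, not code from the article or from any of its sources: it walks a directory tree, records every directory that contains a file with the note's exact name (the filename is taken as the article gives it and is a parameter, so it can be reused for another family), hashes each copy so you can tell whether all notes are identical, and returns a summary. The sample directory layout in `build_sample_tree()` is constructed here for illustration and is not real victim data.

```python
"""Post-encryption triage: map where a ransomware note was dropped.

Added example for this page; not from the article or its sources.
The note filename below is the one the article reports for Medusa.
"""
import hashlib
import os
import tempfile
from collections import Counter

# Ransom note filename as stated in the article (passed as a parameter so the
# same scan works for other families that drop a per-directory note).
MEDUSA_NOTE = "!READMEMEDUSA!!!.txt"


def find_ransom_notes(root, note_name=MEDUSA_NOTE):
    """Return {relative_dir: sha256_of_note} for every directory under `root`
    containing a file whose name is exactly `note_name`.

    Because the note is dropped into every encrypted directory, the keys are a
    first approximation of the encryption blast radius; the hashes show whether
    every copy is identical (one campaign) or whether several variants exist.
    Exact-name matching avoids false hits on files that merely mention the name.
    """
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if note_name in filenames:
            with open(os.path.join(dirpath, note_name), "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            hits[os.path.relpath(dirpath, root)] = digest
    return hits


def summarize(hits):
    """Return (affected_dir_count, distinct_note_count, most_common_hash)."""
    if not hits:
        return 0, 0, None
    counts = Counter(hits.values())
    most_common_digest, _ = counts.most_common(1)[0]
    return len(hits), len(counts), most_common_digest


def build_sample_tree(root):
    """Constructed sample layout (hypothetical, not real victim data):
    three directories carrying a note (two identical copies, one variant),
    one untouched directory, and one benign file whose name only contains
    the word MEDUSA, which exact-name matching must ignore."""
    note_a = b"YOUR FILES ARE ENCRYPTED (sample note A)\n"
    note_b = b"YOUR FILES ARE ENCRYPTED (sample note B, different wording)\n"
    layout = {
        "finance/2025": {MEDUSA_NOTE: note_a, "ledger.xlsx": b"\x00\x01garbage"},
        "finance/archive": {MEDUSA_NOTE: note_a},
        "shared": {MEDUSA_NOTE: note_b, "minutes.docx": b"\x02\x03garbage"},
        "hr": {"policy.docx": b"untouched plaintext"},
        "notes": {"MEDUSA_readme.txt": b"benign file with a similar name"},
    }
    for rel_dir, files in layout.items():
        full_dir = os.path.join(root, rel_dir)
        os.makedirs(full_dir, exist_ok=True)
        for name, content in files.items():
            with open(os.path.join(full_dir, name), "wb") as fh:
                fh.write(content)


def demo():
    """Build the sample tree in a temporary directory, scan it, and return
    (hits, summary) so the result can be inspected or asserted on."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hits = find_ransom_notes(root)
        return hits, summarize(hits)


if __name__ == "__main__":
    hits, (dirs, variants, top_digest) = demo()
    print(f"{dirs} directories contain the note, {variants} distinct note variant(s)")
    for rel_dir, digest in sorted(hits.items()):
        print(f"  {rel_dir}: {digest[:16]}...")
```

Run it against the real root of an affected share instead of the temporary tree to get the affected-directory list; a second distinct note hash on a host is worth escalating, since it means more than one payload or campaign touched that system.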

The surge in Medusa attacks is attributed to the decline of prominent ransomware-as-a-service groups like BlackCat and LockBit [2], following law enforcement actions in 2023 and 2024 [2]. Medusa primarily targets large organizations across various sectors [7], including healthcare [4] [7], non-profits [1] [7], financial institutions [7], and government entities [7], and is distinct from the older MedusaLocker variant [2]. This shift in the ransomware landscape underscores the urgent need for enhanced cybersecurity measures [1].

Conclusion

The increased activity of Medusa ransomware in 2025 underscores the evolving threat landscape, particularly for the healthcare sector. Organizations must prioritize robust security programs, including timely patching, employee training, and incident response planning, and, given the multi-day dwell time seen in the January intrusion, detection of pre-encryption activity such as unauthorized access and data staging before the ransomware is deployed. As ransomware tactics continue to evolve, proactive measures and collaboration with law enforcement will remain crucial in combating these threats and protecting sensitive data.

References

[1] https://cybernoz.com/medusa-ransomware-targeted-over-40-organizations-in-2025/
[2] https://www.infosecurity-magazine.com/news/medusa-claims-victims-2025/
[3] https://www.security.com/threat-intelligence/medusa-ransomware-attacks
[4] https://ciso2ciso.com/medusa-ransomware-claims-40-victims-in-2025-confirmed-healthcare-attacks-source-www-infosecurity-magazine-com/
[5] https://undercodenews.com/medusa-ransomware-surge-a-growing-threat-in-2025/
[6] https://www.comparitech.com/news/ransomware-roundup-february-2025/
[7] https://codesanitize.com/medusa-ransomware-hits-40-victims-in-2025-calls-for-100k-15m-ransom/