A fast-growing ransomware operation is tightening its grip on businesses and individuals alike, holding data hostage and extorting victims with brutal efficiency. Medusa, a ransomware-as-a-service (RaaS) operation, had compromised more than 300 victims across industries including technology, healthcare, law and manufacturing as of February 2025, according to a joint advisory from the FBI, CISA and MS-ISAC. The true number is almost certainly higher, since many businesses choose to suffer in silence rather than report an attack.
The same operation is making headlines under a second name: Spearwing. In a March 6, 2025 blog post, Symantec's threat research team attributed Medusa ransomware to a group it tracks as Spearwing. Symantec counts hundreds of victims across technology, healthcare, law and manufacturing, and reports that Medusa attacks rose 42% from 2023 to 2024.
The joint advisory dates the first identification of Medusa to June 2021, and its activity grew sharply through 2023 and into 2024. Rather than carrying out every intrusion itself, Medusa follows the RaaS model: the core group develops and maintains the malware and the infrastructure while affiliates, the "Medusa actors", carry out the intrusions. One caveat a defender should keep in mind: according to the advisory, Medusa is not fully decentralized. Key steps such as ransom negotiation remain under the control of the developers, so the affiliate on the keyboard is not necessarily the party you end up negotiating with. Ransomware is no longer the work of lone hackers but of criminal syndicates with sophisticated financial operations. Medusa operates like a corporate entity, complete with recruitment pipelines, customer support and revenue-sharing models.
Here’s how the ecosystem works:
- Recruitment: Medusa's developers recruit affiliates on dark web forums, luring them with promises of high earnings. Affiliates must either pay an upfront fee or agree to share a percentage of ransom payments.
- Initial Access Brokers (IABs): Instead of breaching systems themselves, Medusa actors buy access from IABs, criminals who specialize in stealing login credentials, exploiting software vulnerabilities or running phishing campaigns. The joint advisory reports offers ranging from $100 to $1 million for access, depending on the target, sometimes with the option of working exclusively for Medusa. Among the vulnerabilities the advisory names as exploited for initial access are CVE-2024-1709 (ConnectWise ScreenConnect authentication bypass) and CVE-2023-48788 (Fortinet FortiClient EMS SQL injection), a reminder that patching internet-facing remote management and security tooling is the cheapest defense here.
- Double Extortion: Once inside, Medusa actors exfiltrate sensitive data first and then encrypt the victim's files, so that restoring from backups removes only half of the leverage. Victims receive a ransom note with a 48-hour deadline: pay, or see the stolen data published on Medusa's leak site or offered for sale. The leak site shows a countdown per victim, and the advisory notes that victims can pay $10,000 in cryptocurrency to extend the countdown by one day.
- Ransom Negotiation: Victims must contact the attackers via a Tor-based live chat or Tox, an encrypted messaging platform. Some victims report receiving follow-up calls or emails from Medusa actors if they don't respond.
Paying the ransom should, in theory, make the problem disappear. But Medusa has introduced a new level of deception: victims can end up paying more than once.
In one case documented in the FBI investigation, a victim paid the ransom, only to be contacted again by a different Medusa actor who claimed the negotiator had stolen the payment and demanded that half the amount be paid again in exchange for the "true decryptor". The advisory describes this as a potential triple extortion scheme; it is often called "double dipping", and repeated extortion demands against the same victim are becoming increasingly common. The practical lesson is that a payment buys no guarantee of a working decryptor or of the stolen data being deleted, which is why recovery planning should assume neither.
Medusa is part of a larger trend: the cartelization of cybercrime. Groups such as LockBit, BlackCat and Royal are not simply competitors; they share tooling, leak-site infrastructure and extortion playbooks, and affiliates move freely between them. This level of organization makes ransomware harder to stop. Law enforcement agencies struggle to dismantle entire networks because the people involved rebrand under new names. After the Hive ransomware group was disrupted in January 2023, its members did not go away; many were reported to have moved to other brands, Royal among them, running the same tactics under a different label.
Medusa is just the beginning. The cybercrime economy is evolving, and without aggressive countermeasures the digital hostage crisis will only worsen.