Spearwing

Spearwing is a cybercrime group attributed as the operator of the Medusa ransomware-as-a-service (RaaS) program, which emerged in 2023. Medusa is described as a commercially operated extortion platform in which affiliates deploy the ransomware in exchange for a share of ransom payments. Reporting in the provided content states that Spearwing has been tied to more than 350 attacks, with leak-site reporting ranging from more than 366 claimed victims to almost 400 listed victims, and some reporting citing more than 500 claimed organizations. The operation uses double extortion, stealing data before encrypting systems and threatening publication on a leak site if victims do not pay. The provided content describes Medusa/Spearwing tradecraft as including initial access through exploitation of unpatched public-facing applications, especially Microsoft Exchange, and in some cases hijacked legitimate accounts or possible initial access brokers. Observed tooling and techniques associated with Medusa intrusions include use of legitimate remote access and administration tools such as SimpleHelp, AnyDesk, Mesh Agent, and PDQ Deploy; BYOVD techniques, often using KillAV and vulnerable drivers, to disable security software; RoboCopy and Rclone for collection and exfiltration; Navicat for database access; and network scanning tools such as SoftPerfect Network Scanner. Medusa deployments append a .medusa extension and drop the ransom note !READ_ME_MEDUSA!!!.txt. Reported ransom demands range from $100,000 to $15 million, with one reporting period citing an average demand of $260,000. The content also states that North Korea-linked Lazarus operators have used Medusa as affiliates, including attacks against a Middle East target and attempted or observed activity against U.S. healthcare and non-profit organizations. Known alias information directly provided in the content for this threat actor is limited to Spearwing itself.