A new ransomware group, Spearwing, is quickly gaining ground, filling the void left by defunct or weakened cybercrime gangs. By leveraging the Medusa malware, the group has amassed nearly 400 victims and is demanding ransoms as high as $15 million.
A Rising Threat in the Ransomware Landscape
Cybersecurity researchers have been tracking Spearwing’s aggressive expansion since 2023. The group has rapidly increased its attacks, listing hundreds of victims on its leak site. According to Symantec’s threat hunter team, its ransom demands vary wildly—some as low as $100,000, while others stretch into the millions.
The decline of major ransomware gangs like LockBit and Noberus has left a power vacuum, and Spearwing seems eager to capitalize. The group is using Medusa to execute double extortion attacks, encrypting files while stealing data to apply pressure on victims.
One researcher put it bluntly: “They’re making a name for themselves, and they’re doing it fast.”
How Spearwing Targets Its Victims
Spearwing exploits known vulnerabilities, particularly in Microsoft Exchange Servers, to break into networks. Once inside, they deploy a series of tools to move laterally and establish control.
Some of the tools in their arsenal include:
- Remote management software like AnyDesk and Mesh Agent
- Security evasion tools such as KillAV and KillAVDriver
- File transfer utilities like Rclone and Robocopy
The attackers then encrypt files, appending a “.medusa” extension, and leave a ransom note labeled “!READ_ME_MEDUSA!!!.txt” on the victim’s system. Victims typically have 10 days to pay, with an additional $10,000 tacked on for each day they delay. If they refuse, the stolen data is published online.
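The two file-system indicators named above (the ".medusa" extension and the "!READ_ME_MEDUSA!!!.txt" note) are enough for a simple first-pass triage scan. The following Python is an added example for defenders, not code from the article or from any vendor; it assumes the original extension is preserved before ".medusa" (e.g. report.docx.medusa), and the "five or more encrypted files" threshold is an assumption of the example.

```python
import os
from typing import Iterable, Optional

# Indicators stated in the article.
ENCRYPTED_SUFFIX = ".medusa"
RANSOM_NOTE_NAME = "!READ_ME_MEDUSA!!!.txt"
MIN_ENCRYPTED_ALONE = 5  # assumption: this many encrypted files without a note still counts


def classify_path(path: str) -> Optional[str]:
    """Return 'note', 'encrypted', or None for one path."""
    name = os.path.basename(path)
    if name == RANSOM_NOTE_NAME:
        return "note"
    # Require something before the suffix so a bare ".medusa" dotfile is not flagged.
    if name.lower().endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
        return "encrypted"
    return None


def scan_paths(paths: Iterable[str]) -> dict:
    """Summarise Medusa indicators over any list of paths (offline-friendly)."""
    encrypted, notes = [], []
    for p in paths:
        kind = classify_path(p)
        if kind == "encrypted":
            encrypted.append(p)
        elif kind == "note":
            notes.append(p)
    enc_dirs = {os.path.dirname(p) for p in encrypted}
    note_dirs = {os.path.dirname(p) for p in notes}
    # A directory holding both a note and encrypted files is the strongest signal.
    both = enc_dirs & note_dirs
    return {
        "encrypted": encrypted,
        "notes": notes,
        "affected_dirs": sorted(enc_dirs | note_dirs),
        "dirs_with_note_and_encrypted": sorted(both),
        "suspected_infection": bool(both) or len(encrypted) >= MIN_ENCRYPTED_ALONE,
    }


def scan_tree(root: str) -> dict:
    """Walk a real directory tree and feed every file path to scan_paths()."""
    return scan_paths(os.path.join(d, f) for d, _, files in os.walk(root) for f in files)


# Constructed sample listing (not from the article) so the example runs offline.
SAMPLE_PATHS = [
    "/srv/share/finance/Q3_report.xlsx.medusa",
    "/srv/share/finance/budget.docx.medusa",
    "/srv/share/finance/!READ_ME_MEDUSA!!!.txt",
    "/srv/share/hr/handbook.pdf",
    "/home/alice/medusa_mythology.txt",  # benign: 'medusa' in the name, not the suffix
]
```

Run scan_tree() against a file share during incident triage to get the list of affected directories; the note-plus-encrypted-files check keeps a single oddly named file from raising an alert on its own.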
Ransomware-as-a-Service or Something Else?
One of the biggest questions surrounding Spearwing is whether it operates as a Ransomware-as-a-Service (RaaS) operation or directly controls its attacks. Typically, RaaS groups rent out malware to affiliates who carry out the attacks, which usually results in varied attack methods.
However, researchers have noticed that Medusa attacks follow a strikingly consistent pattern, suggesting:
- Spearwing may not rely on a large network of affiliates.
- The group could be developing and deploying the ransomware itself.
- It might provide affiliates with strict attack guidelines and tools.
Unlike traditional RaaS models where affiliates have more flexibility, Spearwing appears to maintain tight control. This level of consistency is unusual, leading researchers to believe the group operates in a hybrid model rather than a typical RaaS structure.
What’s Next for Spearwing?
With nearly 400 victims and ransom demands hitting the $15 million mark, Spearwing is on an upward trajectory. Security experts warn that as long as businesses continue to leave critical vulnerabilities unpatched, groups like Spearwing will thrive.
For now, the group’s tactics remain unchanged—target, encrypt, demand, repeat. But as law enforcement agencies and security firms take notice, the real question is: how long can they keep this up?