HOMETHREATSMedusa Group
APT / THREAT GROUP

Medusa Group

Limited data

Intelligence Profile

[Medusa Group](https://attack.mitre.org/groups/G1051) has been active since at least 2021 and was initially operated as a closed ransomware group before evolving into a Ransomware-as-a-Service (RaaS) operation. Some reporting indicates that certain attacks may still be conducted directly by the ransomware’s core developers. Public sources have also referred to the group as “Spearwing” or “Medusa Actors.” (Citation: CISA Medusa Group Medusa Ransomware March 2025) (Citation: Broadcom Medusa Ransomware Medusa Group March 2025) [Medusa Group](https://attack.mitre.org/groups/G1051) employs living-off-the-land techniques, frequently leveraging publicly available tools and common remote management software to conduct operations. The group engages in double extortion tactics, exfiltrating data prior to encryption and threatening to publish stolen information if ransom demands are not met. (Citation: Security Scorecard Medusa Ransomware January 2024) For initial access, [Medusa Group](https://attack.mitre.org/groups/G1051) has exploited publicly known vulnerabilities, conducted phishing campaigns, and used credentials or access purchased from Initial Access Brokers (IABs). The group is opportunistic and has targeted a wide range of sectors globally. (Citation: Intel471 Medusa Ransomware May 2025)

Threat Analysis

Medusa Group is a known-sophistication threat actor of undetermined national origin, engaged in cyber operations with a primary motivation of unknown activity patterns.

Quick Facts

TypeAPT / Threat Group

Research Links

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.
Medusa Group — APT / Threat Group | Threat Intelligence | CTIWATCH.COM