Cyber-Threat: Feathers Ruffled By The "Spearwing" RaaS Group

With Nearly 400 Victims And Astronomically Large Ransom Demands, The Group Is Using The Medusa Malware And Moving Into Territory Previously Held By Other Well-Known Ransomware Outfits Like LockBit.


A threat group called "Spearwing", which has accumulated hundreds of victims since 2023 (nearly 400 have been listed on its leak site), is increasingly using Medusa ransomware attacks as a key technique. According to Symantec's Threat Hunter Team, Medusa ransom demands range up to $15 million.

According to Symantec's analysts, Spearwing is eager to establish a reputation for itself through steadily rising activity, exploiting the gap in the ransomware market created by the demise of groups such as Noberus and LockBit. Like many ransomware operators, Spearwing and its affiliates carry out double-extortion attacks, stealing data before encrypting the network to increase the pressure on the victim to pay a ransom.

The gang gains access to its victims' networks by exploiting unpatched flaws in publicly accessible software, particularly Microsoft Exchange Servers. Once inside a victim's network, the attackers typically rely on remote management and monitoring software and download several tools for lateral movement, such as AnyDesk, KillAVDriver, KillAV, Mesh Agent, Navicat, Netscan, PDQ Deploy, PDQ Inventory, SimpleHelp, RClone, and Robocopy.

After encryption, the affected files are renamed with the Medusa extension and a ransom note named "!Read_ME_MEDUSA!!!txt" is dropped on the encrypted computer. The victim is typically given 10 days to pay, with an extra $10,000 added for each day the deadline is extended. Spearwing's ransom demands vary from victim to victim. If the ransom is not paid, the stolen data is posted on the group's leak site.
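The tooling and on-disk artifacts described above lend themselves to a simple host-level triage rule. The following is an added example written for this page, not code from the article or from Symantec: it walks constructed `key=value` log lines, tallies the listed tools per host, and flags hosts where a staging tool (RClone/Robocopy) appears alongside encryption artifacts. The `.medusa` extension form and the log format are assumptions.

```python
import re
from collections import defaultdict

# Tool names from the report, lowercased with spaces removed so that a process
# such as "PDQDeploy.exe" matches the "PDQ Deploy" entry.
SPEARWING_TOOLS = {
    "anydesk", "killavdriver", "killav", "meshagent", "navicat", "netscan",
    "pdqdeploy", "pdqinventory", "simplehelp", "rclone", "robocopy",
}
STAGING_TOOLS = {"rclone", "robocopy"}   # copy/sync tools seen before encryption
ENCRYPTED_EXT = ".medusa"                # assumption: how the Medusa extension appears
NOTE_MARKER = "read_me_medusa"           # substring of the ransom note name on the page

KV = re.compile(r"(\w+)=(\S+)")          # hypothetical "key=value" log format

def parse(line):
    """Turn one constructed 'k=v k=v' line into a dict."""
    return dict(KV.findall(line))

def triage(lines):
    """Group events per host and rate them against the described attack chain."""
    hosts = defaultdict(lambda: {"tools": set(), "encrypted": 0, "notes": 0})
    for line in lines:
        ev = parse(line)
        h = hosts[ev.get("host", "?")]
        if ev.get("event") == "process":
            # strip the extension and separators before matching the tool list
            name = ev.get("name", "").lower().rsplit(".", 1)[0]
            name = name.replace("-", "").replace("_", "").replace(" ", "")
            if name in SPEARWING_TOOLS:
                h["tools"].add(name)
        elif ev.get("event") == "file":
            path = ev.get("path", "").lower()
            h["encrypted"] += path.endswith(ENCRYPTED_EXT)
            h["notes"] += NOTE_MARKER in path
    verdicts = {}
    for host, h in hosts.items():
        if (h["tools"] & STAGING_TOOLS) and (h["encrypted"] or h["notes"]):
            verdicts[host] = "double-extortion pattern"   # staging, then encryption
        elif len(h["tools"]) >= 2:
            verdicts[host] = "Spearwing tooling cluster"  # several listed tools on one host
        elif h["encrypted"] or h["notes"]:
            verdicts[host] = "encryption artifacts"
        else:
            verdicts[host] = "no match"
    return verdicts

SAMPLE_LOG = [  # constructed sample events, not real telemetry
    "t=1 host=EXCH01 event=process name=anydesk.exe",
    "t=2 host=EXCH01 event=process name=netscan.exe",
    "t=3 host=FS01 event=process name=rclone.exe",
    "t=4 host=FS01 event=file path=D:\\shares\\q1.xlsx.medusa",
    "t=5 host=FS01 event=file path=D:\\shares\\!Read_ME_MEDUSA!!!txt",
    "t=6 host=WS07 event=process name=notepad.exe",
]
```

Running `triage(SAMPLE_LOG)` rates FS01 as a double-extortion pattern, EXCH01 as a tooling cluster and WS07 as no match; in practice the tool list is a starting point, since several of these are legitimate administration utilities.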

SPEARWING: IS IT A RaaS GANG?

The researchers still have open questions about Spearwing's operations. "The consistency of the TTPs used in Medusa attacks does raise the question as to whether Spearwing is truly operating as a RaaS," the investigators stated. The similarity in tactics could be explained either by the group carrying out the attacks and developing the ransomware itself, or by the gang working with only a small number of affiliates.

It is also possible, the researchers say, that Spearwing supplies affiliates with the ransomware along with a playbook on how to execute attacks and which attack chain to use. Any of these explanations could be true, but they concluded that the gang "doesn't necessarily operate as a 'typical' RaaS that works with a lot of affiliates who may use varying TTPs."