The Medusa ransomware group, identified as a fast-moving cyber threat, is exploiting vulnerabilities to target multiple sectors, according to a recent Microsoft report. Medusa operates as a ransomware-as-a-service (RaaS) and has affected over 300 organizations in critical infrastructure areas by early 2025.
Medusa’s Rapid Exploitation Tactics
Medusa has been active since June 2021, employing double extortion tactics by stealing and encrypting victims’ data. Initial access is often gained through phishing and exploiting unpatched vulnerabilities. The group, tracked by Microsoft as Storm-1175, is known for its swift post-compromise operations, sometimes completing attacks within hours.
The group is also adept at weaponizing newly disclosed vulnerabilities and exploiting zero-day bugs in web-facing systems. Its high operational speed has significantly impacted sectors such as healthcare, education, professional services, and finance in regions including Australia, the UK, and the US.
Exploited Vulnerabilities and Attack Methods
Over the past three years, Medusa has exploited at least 16 vulnerabilities across various platforms, including Microsoft Exchange and SAP NetWeaver. The group was observed exploiting the NetWeaver bug just a day after its public disclosure in April 2025, demonstrating how quickly it responds to new vulnerabilities.
In its campaigns, Medusa uses a combination of techniques to achieve remote code execution on victim systems, including targeting Linux systems such as Oracle WebLogic instances. The group has exploited multiple zero-day vulnerabilities, in some cases before public disclosure.
Implications for Targeted Sectors
Once initial access is gained, Medusa typically deploys web shells or remote access payloads, quickly moving to data exfiltration and ransomware deployment. The group establishes persistence, conducts reconnaissance, modifies firewall settings, and exfiltrates credentials.
Microsoft observed that after obtaining administrator credentials, Medusa used scripts to extract passwords from Veeam backup software, facilitating ransomware deployment across connected systems. The group relies on a range of tools for lateral movement and data exfiltration, including PowerShell, PsExec, and Cloudflare tunnels.
Experts urge organizations to rigorously monitor and inventory their systems to mitigate these threats. The speed and efficiency of Medusa’s campaigns pose significant challenges, particularly for sectors with low tolerance for downtime, like healthcare and finance.
As Piyush Sharma, Tuskira co-founder, and Pete Luban, AttackIQ CISO, emphasize, organizations must proactively identify and secure exploitable assets to reduce risks associated with Medusa’s aggressive tactics.
Overall, Medusa’s ability to swiftly exploit vulnerabilities and apply pressure through double extortion tactics underscores the need for vigilant cybersecurity practices across all sectors.
