Medusa Ransomware: How a Criminal Group Targeted Hundreds of Critical Organizations by Exploiting Software Vulnerabilities

Introduction

Ransomware attacks continue to represent one of the most tangible threats to businesses, hospitals, and public institutions worldwide. When cybercriminals manage to exploit software flaws before they are patched, the consequences can be swift and devastating. This is exactly what is happening with the campaigns linked to the Medusa ransomware, confirmed by Microsoft Threat Intelligence.

What Happened

Microsoft Threat Intelligence has identified a criminal group known as Storm-1175, based in China and financially motivated, as responsible for a series of high-intensity cyberattacks distributing the Medusa ransomware. Ransomware is a type of malicious software that encrypts victims’ data and demands a ransom to restore access.

What makes this group particularly dangerous is its speed of action: once initial access to a system is obtained, Storm-1175 is capable of deploying ransomware within a timeframe ranging from 24 hours to six days. This extremely short window leaves little room for targeted organizations to react.

The group has exploited vulnerabilities found in widely used software, including GoAnywhere MFT and SmarterMail, as well as other flaws in broadly adopted products. In total, Storm-1175 has exploited over 16 vulnerabilities across 10 different software products. The sectors affected include healthcare, education, professional services, and finance, with documented attacks in Australia, the United Kingdom, and the United States.

In March 2025, CISA, the U.S. federal cybersecurity agency, issued a joint advisory reporting that attacks linked to the Medusa ransomware have already struck more than 300 critical infrastructure organizations in the United States.

Why It Matters and What the Potential Impact Is

The speed with which Storm-1175 moves from initial access to ransomware deployment drastically reduces the intervention window available to security teams. Hospitals, educational institutions, and financial sector companies hold sensitive data and often rely on complex systems that are not always up to date, making them vulnerable targets. A successful ransomware attack can disrupt essential services, expose confidential data, and result in significant costs.

What Businesses and Users Can Do

The first concrete measure is to update software promptly, applying security patches as soon as they become available. Organizations should also regularly audit which systems are exposed to the internet and limit that exposure where possible. It is advisable to maintain backup copies of critical data in isolated environments and to train staff to recognize signs of unauthorized access.

Final Takeaways

  • Storm-1175 exploits known and zero-day vulnerabilities to deploy ransomware very quickly, often within days of initial access.
  • More than 300 critical infrastructure organizations in the United States have already been hit by Medusa-related campaigns, according to CISA.
  • Keeping software updated and reducing systems’ exposure to the internet remains the most effective and immediate defense.

Sources:
https://www.bleepingcomputer.com/news/security/microsoft-links-medusa-ransomware-affiliate-to-zero-day-attacks/
https://technochat.in/microsoft-links-medusa-ransomware-affiliate-to-zero-day-exploitation-campaign/
https://securityaffairs.com/183075/hacking/goanywhere-mft-zero-day-used-by-storm-1175-in-medusa-ransomware-campaigns.html
https://www.microsoft.com/en-us/security/blog/2026/04/06/storm-1175-focuses-gaze-on-vulnerable-web-facing-assets-in-high-tempo-medusa-ransomware-operations/
