Medusa Ransomware Fast to Exploit Vulnerabilities, Breached Systems

Microsoft warns that the Medusa ransomware group (tracked as Storm-1175) operates as a fast-moving ransomware-as-a-service (RaaS) actor that quickly weaponizes newly disclosed and zero-day vulnerabilities to carry out double-extortion attacks against healthcare, education, professional services, and finance organizations in Australia, the UK, and the US. The group moves from initial access to data exfiltration and ransomware deployment within hours or days, using phishing, web shells, living-off-the-land tools, RMM utilities, and credential-harvesting techniques to extend its access; defenders are urged to continuously inventory and monitor exposed assets. #Medusa #Storm1175

Keypoints

  • Medusa (Storm-1175) operates as a ransomware-as-a-service and has impacted over 300 critical infrastructure organizations.
  • The group conducts double extortion by stealing data prior to encrypting victims’ systems.
  • Operators rapidly weaponize new and zero-day vulnerabilities, sometimes exploiting flaws within days or hours of disclosure.
  • Initial access is gained via phishing and unpatched systems, followed by web shells, RMM tools, living-off-the-land binaries, and credential harvesting tools like Mimikatz.
  • Security experts recommend continuous inventorying and monitoring of internal and external assets to detect exposed perimeter systems and reduce attack windows.

Read More: https://www.securityweek.com/medusa-ransomware-fast-to-exploit-vulnerabilities-breached-systems/