www.securityweek.com 4/7/2026, 11:11:17 AM

Medusa Ransomware Hits 300+ Organisations After Zero Day Exploits

Threat actor: Medusa

The Medusa ransomware group, which operates as a ransomware-as-a-service, is noted for its high operational tempo, often moving from initial access to post-compromise activity within days or hours. According to Microsoft, Medusa has hit over 300 organisations in the critical infrastructure sector and has heavily affected healthcare, education, professional services and finance across Australia, the United Kingdom and the United States.

The group has exploited at least 16 vulnerabilities across products including Microsoft Exchange, SmarterMail and GoAnywhere MFT, with Storm-1175 weaponising newly disclosed flaws and, in some cases, exploiting zero-day bugs in web-facing systems. Notably, Storm-1175 was seen exploiting the NetWeaver bug one day after it was publicly disclosed on 24 April 2025, and it has achieved remote code execution by chaining security defects on both Windows and Linux systems, including Oracle WebLogic.

In its operations, the group deploys web shells or remote access payloads, followed by data exfiltration and ransomware encryption within a day, and has been observed using living-off-the-land tools such as PowerShell, PsExec and Mimikatz, alongside Cloudflare tunnels and RDP.


Article by CyberSIXT