Medusa ransomware group using zero-days to launch attacks within 24 hours of breach, Microsoft says
Summary
Microsoft researchers report that the Medusa ransomware operation is increasingly weaponising newly discovered vulnerabilities — sometimes days before public disclosure — and moving from initial access to data exfiltration and ransomware deployment in as little as 24 hours.
The group targets web-facing systems during the window between disclosure and patch adoption, has hit healthcare, education, professional services and finance in multiple countries, and commonly abuses legitimate remote management tools such as ConnectWise ScreenConnect, AnyDesk and SimpleHelp to maintain access.
Key Points
- Medusa rapidly weaponises vulnerabilities: some flaws are exploited within a week of their discovery, and some intrusions reach ransomware deployment within 24 hours of initial access.
- Microsoft highlights CVE-2026-23760 (SmarterMail) and CVE-2025-10035 (GoAnywhere MFT) as examples of exploited flaws.
- Attacks focus on exposed perimeter/web-facing assets during the patching window when organisations are most vulnerable.
- Incidents often rely on legitimate remote-management tools, making detection and containment harder.
- Operational tempo is high: some intrusions run from breach to ransomware deployment within 24 hours, while typical incidents last five to six days, with new accounts created quickly to preserve access.
- Targets include healthcare (notably the University of Mississippi Medical Center), municipal governments and other critical organisations across the US, UK and Australia.
- Attribution points to a Russia-based operation (avoidance of CIS targets, Russian-language forum activity, Cyrillic in tooling), though some overlap with other threat actors has been observed.
Content summary
Microsoft’s investigation warns that Medusa’s tactics emphasise speed and perimeter discovery. The group identifies and exploits exposed services quickly, leverages legitimate admin tools to blend in, and can escalate from breach to extortion in under a day. CISA has already confirmed use of the cited CVEs in ransomware operations. The pattern heightens urgency for organisations to map their internet-facing footprint and accelerate patching and mitigation.
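Two of the behaviours above (legitimate remote-management tools used to blend in, followed by rapid account creation) can be correlated in endpoint telemetry. The following hunt script is an added example, not code from Microsoft or The Record; the log format, host names and the RMM process file names are assumptions, so map them to your own telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Process file names for the remote-management tools the report names as abused.
# Assumption: these names are typical for the products; confirm against your EDR data.
RMM_PROCESSES = {
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
    "anydesk.exe": "AnyDesk",
    "simplehelp.exe": "SimpleHelp",
}
WINDOW = timedelta(hours=24)  # matches the "within 24 hours" tempo described above

# Constructed sample telemetry (not real logs): timestamp|host|event|detail
SAMPLE_LOG = """\
2026-03-01T01:05:00|ws-07|process_start|anydesk.exe
2026-03-01T02:40:00|ws-07|user_created|svc_backup2
2026-03-01T10:00:00|srv-mail|process_start|screenconnect.clientservice.exe
2026-03-03T11:00:00|srv-mail|user_created|helpdesk_tmp
2026-03-02T09:00:00|ws-12|user_created|jsmith
"""


def parse(log_text):
    """Parse pipe-separated lines into (time, host, event, detail), oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, event, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, event, detail))
    return sorted(events)


def find_rmm_then_account(log_text, window=WINDOW):
    """Return (host, tool, new_user, minutes_between) for each new local account
    created within `window` after an RMM tool started on the same host."""
    rmm_seen = defaultdict(list)  # host -> [(start_time, tool_name)]
    findings = []
    for ts, host, event, detail in parse(log_text):
        if event == "process_start" and detail.lower() in RMM_PROCESSES:
            rmm_seen[host].append((ts, RMM_PROCESSES[detail.lower()]))
        elif event == "user_created":
            for rmm_ts, tool in rmm_seen[host]:
                if timedelta(0) <= ts - rmm_ts <= window:
                    minutes = int((ts - rmm_ts).total_seconds() // 60)
                    findings.append((host, tool, detail, minutes))
    return findings


if __name__ == "__main__":
    for finding in find_rmm_then_account(SAMPLE_LOG):
        print("ALERT host=%s tool=%s new_user=%s minutes_after_rmm=%d" % finding)
```

On the sample data only ws-07 fires (AnyDesk, then a new account 95 minutes later); srv-mail's account creation falls outside the 24-hour window and ws-12 never saw an RMM tool, so a sanctioned RMM rollout on its own stays quiet.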
Context and relevance
This is part of a wider trend where ransomware operators weaponise vulnerabilities almost immediately after discovery, shrinking the effective time defenders have to respond. For sectors with critical services — especially healthcare and municipal services — the consequences are acute: operational disruption, patient and citizen impact, and complex recoveries that may need federal assistance.
Why should I read this
Quick and blunt: if you look after any internet-facing kit, this matters. Medusa moves fast — days, sometimes hours — so knowing the tactics and the CVEs being exploited saves you from being the next emergency headline. Read this to understand the urgency, what to look for (exposed services, remote-management tools) and why patching and perimeter inventory are now frontline defence.
Source
Source: https://therecord.media/medusa-ransomware-group-zero-days-microsoft
