The Microsoft security team recently reported that the Medusa ransomware group is shifting its tactics, frequently exploiting newly discovered vulnerabilities before they are publicly disclosed. The group operates with extreme speed, often completing data exfiltration and ransomware deployment within 24 hours of gaining initial access.
Attack Cycle Compressed to 24 Hours
Microsoft researchers observed that Medusa is highly efficient at identifying internet-facing systems. Once a vulnerability is identified, the group immediately exploits it to gain entry and creates new user accounts to maintain persistent access. While some attacks are completed within a single day, a typical Medusa operation spans five to six days, relying heavily on legitimate remote management tools such as ConnectWise ScreenConnect, AnyDesk, and SimpleHelp.
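Two of the behaviours described above are directly observable in endpoint logs: the creation of new user accounts for persistence, and the launch of legitimate remote management tools. The following detection routine is an added example, not code from Microsoft's report or from the article; it runs over a handful of constructed, Windows-style log lines. Event IDs 4720 (user account created) and 4688 (process created) are real Windows Security events, while the log line format, the on-disk process names for ScreenConnect, AnyDesk and SimpleHelp, the 24-hour correlation window and the severity labels are assumptions for the example.

```python
"""Flag new-account creation and RMM tool launches on the same host within a
short window (added example; log format and tool binary names are assumed)."""
from datetime import datetime, timedelta

# Real Windows Security event IDs.
EVENT_ACCOUNT_CREATED = 4720   # "A user account was created"
EVENT_PROCESS_CREATED = 4688   # "A new process has been created"

# Assumed on-disk names for the remote management tools the article names;
# adjust to what your own software inventory actually shows.
RMM_PROCESS_NAMES = {
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
    "anydesk.exe": "AnyDesk",
    "simplehelp.exe": "SimpleHelp",
}

# Constructed sample records in the form 'ts=<ISO8601> host=<name> id=<event id> key=value ...'
# (values contain no spaces, so whitespace splitting is safe here).
SAMPLE_LOG = [
    "ts=2024-01-10T02:10:00 host=web01 id=4688 process=C:\\Users\\Public\\AnyDesk.exe",
    "ts=2024-01-10T02:35:00 host=web01 id=4720 user=svc_backup",
    "ts=2024-01-10T09:00:00 host=hr07 id=4720 user=j.smith",
    "ts=2024-01-14T09:00:00 host=hr07 id=4688 process=C:\\Tools\\ScreenConnect.ClientService.exe",
    "ts=2024-01-11T12:00:00 host=fs02 id=4688 process=C:\\Windows\\System32\\notepad.exe",
]


def parse_record(line):
    """Parse one constructed log line into a dict with typed fields."""
    fields = dict(part.split("=", 1) for part in line.split())
    return {
        "ts": datetime.fromisoformat(fields["ts"]),
        "host": fields["host"],
        "event_id": int(fields["id"]),
        "user": fields.get("user", ""),
        # Normalise to the bare, lower-cased executable name for matching.
        "process": fields.get("process", "").lower().rsplit("\\", 1)[-1],
    }


def detect(lines, window=timedelta(hours=24)):
    """Return a list of alerts.

    Every account creation and every RMM launch yields a 'medium' alert on its
    own; when both occur on the same host within `window`, a 'high' alert is
    added because that pairing matches the persistence pattern in the report.
    """
    records = sorted((parse_record(line) for line in lines), key=lambda r: r["ts"])
    by_host = {}
    for rec in records:
        by_host.setdefault(rec["host"], []).append(rec)

    alerts = []
    for host, recs in by_host.items():
        created = [r for r in recs if r["event_id"] == EVENT_ACCOUNT_CREATED]
        rmm = [r for r in recs
               if r["event_id"] == EVENT_PROCESS_CREATED and r["process"] in RMM_PROCESS_NAMES]

        for c in created:
            alerts.append({"severity": "medium", "host": host,
                           "reason": f"new local account '{c['user']}' created"})
        for m in rmm:
            alerts.append({"severity": "medium", "host": host,
                           "reason": f"RMM tool {RMM_PROCESS_NAMES[m['process']]} launched"})
        for c in created:
            for m in rmm:
                if abs(c["ts"] - m["ts"]) <= window:
                    alerts.append({
                        "severity": "high", "host": host,
                        "reason": (f"account '{c['user']}' created within {window} of "
                                   f"{RMM_PROCESS_NAMES[m['process']]} launch"),
                    })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert['severity']:6}] {alert['host']}: {alert['reason']}")
```

On the constructed sample, web01 produces the high-severity pairing (AnyDesk launched, then a new account 25 minutes later), hr07 produces only two medium alerts because its events are four days apart, and fs02 produces nothing. In practice the window and the set of tools should be tuned to the organisation's approved RMM software so that legitimate administrator activity does not drown out the signal.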
In its report, Microsoft highlighted two specific cases: CVE-2026-23760 (a SmarterMail vulnerability) and CVE-2025-10035 (a GoAnywhere MFT vulnerability). Medusa members began exploiting these flaws a full week before they were publicly disclosed, underscoring the high level of sophistication these attackers possess in identifying and weaponizing vulnerabilities.
"The threat actor maintains a high operational tempo and is adept at identifying exposed perimeter assets," Microsoft noted in the report. These attacks have severely impacted the healthcare, education, professional services, and financial sectors, with victims spanning organizations in Australia, the UK, and the United States.
Since emerging in 2021, the Medusa group has primarily targeted healthcare institutions and local governments. Recently, the organization claimed responsibility for disruptive attacks against Passaic County, New Jersey, and the University of Mississippi Medical Center (UMMC). Although UMMC fully restored operations on March 2 with the assistance of the FBI and the Department of Homeland Security, the incident drew significant scrutiny.
Security experts suspect the group is based in Russia, citing their activity on Russian-language forums, the presence of Cyrillic characters in their operational tools, and their deliberate avoidance of targets within the Commonwealth of Independent States (CIS). Furthermore, Symantec researchers recently discovered that the notorious North Korean hacking group "Lazarus" has also utilized Medusa ransomware in its own operations.
In response to the escalating threat landscape, Microsoft advises organizations to conduct a thorough audit of their digital footprint to defend their network perimeters, particularly as attackers increasingly weaponize new vulnerabilities almost immediately after discovery.