Medusa Ransomware Attack

Byadmblake April 11, 2026

What is the Attack? Microsoft Threat Intelligence has identified Storm-1175, a financially motivated threat actor conducting high-tempo ransomware operations leveraging the Medusa ransomware variant. The group specializes in rapidly exploiting vulnerable web-facing systems, often weaponizing newly disclosed vulnerabilities (N-days) and even zero-days before public disclosure. Storm-1175 | Medusa ransomware operations | Microsoft Security Blog A…

What is the Attack?

Microsoft Threat Intelligence has identified Storm-1175, a financially motivated threat actor conducting high-tempo ransomware operations leveraging the Medusa ransomware variant. The group specializes in rapidly exploiting vulnerable web-facing systems, often weaponizing newly disclosed vulnerabilities (N-days) and even zero-days before public disclosure.

Storm-1175 | Medusa ransomware operations | Microsoft Security Blog

A defining characteristic of this campaign is speed; attackers can move from initial access to full ransomware deployment within 24 hours, significantly reducing detection and response windows.

• Observed targeting includes:

Healthcare

Education

Financial services

Professional services

• Primary regions impacted:

United States

United Kingdom

Australia

What is the recommended Mitigation?

• Patch immediately: Prioritize newly disclosed vulnerabilities affecting internet-facing systems

• Reduce attack surface: Restrict or isolate exposed services and admin interfaces

• Monitor RMM usage: Detect abnormal use of tools like AnyDesk, ScreenConnect, or similar

• Harden identity security: Enforce MFA and monitor for anomalous account creation

• Enhance detection: Focus on early indicators such as unusual authentication, privilege escalation, and data movement

What FortiGuard Coverage is available?

• FortiGuard IPS Service: Detects and blocks exploit attempts targeting vulnerable web-facing assets.

• FortiGuard Antivirus & Behavior Detection: Identifies Medusa ransomware and suspicious post-exploitation activity.

• FortiGuard Labs Threat Intelligence: Continuously tracks Storm-1175 activity, emerging CVEs, and IOCs.

• FortiGuard Incident Response: Provides rapid containment, forensic investigation, and recovery support for impacted organizations.

Medusa Ransomware Attack

Shadow#Reactor Uses Text Files to Deliver Remcos RAT

Google Chrome to Distrust Two Certificate Authorities Over Compliance and Conduct Issues

Sophos Emergency Incident Response is now available

Copilot’s No-Code AI Agents Liable to Leak Company Data

Advancing Cybersecurity for Microsoft Environments

How to Rein in Identity Session Security Risk With CAEP

Related