Medusa Ransomware Deployed by Storm-1175 Within 24 Hours of Vulnerability Disclosure
High-Speed Medusa Ransomware Operations Uncovered: Storm-1175 Exploits Security Flaws Within 24 Hours
Microsoft researchers have discovered a rapidly evolving group, Storm-1175, utilizing high-speed Medusa ransomware attacks on healthcare and educational institutions in the UK, US, and Australia.
These attacks exploit security vulnerabilities within hours of a flaw being disclosed. The group specifically targets unpatched perimeter assets: the systems and devices that connect a company's private network to the public internet.
Sectors Affected:
- Schools
- Law Firms
- Hospitals
This efficient approach has resulted in significant disruptions across various sectors, with schools, law firms, and hospitals among those affected.
Vulnerabilities Exploited:
- PaperCut (CVE-2023-27351)
- JetBrains TeamCity (CVE-2024-27198)
- SmarterMail (CVE-2026-23760)
Researchers have identified multiple instances in which Storm-1175 exploited a software vulnerability a full week before it was publicly disclosed.
Tactics Used by Storm-1175:
- Disseminating ransomware across entire networks
- Stealing sensitive files
The group employs various tools, such as PDQ Deployer, Rclone, and Bandizip, to disseminate the ransomware across entire networks and steal sensitive files.
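As an added illustration of what the tooling described above means for a defender (this code is not from Microsoft or the article), the following Python triage script runs over constructed process-creation events, flags executions of the three named tools, and raises a higher-severity alert when Bandizip archiving is followed within 30 minutes by an rclone transfer to a non-local remote on the same host. The log format, host names, file paths and the PDQ image path are assumptions; the rclone subcommand names (copy, sync, move) are real.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events, one per line: "timestamp|host|image|command_line".
# Hosts, paths and the PDQ image name are assumptions for this example only.
SAMPLE_EVENTS = """\
2024-03-05T01:02:10|FS-01|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
2024-03-05T01:05:44|FS-01|C:\\Program Files\\Bandizip\\Bandizip.exe|Bandizip.exe c -y -r D:\\staging\\hr.zip \\\\FS-01\\HR$
2024-03-05T01:09:02|FS-01|C:\\Users\\Public\\rclone.exe|rclone.exe copy D:\\staging remote:bucket --transfers 8
2024-03-05T01:12:30|ADMIN-02|C:\\Program Files\\PDQ Deploy\\PDQDeploy.exe|PDQDeploy.exe
2024-03-05T02:00:00|WS-07|C:\\Windows\\explorer.exe|explorer.exe
"""

# Real rclone subcommands that move data between a local path and a remote.
RCLONE_TRANSFER = {"copy", "sync", "move"}


@dataclass
class Event:
    ts: datetime
    host: str
    image: str
    cmdline: str


def parse_events(text):
    """Parse the pipe-delimited constructed log format into Event objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, image, cmdline = line.split("|", 3)
        events.append(Event(datetime.fromisoformat(ts), host, image, cmdline))
    return events


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_remote(token):
    """True for rclone-style 'name:path' tokens; a Windows drive letter is local."""
    return bool(re.match(r"^[A-Za-z0-9_.-]+:", token)) and not re.match(r"^[A-Za-z]:", token)


def classify(ev):
    """Tag a single event, or return None when it matches none of the tools."""
    name = _basename(ev.image)
    tokens = ev.cmdline.split()
    if "rclone" in name or (tokens and "rclone" in tokens[0].lower()):
        args = tokens[1:]
        if any(t.lower() in RCLONE_TRANSFER for t in args) and any(_is_remote(t) for t in args):
            return "rclone_remote_transfer"   # data moved to a non-local remote
        return "rclone_execution"             # rclone ran, destination local or unknown
    if "bandizip" in name:
        return "archiver"                     # staging data into archives
    if "pdq" in ev.image.lower():
        return "pdq_deploy"                   # remote software deployment tooling
    return None


def correlate(matches, window=timedelta(minutes=30)):
    """Per host: archiver activity followed within `window` by an rclone remote transfer."""
    by_host = defaultdict(list)
    for ev, tag in matches:
        by_host[ev.host].append((ev, tag))
    alerts = []
    for host, items in by_host.items():
        items.sort(key=lambda x: x[0].ts)
        archives = [ev for ev, tag in items if tag == "archiver"]
        for ev, tag in items:
            if tag != "rclone_remote_transfer":
                continue
            if any(timedelta(0) <= (ev.ts - a.ts) <= window for a in archives):
                alerts.append({"host": host, "ts": ev.ts.isoformat(),
                               "pattern": "archive_then_rclone_remote"})
    return alerts


def detect(text):
    """Return per-event tool matches and the correlated staging-then-transfer alerts."""
    events = parse_events(text)
    matches = [(ev, tag) for ev in events if (tag := classify(ev))]
    return {
        "matches": [(ev.host, ev.ts.isoformat(), tag) for ev, tag in matches],
        "alerts": correlate(matches),
    }


if __name__ == "__main__":
    result = detect(SAMPLE_EVENTS)
    for host, ts, tag in result["matches"]:
        print(f"{ts} {host}: {tag}")
    for alert in result["alerts"]:
        print("ALERT", alert)
```

On the constructed sample this tags the Bandizip, rclone and PDQ events and raises one alert for FS-01, where archiving precedes an rclone transfer to `remote:bucket` by a few minutes. Plain execution of an archiver or of a deployment tool is expected in most environments, which is why those events are only tagged; the correlation step is what lifts the sequence to an alert worth an analyst's time.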
Experts advise companies to prioritize rapid patching and to use features such as Tamper Protection to block unauthorized changes to antivirus settings.
This proactive approach will help mitigate the risk posed by Storm-1175 and similar advanced threat actors.