Medusa Ransomware Deployment Tied to Recent Vulnerability Exploitation
Medusa Ransomware Deployment Linked to Storm-1175 Group
A high-profile cybercriminal outfit known as Storm-1175 has been launching Medusa ransomware attacks within days of the disclosure of previously unknown security flaws.
Surge in Attacks Leveraging ‘N-Day’ Vulnerabilities
Researchers have pinpointed a surge in attacks leveraging “N-day” vulnerabilities – publicly disclosed weaknesses that affected systems have not yet been patched against. Among them is a flaw in SAP NetWeaver, tracked as CVE-2025-31324, which was disclosed on April 24, 2025, and was already being exploited to deploy Medusa ransomware on April 25.
Tactics Used by Storm-1175
The investigation revealed that Storm-1175 gained access to organizations through internet-facing perimeter systems that had not received essential security updates. Further analysis uncovered over 16 different vulnerabilities exploited since 2023, including flaws in products such as PaperCut and JetBrains TeamCity. Moreover, the group has also used zero-day exploits, as in an attack on SmarterMail in early 2026 that was carried out before the vulnerability was publicly known.
Security Experts’ Recommendations
Security professionals caution that this accelerated pace represents a significant shift in cyberattack strategies, with intrusions progressing from initial access to data extraction within hours rather than days. To counter these evolving threats, security experts recommend speeding up patching procedures and enabling protective controls such as tamper protection on security tooling. Furthermore, promptly validating and rolling out patches narrows the window in which known vulnerabilities can be exploited, helping to prevent future attacks by Storm-1175 or similar groups.
