Medusa ransomware group using zero-days to launch attacks within 24 hours of breach, Microsoft says

The Medusa ransomware operation is increasingly exploiting new vulnerabilities days before they are publicly disclosed, according to new research from Microsoft.

Cybersecurity experts at Microsoft published an examination of activity from the group — which recently claimed responsibility for a devastating attack on the largest hospital in Mississippi and a county in northern New Jersey. 

Microsoft said it has been alarmed to see how effective Medusa actors are, citing multiple cases in which the group moved from initial access to data exfiltration and ransomware deployment within 24 hours.

Medusa actors also make a point of targeting vulnerable web-facing systems during the window between vulnerability disclosure and widespread patch adoption.

“The threat actor’s high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States,” Microsoft explained. 

Incident responders have seen Medusa hackers break into systems and immediately create new user accounts to preserve their access. 

While many attacks have lasted just 24 hours, Medusa incidents typically run for five to six days and rely heavily on legitimate remote management tools like ConnectWise ScreenConnect, AnyDesk and SimpleHelp.
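The two behaviours described above, a new account created right after initial access and a legitimate RMM client launched on the same host, are individually noisy but stand out when they land on the same machine within a day. The following detection is an added example written for this page, not code from Microsoft's report or from the article; the event records are constructed, the field layout is a simplified Security log export (real 4732 events carry the member as a SID, not a name), and the SimpleHelp process name is an assumption.

```python
"""Correlate two Medusa behaviours from the article: a new local account created
shortly after initial access, and a legitimate RMM client launched on the same host.
Added example; the events below are constructed and use a simplified field layout."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Client/service binaries of the RMM tools the article names. The ScreenConnect and
# AnyDesk names are the real process names; the SimpleHelp entry is an assumption.
RMM_PROCESSES = {
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
    "screenconnect.windowsclient.exe": "ConnectWise ScreenConnect",
    "anydesk.exe": "AnyDesk",
    "remote access.exe": "SimpleHelp (assumed process name)",
}

# Constructed sample (JSON lines). Event IDs follow the Windows Security log:
# 4688 process creation, 4720 user account created, 4732 member added to local group.
# Real 4732 events carry the member as a SID; "target_user" is a simplification.
SAMPLE_EVENTS = r"""
{"time": "2026-01-10T01:12:05", "host": "MAIL01", "event_id": 4688, "image": "C:\\Windows\\System32\\cmd.exe", "user": "MAIL01$"}
{"time": "2026-01-10T01:13:40", "host": "MAIL01", "event_id": 4720, "target_user": "svc_backup2", "user": "Administrator"}
{"time": "2026-01-10T01:14:02", "host": "MAIL01", "event_id": 4732, "target_user": "svc_backup2", "group": "Administrators", "user": "Administrator"}
{"time": "2026-01-10T01:20:11", "host": "MAIL01", "event_id": 4688, "image": "C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe", "user": "SYSTEM"}
{"time": "2026-01-10T09:00:00", "host": "FS02", "event_id": 4688, "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe", "user": "jdoe"}
{"time": "2026-01-13T14:30:00", "host": "FS02", "event_id": 4720, "target_user": "helpdesk_tmp", "user": "jdoe"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'time', sorted chronologically."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"])
            events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def rmm_tool(image):
    """Return the RMM product for a process image path, or None if it is not one."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return RMM_PROCESSES.get(name)


def correlate(events, window):
    """Per host: flag each account creation (4720) that has an RMM process start
    (4688) within `window` of it, and note whether the new account was also added
    to the local Administrators group (4732)."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)

    findings = []
    for host, evs in by_host.items():
        rmm_starts = []
        for e in evs:
            if e["event_id"] == 4688:
                tool = rmm_tool(e["image"])
                if tool:
                    rmm_starts.append((e["time"], tool))
        admins = {e["target_user"] for e in evs
                  if e["event_id"] == 4732 and e.get("group") == "Administrators"}
        for c in (e for e in evs if e["event_id"] == 4720):
            near = [(abs(t - c["time"]), tool) for t, tool in rmm_starts
                    if abs(t - c["time"]) <= window]
            if near:
                findings.append({
                    "host": host,
                    "new_account": c["target_user"],
                    "created_by": c["user"],
                    "made_admin": c["target_user"] in admins,
                    "rmm_tools": sorted({tool for _, tool in near}),
                    "seconds_to_rmm": int(min(d for d, _ in near).total_seconds()),
                })
    return findings


def hunt(text, window_hours=24):
    """Run the correlation over a JSON-lines export; the window is tunable."""
    return correlate(parse_events(text), timedelta(hours=window_hours))


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

With the 24-hour window from the article only MAIL01 fires: an account is created, made an administrator, and ScreenConnect starts six and a half minutes later. FS02, where a help-desk user ran AnyDesk three days before creating a temporary account, stays quiet unless the window is widened. RMM tools are legitimately deployed in many estates, so allowlist the hosts and installer accounts where they are expected, and feed Sysmon event 1 in place of 4688 if process auditing with command lines is not enabled.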

A Microsoft spokesperson told Recorded Future News that the incidents are part of a growing trend where ransomware attackers weaponize vulnerabilities almost immediately.

The Microsoft blog highlights two recent bugs — CVE-2026-23760 in SmarterMail and CVE-2025-10035 in GoAnywhere Managed File Transfer — as examples of Medusa actors exploiting vulnerabilities one week before public disclosure. 

The Cybersecurity and Infrastructure Security Agency (CISA) previously confirmed that CVE-2026-23760 and CVE-2025-10035 have been used in ransomware attacks. Microsoft said that as ransomware attackers become more adept at identifying new vulnerabilities, organizations will need to understand their own digital footprint, meaning which perimeter assets are exposed and exploitable, before it is too late to defend them.

Experts believe the Medusa operation is based in Russia due to its avoidance of targets in the Commonwealth of Independent States, its Russian-language forum activity and the use of Cyrillic script in operational tools.

The group, which emerged in 2021, has repeatedly shown a willingness to target healthcare facilities and municipal governments across the U.S. 

The group most recently claimed attacks on New Jersey’s Passaic County and the University of Mississippi Medical Center (UMMC). The hospital fully reopened on March 2 with the help of the FBI and Department of Homeland Security. 

Cybersecurity experts at Symantec also recently said they saw members of Lazarus — a well-known North Korean hacking operation housed within the country’s military — deploy Medusa ransomware.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.