What is the Attack?

Microsoft Threat Intelligence has identified Storm-1175, a financially motivated threat actor conducting high-tempo ransomware operations leveraging the Medusa ransomware variant. The group specializes in rapidly exploiting vulnerable web-facing systems, often weaponizing newly disclosed vulnerabilities (N-days) and even zero-days before public disclosure.

Storm-1175 | Medusa ransomware operations | Microsoft Security Blog

A defining characteristic of this campaign is speed; attackers can move from initial access to full ransomware deployment within 24 hours, significantly reducing detection and response windows.

• Observed targeting includes: healthcare, education, financial services, and professional services

• Primary regions impacted: United States, United Kingdom, and Australia

What is the recommended Mitigation?

• Patch immediately: Prioritize newly disclosed vulnerabilities affecting internet-facing systems

• Reduce attack surface: Restrict or isolate exposed services and admin interfaces

• Monitor RMM usage: Detect abnormal use of tools like AnyDesk, ScreenConnect, or similar

• Harden identity security: Enforce MFA and monitor for anomalous account creation

• Enhance detection: Focus on early indicators such as unusual authentication, privilege escalation, and data movement
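As an added illustration of the "Monitor RMM usage" and "Harden identity security" items above (example code written for this page, not FortiGuard's or Microsoft's own detection logic), the script below correlates constructed Windows Security event records: an RMM tool launch (event 4688) followed by a new account creation (event 4720) on the same host within the 24-hour window the advisory highlights. The tool-name list, event fields, and sample records are assumptions.

```python
"""Flag an early Storm-1175-style pattern in Windows Security events:
an RMM tool launch (4688) followed by a new account (4720) on the same host."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (timestamp, host, event_id, detail); not real telemetry.
SAMPLE_EVENTS = [
    ("2025-06-01T02:10:00", "web01", 4688, r"C:\Windows\System32\cmd.exe"),
    ("2025-06-01T02:12:30", "web01", 4688, r"C:\Users\Public\AnyDesk.exe"),
    ("2025-06-01T02:15:05", "web01", 4720, "svc_backup2"),
    ("2025-06-01T09:00:00", "fs02", 4688, r"C:\Program Files\ScreenConnect\ScreenConnect.ClientService.exe"),
    ("2025-06-02T09:30:00", "fs02", 4720, "helpdesk-tmp"),  # outside the 24h window
]

RMM_NAMES = ("anydesk", "screenconnect", "connectwise")  # assumed watch-list
WINDOW = timedelta(hours=24)


def parse(ev):
    ts, host, eid, detail = ev
    return datetime.fromisoformat(ts), host, eid, detail


def is_rmm_launch(eid, detail):
    """Process-creation event whose image path names a watched RMM tool."""
    return eid == 4688 and any(n in detail.lower() for n in RMM_NAMES)


def find_suspicious_hosts(events, window=WINDOW):
    """Return {host: [(rmm_time, account_time, account)]} for each new-account
    event that follows an RMM launch on the same host within `window`."""
    by_host = defaultdict(list)
    for ts, host, eid, detail in sorted(map(parse, events)):
        by_host[host].append((ts, eid, detail))
    hits = defaultdict(list)
    for host, evs in by_host.items():
        rmm_times = [ts for ts, eid, d in evs if is_rmm_launch(eid, d)]
        for ts, eid, account in evs:
            if eid != 4720:
                continue
            for rt in rmm_times:
                if rt <= ts <= rt + window:
                    hits[host].append((rt.isoformat(), ts.isoformat(), account))
                    break
    return dict(hits)


if __name__ == "__main__":
    for host, findings in find_suspicious_hosts(SAMPLE_EVENTS).items():
        for rmm_t, acct_t, acct in findings:
            print(f"{host}: RMM launch at {rmm_t}, new account '{acct}' at {acct_t}")
```

In production the same correlation would read from a SIEM or EDR export; the window and tool list should be tuned to the RMM software an organization actually sanctions.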

What FortiGuard Coverage is available?

• FortiGuard IPS Service: Detects and blocks exploit attempts targeting vulnerable web-facing assets.

• FortiGuard Antivirus & Behavior Detection: Identifies Medusa ransomware and suspicious post-exploitation activity.

• FortiGuard Labs Threat Intelligence: Continuously tracks Storm-1175 activity, emerging CVEs, and IOCs.

• FortiGuard Incident Response: Provides rapid containment, forensic investigation, and recovery support for impacted organizations.