Medusa Ransomware Exploits Zero‑Day Vulnerabilities to Hit Healthcare, Education, Finance Sectors Within 24 Hours
What Happened — Microsoft research shows the Medusa ransomware group is weaponising newly disclosed zero‑day flaws, moving from initial access to data exfiltration and ransomware deployment in under 24 hours. The group has already struck a major Mississippi hospital, a New Jersey county, and multiple organizations in Australia, the United Kingdom, and the United States.
Why It Matters for TPRM —
- Exploitation within days of disclosure leaves vendors little or no window to patch, so a vendor can be compromised while still inside a contractual patch SLA.
- Rapid ransomware deployment can disrupt critical services and expose sensitive data before contracts or SLAs can be invoked.
- The group’s reliance on legitimate remote‑management tools (e.g., ConnectWise ScreenConnect, AnyDesk) blurs the line between approved vendor remote access and attacker access: the same signed client may be present on a host for both reasons.
Who Is Affected — Healthcare providers, university medical centers, K‑12 and higher‑education institutions, financial services firms, professional‑services consultancies, and municipal governments.
Recommended Actions —
- Conduct an immediate inventory of all web‑facing assets and of the remote‑management tools used by third‑party vendors, recording which tool is approved on which hosts so that unexpected remote‑management activity can be recognised.
- Shorten patch windows for internet‑exposed software and prioritise disclosed CVEs that CISA lists as known to be exploited (e.g., CVE‑2026‑23760, CVE‑2025‑10035).
- Enforce multi‑factor authentication and strict least‑privilege for any vendor‑created accounts.
- Review and tighten network segmentation to isolate critical systems from internet‑exposed services.
Technical Notes — Medusa exploits newly disclosed vulnerabilities (CVE‑2026‑23760 in SmarterMail, CVE‑2025‑10035 in GoAnywhere MFT) within days of disclosure, then pivots using legitimate remote‑desktop tools to maintain persistence. Because those clients are signed, legitimate software, detection has to key on whether the tool is expected on that host and what process launched it, not on the binary alone. Data exfiltration and ransomware encryption typically occur within 24 hours of initial access, with incidents lasting 5‑6 days. Source: The Record
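The inventory step under Recommended Actions and the remote‑desktop pivot in the Technical Notes point at the same control: compare observed remote‑management (RMM) activity against the per‑host vendor inventory, and escalate when an RMM client shows up shortly after an internet‑facing worker process spawned a shell. The script below is an added example written for this brief, not code from The Record, Microsoft or any vendor. The process‑event schema, host names, approved‑tool inventory, client binary names and web‑worker process names are assumptions chosen for illustration; the sample telemetry is constructed.

```python
"""Hunt process-creation events for remote-management (RMM) tool activity that
is not in the third-party inventory, escalating when it follows an
exploitation indicator on the same host within the group's reported 24 h
access-to-encryption window.

Added example. Event schema, hosts, inventory and process names are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Client binaries of the RMM tools named in the brief. Assumed file names;
# extend from your own vendor inventory rather than treating this as complete.
RMM_IMAGES = {
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
    "screenconnect.windowsclient.exe": "ConnectWise ScreenConnect",
    "anydesk.exe": "AnyDesk",
}

# Worker processes of internet-facing services (IIS, Java app servers) in the
# assumed environment. They should never spawn shells or RMM clients; when
# they do, treat it as an exploitation indicator.
WEB_SERVICE_PARENTS = {"w3wp.exe", "java.exe", "tomcat9.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Assumed inventory: which RMM tool each vendor is approved to use, per host.
APPROVED_RMM = {
    "fileserver01": {"ConnectWise ScreenConnect"},
    "workstation07": {"AnyDesk"},
}

PIVOT_WINDOW = timedelta(hours=24)  # reported access-to-ransomware timeline


@dataclass(frozen=True)
class ProcEvent:
    ts: datetime
    host: str
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    user: str


def basename(path: str) -> str:
    """Case-insensitive file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def exploit_indicators(events):
    """host -> earliest time a web-facing worker spawned a shell or RMM client."""
    first = {}
    for ev in sorted(events, key=lambda e: e.ts):
        parent, child = basename(ev.parent_image), basename(ev.image)
        if parent in WEB_SERVICE_PARENTS and (child in SHELLS or child in RMM_IMAGES):
            first.setdefault(ev.host, ev.ts)
    return first


def hunt(events):
    """Findings {host, ts, severity, reason} for RMM activity not approved for
    the host; critical when it follows an exploitation indicator within
    PIVOT_WINDOW on the same host. Approved tool on approved host: no finding."""
    indicators = exploit_indicators(events)
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        tool = RMM_IMAGES.get(basename(ev.image))
        if tool is None or tool in APPROVED_RMM.get(ev.host, set()):
            continue
        severity = "medium"
        reason = f"{tool} is not approved for {ev.host} (run as {ev.user})"
        t0 = indicators.get(ev.host)
        if t0 is not None and timedelta(0) <= ev.ts - t0 <= PIVOT_WINDOW:
            severity = "critical"
            reason += f"; first seen {ev.ts - t0} after a web-facing worker spawned a shell"
        findings.append({"host": ev.host, "ts": ev.ts, "severity": severity, "reason": reason})
    return findings


# Constructed sample telemetry in Sysmon event 1 / EDR process-creation style.
SAMPLE_EVENTS = [
    ProcEvent(datetime(2025, 1, 5, 2, 10), "mailserver01",
              r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\inetsrv\w3wp.exe", "IIS APPPOOL\\Mail"),
    ProcEvent(datetime(2025, 1, 5, 3, 40), "mailserver01",
              r"C:\ProgramData\AnyDesk\AnyDesk.exe",
              r"C:\Windows\System32\cmd.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(datetime(2025, 1, 5, 9, 0), "fileserver01",
              r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
              r"C:\Windows\System32\services.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(datetime(2025, 1, 5, 10, 0), "workstation07",
              r"C:\Users\jdoe\AppData\Local\Temp\ScreenConnect.WindowsClient.exe",
              r"C:\Windows\explorer.exe", "CORP\\jdoe"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["host"], f["ts"].isoformat(), f["reason"])
```

On the constructed sample, the approved ScreenConnect service on fileserver01 produces no finding, the ScreenConnect client a user ran on workstation07 (where only AnyDesk is approved) is a medium finding, and AnyDesk appearing on mailserver01 ninety minutes after the IIS worker spawned cmd.exe is critical. The allowlist is what makes the legitimate/malicious distinction from the TPRM bullet tractable: without a per‑host inventory, every RMM sighting looks the same.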