Patch Now or Pay Up: Medusa Ransomware Exploiting Fortra GoAnywhere MFT Zero-Day for Massive Data Theft

CODE RED • PATCH NOW • ACTIVE EXPLOITATION

By CyberDudeBivash • October 08, 2025 • Urgent Security Directive

cyberdudebivash.com | cyberbivash.blogspot.com

Disclosure: This is an urgent security advisory for IT and security professionals. It contains affiliate links to relevant enterprise security solutions. Your support helps fund our independent research.


Chapter 1: The Race Against Time — Fortra Releases Emergency Patch

Following our **previous alerts** on the active exploitation of a zero-day in GoAnywhere MFT, the vendor, Fortra, has released an emergency security patch for the critical RCE vulnerability, **CVE-2025-10035**. This is not a moment for relief; it is the start of a race. The **Medusa ransomware** group is continuing to use automated scanners to find and exploit every unpatched, internet-facing server. Your patching window is not measured in days; it is measured in hours. The choice is stark: patch now, or prepare to pay up.


Chapter 2: Threat Recap — The Medusa Ransomware Kill Chain


The Medusa group's attack is swift and devastating. They are exploiting the unauthenticated RCE to gain an initial foothold. From there, their post-exploitation playbook is ruthlessly efficient: they deploy Cobalt Strike for C2, use tools like Mimikatz to dump credentials, move laterally to your domain controllers, exfiltrate your most sensitive data, and only then do they deploy the ransomware payload to encrypt your entire network.


Chapter 3: The Defender's Playbook — The 3-Step Emergency Response Protocol


Your incident response must be immediate and decisive.

Step 1: PATCH IMMEDIATELY

This is your highest and most urgent priority. Apply the emergency security patch from Fortra to all of your GoAnywhere MFT instances without delay. If you cannot patch immediately, you must take the system completely offline or use your firewall to block all public internet access to the web interface.

Step 2: VERIFY THE PATCH

After deploying the patch, use your vulnerability scanner to run a new scan against the system to confirm that CVE-2025-10035 is no longer detected. Do not assume the patch worked; verify it.

Step 3: HUNT FOR COMPROMISE (Assume Breach)

You must assume your server was compromised before you could patch. Use your **EDR platform** to hunt for the "golden signal" of the initial exploit: the GoAnywhere process spawning unexpected child processes.


    ParentProcess IN ('goanywhere.exe', 'java.exe')
    AND ProcessName IN ('cmd.exe', '/bin/sh', 'powershell.exe')

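The Step 3 hunt expressed as runnable detection logic, added here as an example and not part of the original advisory: it applies the parent/child rule above to constructed process-creation events. The check that a `java.exe` parent lives under a GoAnywhere install path is an assumption added to cut noise from unrelated Java services.

```python
"""Hunt for the GoAnywhere 'golden signal': the MFT process (or its bundled
Java runtime) spawning an interactive shell. Events below are constructed."""
from typing import Dict, List

# Parent names from the advisory; 'java' covers Linux hosts.
SUSPECT_PARENTS = {"goanywhere.exe", "java.exe", "java"}
# Shells from the advisory plus common equivalents.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash"}
# Assumption: only flag java.exe when it runs from a GoAnywhere install path.
PARENT_PATH_HINT = "goanywhere"

def _basename(path: str) -> str:
    # Normalise Windows and POSIX paths regardless of the analyst's own OS.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def is_golden_signal(event: Dict[str, str]) -> bool:
    parent = _basename(event.get("parent_image", ""))
    child = _basename(event.get("image", ""))
    if child not in SHELL_CHILDREN or parent not in SUSPECT_PARENTS:
        return False
    if parent.startswith("java"):
        # java.exe is a noisy parent; require the GoAnywhere path hint.
        return PARENT_PATH_HINT in event.get("parent_image", "").lower()
    return True

def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return only the events that match the golden-signal rule."""
    return [e for e in events if is_golden_signal(e)]

# Constructed sample telemetry (not real IoCs): three hits, two benign.
SAMPLE_EVENTS = [
    {"host": "mft01", "parent_image": r"C:\Program Files\GoAnywhere\goanywhere.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "mft01", "parent_image": r"C:\Program Files\GoAnywhere\jre\bin\java.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -Command Get-Date"},
    {"host": "mft02", "parent_image": "/opt/goanywhere/jre/bin/java",
     "image": "/bin/sh", "cmdline": "sh -c id"},
    {"host": "build01", "parent_image": r"C:\jenkins\jre\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c gradle build"},
    {"host": "mft01", "parent_image": r"C:\Program Files\GoAnywhere\goanywhere.exe",
     "image": r"C:\Program Files\GoAnywhere\jre\bin\java.exe", "cmdline": "java -jar app.jar"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"ALERT {hit['host']}: {_basename(hit['parent_image'])} -> {hit['cmdline']}")
```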

Chapter 4: The Strategic Takeaway — The 'Assume Breach' Mandate


The release of a patch for a zero-day is not the end of an incident; it is the beginning. For every CISO, the new mandate is **"Assume Breach."** Patching closes the front door, but it does nothing to remove an attacker who is already living in your house. The release of a patch must trigger an immediate and aggressive internal threat hunt.

This incident is another powerful lesson in the fragility of internet-facing enterprise applications. A resilient security program is one that is built not just on prevention, but on a powerful detection and response capability that can find and eradicate an attacker *after* they have bypassed your perimeter. For a full breakdown of this modern approach, see our **CISO's Blueprint to Incident Response**.

Detect the Entire Kill Chain: A modern **XDR platform** is your essential tool for this "assume breach" world. It can correlate the initial exploit with the subsequent lateral movement and ransomware deployment, giving your SOC a unified view of the entire attack.


Explore the CyberDudeBivash Ecosystem

Our Core Services:

  • CISO Advisory & Strategic Consulting
  • Penetration Testing & Red Teaming
  • Digital Forensics & Incident Response (DFIR)
  • Advanced Malware & Threat Analysis
  • Supply Chain & DevSecOps Audits


About the Author
CyberDudeBivash is a cybersecurity strategist with 15+ years in incident response, threat intelligence, and ransomware defense, advising CISOs across APAC. [Last Updated: October 08, 2025]


#CyberDudeBivash #Ransomware #Medusa #GoAnywhere #MFT #CVE #RCE #CyberSecurity #PatchNow #ThreatIntel #InfoSec
