In a concerning development, the threat group Storm-1175 is actively exploiting internet-facing vulnerabilities to carry out sophisticated ransomware attacks. By leveraging known software flaws, the group deploys Medusa ransomware, threatening organizations with both data encryption and exposure. This latest campaign has put cybersecurity experts on high alert.
Rapid and Strategic Attacks
Storm-1175 is notorious for its swift operations, often locking down entire networks within just 24 hours of infiltration. The group specializes in exploiting N-day vulnerabilities, which are flaws already disclosed but not yet patched by systems administrators. This strategy allows them to target internet-exposed applications such as file transfer tools and mail servers that remain vulnerable.
Microsoft’s Threat Intelligence team has been monitoring Storm-1175 since 2023, identifying its involvement in exploiting over 16 known vulnerabilities across various enterprise platforms. This includes the use of zero-day flaws, which are vulnerabilities not publicly disclosed when first exploited.
Exploiting Zero-Day Vulnerabilities
In addition to N-day exploits, Storm-1175 has demonstrated the ability to utilize zero-day vulnerabilities. For instance, they exploited a vulnerability in SmarterMail (CVE-2026-23760) and Fortra’s GoAnywhere Managed File Transfer (CVE-2025-10035) a week before these flaws were publicly announced. Such tactics provide the group with a significant advantage over unprepared organizations.
Medusa ransomware, a Ransomware-as-a-Service platform, is the tool of choice for Storm-1175. It combines data encryption with a double extortion model, threatening victims with public data release if ransoms are not paid. This approach places immense pressure on industries heavily dependent on internet-facing systems.
Post-Compromise Operations
Once inside a network, Storm-1175 executes a well-rehearsed attack sequence. The group often deploys web shells or remote access payloads to maintain connectivity, even after vulnerabilities are patched. They create new user accounts to ensure ongoing access and employ legitimate remote management tools to avoid detection.
To disable security defenses, Storm-1175 manipulates Microsoft Defender settings and uses encoded PowerShell commands to exclude malicious files from antivirus scans. Credential theft is also a critical component, allowing the attackers to escalate privileges and spread ransomware across networks efficiently.
In the final stages, they use tools like Bandizip for data packaging and Rclone for transferring files to cloud storage under their control. PDQ Deployer then executes scripts that push Medusa ransomware payloads across all affected systems.
Defense and Prevention Measures
To combat these threats, Microsoft and security experts urge organizations to patch vulnerabilities in internet-facing systems promptly, ideally within 72 hours of disclosure. Monitoring for signs of credential theft, unauthorized registry changes, and new user accounts is crucial for early detection. Limiting remote management tool usage and enforcing multi-factor authentication on privileged accounts are also recommended. Regularly auditing antivirus exclusion paths can prevent unauthorized modifications from creating exploitable gaps.
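The two detection points the article singles out, encoded PowerShell that tampers with Microsoft Defender exclusions and the creation of new local accounts, can be checked mechanically against process-creation logs. The script below is an added example, not code from the article, from Microsoft, or from any vendor: it decodes the Base64/UTF-16LE payload behind powershell.exe's -EncodedCommand switch, then matches the decoded (or plain) command line against Defender exclusion changes and "net user ... /add". The log line layout (timestamp, host=, user=, cmd=) and every sample event are constructed for the example; a real deployment would parse Windows Security event 4688 or EDR telemetry instead.

```python
"""Hunt for two post-compromise signals described in the Storm-1175 reporting:
encoded PowerShell that changes Microsoft Defender exclusions, and local
accounts created with "net user ... /add".  All log lines below are constructed
samples in an assumed "ts host=... user=... cmd=..." layout, not real telemetry."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed log layout: one process-creation event per line with the full command line.
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)

# Adding exclusions or disabling protection features via the Defender cmdlets.
DEFENDER_RE = re.compile(
    r"(?:Add|Set)-MpPreference\b.*?-(?:ExclusionPath|ExclusionExtension|ExclusionProcess|Disable\w+)",
    re.I,
)
# Local account creation via net.exe/net1.exe or the PowerShell cmdlet.
NET_USER_ADD_RE = re.compile(
    r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b|\bNew-LocalUser\b", re.I
)


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    category: str
    detail: str


def encode_for_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it (Base64 over UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None if absent or not decodable."""
    m = ENC_RE.search(cmd)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def scan_events(lines: List[str]) -> List[Finding]:
    """Classify each event; malformed lines are skipped rather than aborting the hunt."""
    findings: List[Finding] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, user, cmd = m.group("ts", "host", "user", "cmd")
        decoded = decode_encoded_command(cmd)
        # Match detections against the decoded script when there is one,
        # so Base64 cannot hide the Defender or account-creation commands.
        effective = decoded if decoded is not None else cmd
        if decoded is not None:
            findings.append(Finding(ts, host, user, "encoded_powershell", decoded))
        if DEFENDER_RE.search(effective):
            findings.append(Finding(ts, host, user, "defender_tampering", effective))
        if NET_USER_ADD_RE.search(effective):
            findings.append(Finding(ts, host, user, "local_account_created", effective))
    return findings


# Constructed sample events (hostnames, users, paths and timestamps are placeholders).
SAMPLE_EVENTS = [
    "2025-01-01T10:00:01Z host=FS01 user=svc_backup cmd=C:\\Windows\\System32\\cmd.exe /c whoami",
    "2025-01-01T10:02:14Z host=FS01 user=svc_backup cmd=powershell.exe -nop -w hidden -enc "
    + encode_for_powershell("Add-MpPreference -ExclusionPath 'C:\\ProgramData\\stage'"),
    "2025-01-01T10:03:40Z host=FS01 user=svc_backup cmd=net user helpdesk2 Placeholder1! /add",
    "2025-01-01T10:05:00Z host=FS01 user=admin cmd=powershell.exe -EncodedCommand "
    + encode_for_powershell("Get-Process | Out-File C:\\temp\\procs.txt"),
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host} {f.user} [{f.category}] {f.detail}")
```

Run as-is to see the four findings from the sample events: the encoded exclusion change produces both an encoded_powershell and a defender_tampering finding, the net user line produces local_account_created, and the benign encoded Get-Process command is reported only as encoded PowerShell, which is worth reviewing but is not on its own evidence of tampering. The same decoded text can be compared against the organisation's approved exclusion list to implement the exclusion-path audit the article recommends.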
