Microsoft has identified Storm-1175 as the cybercriminal group behind rapid Medusa ransomware attacks affecting organisations in the US, UK and Australia.
The financially motivated group focuses on exploiting vulnerable internet-facing systems soon after security flaws become known. In some cases, it moved from initial access to data theft and ransomware deployment within 24 hours.
The attacks have affected organisations in healthcare, education, financial services and professional services. The pattern shows how quickly ransomware operators now act in the window between vulnerability disclosure and patching.
Fast exploitation
Since 2023, Storm-1175 has exploited more than 16 vulnerabilities across products including Microsoft Exchange, PaperCut, Ivanti Connect Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail and BeyondTrust. The group often switches exploits quickly to match newly disclosed weaknesses.
One example involved a flaw in SAP NetWeaver that was exploited a day after disclosure. Microsoft has also observed the actor using zero-day exploits, including vulnerabilities abused about a week before public disclosure.
This marks a shift away from slower ransomware operations that gave defenders more time to respond. In some intrusions, Storm-1175 also chained multiple exploits to gain remote code execution and deepen access after the initial breach.
The group has targeted both Windows and Linux environments. Microsoft also identified attacks on vulnerable Oracle WebLogic instances, although it could not determine the precise flaw used in those cases.
Inside networks
After gaining entry, Storm-1175 typically establishes persistence by creating new user accounts and adding them to administrator groups. It then carries out reconnaissance, credential theft and lateral movement before deploying ransomware across the network.
The actor frequently uses built-in administrative tools such as PowerShell and PsExec, as well as Cloudflare tunnels renamed to resemble legitimate files. In some environments, the group altered Windows Firewall settings to enable Remote Desktop where it was not already allowed.
Remote monitoring and management software has also featured heavily in the intrusions. Microsoft listed tools including Atera, Level, N-able, DWAgent, MeshAgent, ConnectWise ScreenConnect, AnyDesk and SimpleHelp as being used in post-compromise activity.
It also highlighted the use of PDQ Deployer for software distribution inside compromised environments. The tool has been used both to move through networks and to deliver ransomware payloads.
Credential theft
Storm-1175 uses Impacket and Mimikatz, alongside other methods, to obtain credentials. It has also been seen dumping LSASS credentials, changing registry settings to enable WDigest credential caching and recovering passwords from Veeam backup software.
With higher privileges, the actor has moved to domain controllers and accessed NTDS.dit files and the Security Account Manager. That level of access can give attackers a broad view of user accounts and system settings across a compromised organisation.
The group also tampers with security controls before deploying ransomware. Microsoft described cases in which antivirus settings in the registry were changed and encoded PowerShell commands were used to add the C:\ drive to antivirus exclusion paths.
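The persistence behaviour described under "Inside networks" (new accounts added to administrator groups) and the credential-theft and defence-evasion steps above (the WDigest registry change, encoded PowerShell adding the C:\ drive to antivirus exclusions) all leave traces in host telemetry. The following script is an added example, not part of Microsoft's report or this article, that runs simple detection logic over a handful of constructed Windows Security and Sysmon-style events. The event IDs used (4720, 4732/4728, Sysmon 1 and 13), the field names, the one-hour correlation window and the sample records are all assumptions for illustration.

```python
"""Added example (not from the original article): flag three post-compromise
behaviours in a stream of constructed Windows Security / Sysmon-style events:
  1. a newly created account added to an administrators group shortly after
     creation (persistence via new accounts),
  2. WDigest UseLogonCredential set to 1 (cleartext credential caching),
  3. PowerShell excluding the root of a drive from Defender scanning, also when
     the command is passed via -EncodedCommand (base64 of UTF-16LE).
Event IDs, field names, the time window and the sample data are assumptions.
"""
import base64
import re
from datetime import datetime, timedelta


def _enc(cmd):
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()


# Constructed sample events; not real telemetry. Times are ISO-8601 strings.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T02:14:05", "id": 4720, "host": "SRV01", "target": "svc_backup2"},
    {"time": "2024-01-10T02:14:40", "id": 4732, "host": "SRV01", "target": "svc_backup2",
     "group": "Administrators"},
    # Benign-looking case: account created, made admin two days later.
    {"time": "2024-01-10T03:00:00", "id": 4720, "host": "SRV02", "target": "newhire"},
    {"time": "2024-01-12T09:00:00", "id": 4732, "host": "SRV02", "target": "newhire",
     "group": "Administrators"},
    {"time": "2024-01-10T02:20:00", "id": 13, "host": "SRV01",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "value": "DWORD (0x00000001)"},
    {"time": "2024-01-10T02:25:00", "id": 1, "host": "SRV01",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand "
                + _enc("Add-MpPreference -ExclusionPath 'C:\\'")},
    # Narrow exclusion of one application folder: not a whole-drive exclusion.
    {"time": "2024-01-10T02:26:00", "id": 1, "host": "SRV03",
     "cmdline": "powershell.exe Add-MpPreference -ExclusionPath 'C:\\Program Files\\App'"},
]

ACCOUNT_WINDOW = timedelta(hours=1)  # assumption: admin rights within 1h of creation is suspicious
WDIGEST_KEY = re.compile(r"\\WDigest\\UseLogonCredential$", re.IGNORECASE)
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Add-MpPreference -ExclusionPath pointing at a bare drive root such as C:\ or "D:"
ROOT_EXCLUSION = re.compile(
    r"""Add-MpPreference\b.*-ExclusionPath\s+['"]?[A-Za-z]:\\?['"]?(?:\s|$)""", re.IGNORECASE)


def _ts(event):
    return datetime.fromisoformat(event["time"])


def find_new_admin_accounts(events, window=ACCOUNT_WINDOW):
    """(host, user) pairs created (4720) and added to an admin group (4732/4728) within `window`."""
    created = {}
    for e in sorted(events, key=_ts):
        if e["id"] == 4720:
            created[(e["host"], e["target"])] = _ts(e)
    hits = []
    for e in sorted(events, key=_ts):
        if e["id"] in (4732, 4728) and "admin" in e.get("group", "").lower():
            key = (e["host"], e["target"])
            if key in created and timedelta(0) <= _ts(e) - created[key] <= window:
                hits.append(key)
    return hits


def find_wdigest_enabled(events):
    """Hosts where a registry value-set event (Sysmon 13) turned WDigest caching on (value 1)."""
    return [e["host"] for e in events
            if e["id"] == 13 and WDIGEST_KEY.search(e.get("key", ""))
            and re.search(r"0x0*1\b", e.get("value", ""))]


def decode_powershell(cmdline):
    """Return the command line with any -EncodedCommand payload replaced by its decoded text."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not a valid payload; inspect the raw line instead
    return cmdline[:m.start()] + decoded


def find_root_drive_exclusions(events):
    """(host, decoded cmdline) for PowerShell process starts (Sysmon 1) excluding a whole drive."""
    hits = []
    for e in events:
        if e["id"] != 1 or "powershell" not in e.get("cmdline", "").lower():
            continue
        cmd = decode_powershell(e["cmdline"])
        if ROOT_EXCLUSION.search(cmd):
            hits.append((e["host"], cmd))
    return hits


def triage(events):
    """Summarise all three detections for a batch of events."""
    return {
        "new_admin_accounts": find_new_admin_accounts(events),
        "wdigest_enabled_on": find_wdigest_enabled(events),
        "root_drive_exclusions": [host for host, _ in find_root_drive_exclusions(events)],
    }


if __name__ == "__main__":
    for name, result in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {result}")
```

On the constructed sample, only SRV01 trips all three rules: the account made admin within seconds of creation, the WDigest value flip, and the encoded Add-MpPreference call once it is decoded. The two-day gap on SRV02 and the narrow per-folder exclusion on SRV03 are deliberately left unflagged to show where the thresholds sit; in a real deployment those would be tuned against the organisation's own provisioning and software-install patterns.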
Double extortion
Storm-1175 uses Medusa ransomware, which follows a double extortion model. The group often archives files with Bandizip and exfiltrates data with Rclone before encryption, allowing it to threaten public release of stolen information if victims refuse to pay.
Ransomware deployment often takes place through PDQ Deployer and, in some cases, through changes to Group Policy. Many attacks lasted five to six days, although some moved much faster.
Microsoft said the findings underline the need for organisations to closely monitor exposed internet-facing assets, isolate critical systems where possible and strengthen controls around privileged accounts, remote management tools and credential theft.
Storm-1175’s activity shows attackers are “weaponising vulnerabilities almost immediately, redefining how fast cyberattacks now unfold”, Microsoft said.