Microsoft Warns Storm-1175 Exploiting Web-Facing Flaws to Deploy Medusa Ransomware


Microsoft is warning that a fast‑moving threat actor it tracks as Storm‑1175 is aggressively exploiting vulnerabilities in internet‑exposed systems to deliver Medusa ransomware in days and sometimes in under 24 hours.

Storm‑1175 is a financially motivated group known for high‑velocity ransomware operations that weaponize recently disclosed, or “N‑day”, vulnerabilities in web‑facing services.

The actor focuses heavily on the short window between public disclosure and widespread patch deployment, repeatedly hitting organizations that have not yet updated or hardened their perimeter systems.

According to Microsoft, Storm‑1175 has recently driven impactful Medusa ransomware intrusions against healthcare, education, professional services, and financial organizations in Australia, the U.K., and the U.S.

Once a target is breached, the group typically moves from initial access to data theft and ransomware deployment within a few days, and has, in some cases, completed this attack chain in about 24 hours.

Storm-1175 Exploiting Web-Facing vulnerabilities

Storm‑1175’s initial access almost always starts with exploitation of vulnerable, internet‑exposed infrastructure, including email, remote access, and IT management platforms.

Since 2023, Microsoft has tied the group to the exploitation of more than a dozen CVEs across Microsoft Exchange, PaperCut, Ivanti Connect Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail, and BeyondTrust products.

While the group predominantly abuses N‑day bugs, Microsoft has also observed Storm‑1175 deploying zero‑day exploits, in some cases roughly a week before public disclosure.

Notably, exploitation of the SAP NetWeaver vulnerability CVE‑2025‑31324 was seen just one day after SAP published its advisory, highlighting how quickly Storm‑1175 can operationalize new exploit code.

Timeline of disclosure and exploitation of vulnerabilities used by Storm-1175 in campaigns (Source: Microsoft).

The actor also chains multiple vulnerabilities to enable deeper post‑compromise actions such as remote code execution, as was the case with earlier “OWASSRF” exploits against on‑premises Exchange servers.

More recently, Microsoft has seen Storm‑1175 target both Windows and Linux environments, including vulnerable Oracle WebLogic instances, broadening its potential victim pool.

After exploiting a perimeter service, Storm‑1175 typically drops a web shell or remote access payload, then creates new local accounts and promotes them to administrators to persist in the environment.

The group leans heavily on “living‑off‑the‑land” techniques, using tools like PowerShell and PsExec, and often sets up Cloudflare‑based tunnels, sometimes masquerading as legitimate binaries, to move laterally over Remote Desktop Protocol.

Storm-1175 attack chain (Source: Microsoft).

Remote monitoring and management (RMM) software is central to the group’s post‑exploitation toolkit, with Microsoft reporting abuse of Atera, Level, N‑able, DWAgent, MeshAgent, ScreenConnect, AnyDesk, and SimpleHelp for persistence, C2, and payload delivery.

For wide ransomware pushes across a network, Storm‑1175 frequently uses PDQ Deployer to silently distribute scripts and binaries to many systems at once.

For credential access, the group uses Impacket and Mimikatz to dump LSASS, toggles WDigest credential caching via the registry, and abuses tools like Task Manager to obtain password material.

With elevated credentials, it pivots to domain controllers, harvesting NTDS.dit and SAM hives to enable offline password cracking and broader domain compromise.

Medusa deployment

Before detonating Medusa payloads, Storm‑1175 tampers with security controls, modifying Microsoft Defender Antivirus registry settings and adding blanket exclusions, such as excluding the entire C:\ drive, to evade detection.
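The two registry-level techniques described above, blanket Defender exclusions and WDigest credential caching, leave simple, checkable artifacts. The following is an added example, not code from Microsoft's report or from Defender: it audits a registry snapshot (modelled here as a nested dict, with constructed sample values) for exclusions that cover a whole drive and for `UseLogonCredential` set to 1. The two key paths are the real, well-known locations; the assumption that each excluded path appears as a value name under the exclusions key matches how Defender stores them, but the snapshot contents are constructed for the example.

```python
"""Added example: audit a registry snapshot for Defender exclusion tampering
and WDigest cleartext credential caching. Sample data is constructed."""
import re
from typing import Dict, List

# Well-known registry locations for the two settings the article mentions.
DEFENDER_EXCLUSION_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
WDIGEST_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"

# A bare drive root such as "C:", "C:\" or "C:\*" excludes the entire drive.
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?\*?$")


def is_blanket_exclusion(path: str) -> bool:
    """True when a Defender path exclusion covers a whole drive (or everything)."""
    p = path.strip()
    return bool(DRIVE_ROOT.match(p)) or p in ("*", "\\", "\\*")


def find_blanket_exclusions(snapshot: Dict[str, Dict[str, object]]) -> List[str]:
    """Return excluded paths that are too broad to be legitimate, sorted."""
    # Defender stores each excluded path as a value name under the Paths key.
    exclusions = snapshot.get(DEFENDER_EXCLUSION_KEY, {})
    return sorted(path for path in exclusions if is_blanket_exclusion(path))


def wdigest_caching_enabled(snapshot: Dict[str, Dict[str, object]]) -> bool:
    """UseLogonCredential = 1 makes LSASS keep cleartext credentials for WDigest."""
    values = snapshot.get(WDIGEST_KEY, {})
    return values.get("UseLogonCredential") == 1


def audit(snapshot: Dict[str, Dict[str, object]]) -> List[str]:
    """Collect human-readable findings for the tampering techniques above."""
    findings: List[str] = []
    for path in find_blanket_exclusions(snapshot):
        findings.append(f"blanket Defender exclusion: {path}")
    if wdigest_caching_enabled(snapshot):
        findings.append("WDigest UseLogonCredential=1 (cleartext credential caching enabled)")
    return findings


# Constructed sample snapshot resembling an endpoint registry export. The
# whole-drive exclusion and the WDigest value are the conditions to flag;
# the vendor agent path is a normal, narrow exclusion and must not fire.
SAMPLE_SNAPSHOT: Dict[str, Dict[str, object]] = {
    DEFENDER_EXCLUSION_KEY: {
        "C:\\": 0,
        r"C:\ProgramData\Vendor\agent": 0,
    },
    WDIGEST_KEY: {"UseLogonCredential": 1},
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_SNAPSHOT):
        print(finding)
```

On a live host the snapshot would be built from `reg export` output or a registry-reading API; the checks themselves stay the same, and the same two locations are what tamper protection is meant to keep an attacker from editing in the first place.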

The group then compresses high‑value data with utilities like Bandizip and uses Rclone to exfiltrate bulk datasets to attacker‑controlled cloud storage, supporting Medusa’s double‑extortion model via its leak site.

With sufficient access established, Storm‑1175 commonly triggers Medusa ransomware deployment via PDQ Deployer scripts or Group Policy updates, encrypting systems across the environment and leveraging stolen data to pressure victims into paying.

Microsoft’s Defender suite raises alerts across each stage, from suspicious RMM activity and PsExec use to Rclone‑based exfiltration, Defender tampering, and Medusa‑style encryption behavior, enabling defenders to disrupt the kill chain if signals are triaged quickly.

Microsoft urges organizations to harden internet‑facing assets, use external attack surface management to map exposure, and aggressively patch or isolate vulnerable services that attract Storm‑1175 and other Medusa affiliates.

Recommended measures include enforcing VPN and WAF protections around any mandatory public services, enabling Credential Guard and attack surface reduction rules, and turning on tenant‑wide tamper protection to block unauthorized antivirus changes.

Enterprises should also tightly control and monitor RMM tools, enforce MFA on approved remote access, and investigate any rogue RMM installations as potential hands‑on‑keyboard intrusions.
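One concrete form of "tightly control and monitor RMM tools" is an allowlist check over installed-software inventory. The following is an added example, not Microsoft's tooling: it takes the RMM and remote-access products the article names as abused by Storm‑1175, tokenizes installed-program display names, and reports any of those products on hosts where it is not on the approved list. The inventory rows and the approved set are constructed for the example, and matching on a whole token of the display name is an assumption that works for these names but would need tuning against real inventory data.

```python
"""Added example: flag RMM products from the article that are installed but not
on the organisation's approved list. Inventory and approved set are constructed."""
import re
from typing import Iterable, List, NamedTuple, Set, Tuple

# Remote-access products the article reports Storm-1175 abusing.
RMM_PRODUCTS: List[str] = [
    "Atera", "Level", "N-able", "DWAgent", "MeshAgent",
    "ScreenConnect", "AnyDesk", "SimpleHelp",
]


class Finding(NamedTuple):
    host: str
    product: str
    display_name: str


def _tokens(name: str) -> Set[str]:
    """Lowercase whole-word tokens, keeping hyphenated names such as n-able intact."""
    return set(re.findall(r"[a-z0-9]+(?:-[a-z0-9]+)*", name.lower()))


def detect_rmm(inventory: Iterable[Tuple[str, str]], approved: Set[str]) -> List[Finding]:
    """Return one Finding per (host, product) where an unapproved RMM is present.

    inventory: (host, installed-program display name) pairs.
    approved:  product names from RMM_PRODUCTS that are sanctioned for use.
    """
    approved_lower = {p.lower() for p in approved}
    findings: List[Finding] = []
    for host, display_name in inventory:
        toks = _tokens(display_name)
        for product in RMM_PRODUCTS:
            key = product.lower()
            # Whole-token match avoids "powerlevel" triggering on "Level".
            if key in toks and key not in approved_lower:
                findings.append(Finding(host, product, display_name))
    return findings


# Constructed inventory rows as an endpoint-management export might list them.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("WS-0142", "ScreenConnect Client (constructed-id)"),
    ("WS-0142", "Microsoft Edge"),
    ("SRV-FILE01", "AnyDesk"),
    ("SRV-FILE01", "MeshAgent background service"),
    ("WS-0077", "ScreenConnect Client (constructed-id)"),
]

# Constructed: the organisation sanctions exactly one remote-access product.
APPROVED_RMM: Set[str] = {"ScreenConnect"}

if __name__ == "__main__":
    for f in detect_rmm(SAMPLE_INVENTORY, APPROVED_RMM):
        print(f"{f.host}: unapproved RMM {f.product} ({f.display_name})")
```

Each finding is a starting point for the investigation the article recommends: a second remote-access product on a file server, installed outside the sanctioned tool, is the kind of rogue RMM installation to treat as a possible hands‑on‑keyboard intrusion rather than an inventory nuisance.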

Microsoft notes that organizations using Defender XDR and Security Copilot can further automate attack disruption, quickly summarize incidents tied to Storm‑1175, and generate targeted hunting queries to detect similar high‑tempo ransomware campaigns before Medusa deployment completes.
