Microsoft has raised serious concerns over a rapidly evolving ransomware campaign driven by a financially motivated threat group known as Storm-1175. Notably, this group has been executing high-speed attacks that specifically target vulnerable, internet-facing systems, ultimately deploying Medusa ransomware to cripple organizations.
What sets Storm-1175 apart, however, is its speed and precision. In many cases, attackers move from initial access to full system compromise in less than 24 hours. Consequently, organizations have very little time to detect and respond before significant damage occurs.
Primarily, Storm-1175 focuses on exploiting what security experts call “N-day” vulnerabilities: flaws that have already been disclosed publicly but remain unpatched across numerous systems. By exploiting the window between disclosure and patching, the group infiltrates exposed applications such as file transfer platforms and mail servers. Even a short delay in patching can leave systems vulnerable.
According to Microsoft Threat Intelligence, researchers have been tracking Storm-1175 since 2023. During this time, they observed the group exploiting more than 16 known vulnerabilities across enterprise platforms. Furthermore, the threat has escalated as the group has now demonstrated the ability to exploit zero-day vulnerabilities—flaws that are not yet publicly disclosed.
For instance, attackers leveraged CVE-2026-23760, a SmarterMail vulnerability, a full week before it became public knowledge. Similarly, they exploited CVE-2025-10035 in Fortra’s GoAnywhere Managed File Transfer solution prior to its official disclosure. These incidents highlight the group’s advanced capabilities and proactive attack strategy.
Medusa ransomware, which operates under a Ransomware-as-a-Service (RaaS) model, plays a central role in these attacks. Affiliates like Storm-1175 use this platform to launch campaigns that employ double extortion tactics. In addition to encrypting data, attackers exfiltrate sensitive information and threaten to release it publicly unless a ransom is paid. As a result, organizations face both operational disruption and reputational damage.
Inside Storm-1175’s Attack Strategy
Once inside a network, Storm-1175 follows a structured and calculated approach. Initially, the group deploys web shells or remote access payloads to maintain persistent access. It also creates new user accounts so that access continues even if the original vulnerability is patched.
Subsequently, attackers utilize legitimate remote monitoring and management (RMM) tools, blending their activity with regular IT operations. This tactic allows them to move laterally across systems without raising immediate suspicion. At the same time, they manipulate Microsoft Defender Antivirus settings through the Windows registry, effectively weakening system defenses.
Moreover, attackers execute encoded PowerShell commands to exclude entire drives from antivirus scanning. This enables malicious files to remain undetected. Credential theft also plays a key role, as high-privilege accounts are targeted to expand control across the network.
When preparing for the final stage, Storm-1175 uses tools like Bandizip to compress stolen data and Rclone to transfer it to attacker-controlled cloud environments. Finally, PDQ Deployer distributes the ransomware payload across all accessible machines, often leveraging Group Policy updates for widespread deployment.
Security Recommendations
To mitigate such threats, Microsoft strongly advises organizations to patch internet-facing systems immediately—ideally within 72 hours of vulnerability disclosure, especially those listed in the CISA Known Exploited Vulnerabilities catalog.
Additionally, security teams should actively monitor for suspicious indicators such as credential theft, unauthorized registry changes, and unexpected user account creation. Restricting the use of RMM tools, enforcing multi-factor authentication, and auditing antivirus exclusions are also critical steps in strengthening defenses.
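As an added example (not part of Microsoft's report or the article), the following PowerShell script audits a single Windows host for the tampering pattern described above: drive-wide Defender exclusions, Defender protections disabled through the Policies registry hive, recent Defender configuration changes (event 5007) and recent account creations (Security event 4720). It assumes an elevated session on Windows 10/Server 2016 or later where the Defender cmdlets are available; the function names and the 24-hour lookback are choices made here.

```powershell
# Added defensive audit example; assumes an elevated PowerShell session with
# the Defender module (Get-MpPreference) available. Not vendor-provided code.

function Get-DriveRootExclusions {
    # An exclusion such as "C:\" or "D:" hides the whole volume from scanning,
    # the effect the encoded commands in the report are used to achieve.
    $prefs = Get-MpPreference
    @($prefs.ExclusionPath) | Where-Object { $_ -and $_ -match '^[A-Za-z]:\\?$' }
}

function Get-DefenderPolicyTampering {
    # Policy-hive values that switch off Defender protections when set to 1.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $checks = @(
        @{ Key = $base;                          Name = 'DisableAntiSpyware' },
        @{ Key = "$base\Real-Time Protection";   Name = 'DisableRealtimeMonitoring' },
        @{ Key = "$base\Real-Time Protection";   Name = 'DisableBehaviorMonitoring' }
    )
    foreach ($c in $checks) {
        $v = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
        if ($v -and $v.($c.Name) -eq 1) {
            [pscustomobject]@{ Key = $c.Key; Value = $c.Name; Setting = 1 }
        }
    }
}

function Get-RecentEvents {
    param([string]$LogName, [int]$Id, [int]$Hours = 24)
    # Generic lookback query; errors (e.g. log not present) are suppressed.
    Get-WinEvent -FilterHashtable @{
        LogName = $LogName; Id = $Id; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
}

# Event 5007: Defender configuration changed (covers new exclusions, however set).
# Event 4720: a user account was created.
$findings = [ordered]@{
    DriveRootExclusions     = @(Get-DriveRootExclusions)
    DefenderPolicyTampering = @(Get-DefenderPolicyTampering)
    DefenderConfigChanges   = @(Get-RecentEvents 'Microsoft-Windows-Windows Defender/Operational' 5007)
    NewLocalAccounts        = @(Get-RecentEvents 'Security' 4720)
}

foreach ($k in $findings.Keys) {
    Write-Host ("{0}: {1} finding(s)" -f $k, $findings[$k].Count)
    if ($findings[$k].Count -gt 0) { $findings[$k] | Format-List | Out-String | Write-Host }
}
```

Any non-zero count in the summary warrants review against change records; a drive-root exclusion in particular has no routine administrative justification and should be treated as a high-priority finding.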