Apr 06, 2026 • Microsoft Threat Intelligence
Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations
Executive Summary
Storm-1175 is a financially motivated cybercriminal actor conducting high-tempo ransomware campaigns that exploit N-day and zero-day vulnerabilities in web-facing systems. The group rapidly weaponizes recently disclosed vulnerabilities, sometimes within 24 hours of disclosure, to gain initial access. Following exploitation, Storm-1175 quickly moves to persistence, credential theft, lateral movement, and Medusa ransomware deployment—often completing the attack chain within 24-48 hours. The threat actor has exploited over 16 vulnerabilities since 2023, including multiple zero-days exploited before public disclosure. Recent campaigns have heavily impacted healthcare, education, professional services, and finance sectors in Australia, UK, and US. Mitigation requires rapid patch deployment, continuous vulnerability monitoring, network segmentation, and endpoint detection solutions to identify post-compromise activity.
Summary
The financially motivated cybercriminal threat actor Storm-1175 operates high-velocity ransomware campaigns that weaponize recently disclosed vulnerabilities to obtain initial access, exfiltrate data, and deploy Medusa ransomware. The post Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations appeared first on Microsoft Security Blog.
Published Analysis
The financially motivated cybercriminal actor tracked by Microsoft Threat Intelligence as Storm-1175 operates high-velocity ransomware campaigns that weaponize N-days, targeting vulnerable, web-facing systems during the window between vulnerability disclosure and widespread patch adoption. Following successful exploitation, Storm-1175 rapidly moves from initial access to data exfiltration and deployment of Medusa ransomware, often within a few days and, in some cases, within 24 hours.

The threat actor’s high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States.

The pace of Storm-1175’s campaigns is enabled by the threat actor’s consistent use of recently disclosed vulnerabilities to obtain initial access. While the threat actor typically uses N-day vulnerabilities, we have also observed Storm-1175 leveraging zero-day exploits, in some cases a full week before public vulnerability disclosure. The threat actor has also been observed chaining together multiple exploits to enable post-compromise activity. After initial access, Storm-1175 establishes persistence by creating new user accounts, deploys various tools including remote monitoring and management software for lateral movement, conducts credential theft, and tampers with security solutions before deploying ransomware throughout the compromised environment.

In this blog post, we delve into the attack techniques attributed to Storm-1175 over several years. While Storm-1175’s methodology aligns with the tactics, techniques, and procedures (TTPs) of many tracked ransomware actors, analysis of their post-compromise tactics provides essential insights into how organizations can harden and defend against attackers like Storm-1175, informing opportunities to disrupt attackers even if they have gained initial access to a network.

Storm-1175’s rapid attack chain: From initial access to impact

Exploitation of vulnerable web-facing assets

Storm-1175 rapidly weaponizes recently disclosed vulnerabilities to obtain initial access. Since 2023, Microsoft Threat Intelligence has observed exploitation of over 16 vulnerabilities, including:

- CVE-2023-21529 (Microsoft Exchange)
- CVE-2023-27351 and CVE-2023-27350 (PaperCut)
- CVE-2023-46805 and CVE-2024-21887 (Ivanti Connect Secure and Policy Secure)
- CVE-2024-1709 and CVE-2024-1708 (ConnectWise ScreenConnect)
- CVE-2024-27198 and CVE-2024-27199 (JetBrains TeamCity)
- CVE-2024-57726, CVE-2024-57727, and CVE-2024-57728 (SimpleHelp)
- CVE-2025-31161 (CrushFTP)
- CVE-2025-10035 (GoAnywhere MFT)
- CVE-2025-52691 and CVE-2026-23760 (SmarterMail)
- CVE-2026-1731 (BeyondTrust)

Storm-1175 rotates exploits quickly during the time between disclosure and patch availability or adoption, taking advantage of the period where many organizations remain unprotected. In some cases, Storm-1175 has weaponized exploits for disclosed vulnerabilities in as little as one day, as was the case for CVE-2025-31324 impacting SAP NetWeaver: the security issue was disclosed on April 24, 2025, and we observed Storm-1175 exploitation soon after on April 25.

Figure 1. Timeline of disclosure and exploitation of vulnerabilities used by Storm-1175 in campaigns

In multiple intrusions, Storm-1175 has chained together exploits...
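The analysis above notes that after initial access Storm-1175 establishes persistence by creating new user accounts and deploys remote monitoring and management software, typically completing the chain within a day or two. The following is an added example, not code from the Microsoft post, of the kind of correlation rule a defender can run over exported Windows event logs to surface that sequence: a local account created (Security event 4720), added to a security-enabled local group (4732) and followed by a new service installation (System event 7045) on the same host within a short window. The event IDs are the real Windows ones; the log lines, host and account names, service names and the 24-hour window are constructed assumptions for this example.

```python
"""Correlate Windows event-log records into a post-exploitation persistence alert.

Added example, not from the Microsoft post. Event IDs are the real Windows
Security/System ones (4720 user account created, 4732 member added to a
security-enabled local group, 7045 new service installed); every log line
below is constructed for this example.
"""
import json
from datetime import datetime, timedelta

# Constructed sample export, one JSON object per line, as a SIEM might emit it.
SAMPLE_LOG = """\
{"ts": "2025-04-25T02:10:05Z", "host": "web01", "event_id": 4720, "target": "svc_backup2", "subject": "NT AUTHORITY\\\\SYSTEM"}
{"ts": "2025-04-25T02:10:09Z", "host": "web01", "event_id": 4732, "target": "svc_backup2", "group": "Administrators"}
{"ts": "2025-04-25T02:31:40Z", "host": "web01", "event_id": 7045, "service": "RemoteSupportAgent", "image": "C:\\\\ProgramData\\\\rsa\\\\agent.exe"}
{"ts": "2025-04-25T09:00:00Z", "host": "hr07", "event_id": 4720, "target": "j.doe", "subject": "CORP\\\\helpdesk"}
{"ts": "2025-04-26T08:00:00Z", "host": "fs02", "event_id": 4720, "target": "tmpadmin", "subject": "NT AUTHORITY\\\\SYSTEM"}
{"ts": "2025-04-26T08:00:30Z", "host": "fs02", "event_id": 4732, "target": "tmpadmin", "group": "Administrators"}
{"ts": "2025-04-27T11:15:00Z", "host": "hr07", "event_id": 7045, "service": "Printer Monitor", "image": "C:\\\\Program Files\\\\pm\\\\pm.exe"}
"""

# Assumption: a 24 h window, chosen to match the rapid dwell time the post describes.
WINDOW = timedelta(hours=24)


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=WINDOW):
    """Return one alert per (host, new account) that is elevated within `window`.

    Severity is 'medium' when the new account is added to Administrators, and
    'high' when a new service is also installed on that host inside the window.
    An account creation with no follow-on elevation produces no alert.
    """
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        for created in (e for e in evs if e["event_id"] == 4720):
            deadline = created["ts"] + window
            later = [e for e in evs if created["ts"] < e["ts"] <= deadline]
            elevated = [
                e for e in later
                if e["event_id"] == 4732
                and e.get("target") == created["target"]
                and e.get("group") == "Administrators"
            ]
            if not elevated:
                continue
            services = [e for e in later if e["event_id"] == 7045]
            alerts.append({
                "host": host,
                "account": created["target"],
                "severity": "high" if services else "medium",
                # Evidence keeps the raw event IDs so an analyst can pivot back to the log.
                "evidence": [4720, 4732] + [7045] * len(services),
                "services": [s["service"] for s in services],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert))
```

On the constructed sample this flags web01 as high (account created, made an administrator and a new service installed within half an hour) and fs02 as medium, while hr07 is ignored because the account was never elevated and the later service install falls outside the window. In production the group name, window and service allowlist would be tuned to the environment, and the 7045 match would normally be narrowed further using the service image path.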
Linked Entities
- CVE-2023-27351
- CVE-2024-1708
- CVE-2024-27199
- CVE-2024-57726
- CVE-2024-57728
- Medusa Ransomware
- Storm-1175
- CVE-2023-21529
- CVE-2023-27350
- CVE-2023-46805
- CVE-2024-1709
- CVE-2024-21887