Storm-1175 turns patch gaps into rapid Medusa ransomware intrusions

Storm-1175 turns patch gaps into rapid Medusa ransomware intrusions

Storm-1175 is a financially motivated threat actor that Microsoft says has been using newly disclosed vulnerabilities in internet-exposed software to land inside victim networks and push Medusa ransomware, sometimes within 24 hours of initial access. The report, published on April 6, 2026, ties the group to a fast-moving intrusion pattern that blends N-day exploitation, occasional zero-day use, credential theft, lateral movement, security tampering, and data exfiltration.

For defenders, the key point is speed. This is not just a ransomware story, it is a perimeter exposure story. If a web-facing system is vulnerable and still reachable, Storm-1175 appears able to turn that gap into a full ransomware event before many organizations finish triage.

What happened?

• April 6, 2026: Microsoft published a threat intelligence report describing Storm-1175 as a high-tempo operator linked to Medusa ransomware deployments.
• Microsoft says the actor has exploited more than 16 vulnerabilities across widely deployed enterprise products including Exchange, Ivanti, ScreenConnect, TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail, and BeyondTrust.
• In some cases, Microsoft says Storm-1175 weaponized disclosed flaws within one day of disclosure and, in at least two cases, exploited vulnerabilities roughly a week before public disclosure.
• Microsoft and BleepingComputer highlighted recent zero-day use involving CVE-2025-10035 in GoAnywhere MFT and CVE-2026-23760 in SmarterMail.
• Microsoft says the actor has also chained exploits for post-compromise execution, including the old Exchange OWASSRF path combining CVE-2022-41080 and CVE-2022-41082.

Some underlying intrusion counts remain unconfirmed publicly, but Microsoft says recent activity has heavily affected healthcare, education, professional services, and finance organizations in Australia, the United Kingdom, and the United States.

Who is affected?

The most exposed organizations are those with vulnerable, internet-facing business software that sits close to identity, file transfer, email, remote support, or administrative workflows. Based on Microsoft's reporting, the practical risk is highest for teams running:

• externally reachable web applications without fast patching
• file transfer or collaboration systems with privileged internal reach
• remote management tools that can be repurposed after compromise
• flat environments where weak network segmentation allows a perimeter foothold to spread quickly

Even if your organization is not named in the reporting, the pattern is broadly relevant because Storm-1175 is targeting common enterprise platforms rather than a niche technology stack.

Initial access and kill chain

Microsoft's reporting outlines a consistent operational chain:

1. Initial access: exploit a recent vulnerability in a web-facing system.
2. Persistence: drop a web shell or remote access payload, then create a new local admin account.
3. Execution and pivoting: use PowerShell, PsExec, Cloudflare tunnels, RMM tools, and PDQ Deployer to move across the environment.
4. Credential access: dump LSASS, enable WDigest caching, recover stored secrets, and pull backup credentials where available.
5. Defense evasion: weaken antivirus settings, add exclusions, and tamper with protective controls.
6. Actions on objectives: compress and exfiltrate data, then deploy Medusa ransomware broadly.

This matters because the group appears optimized for operational throughput. The exploit is only the opener. The real risk comes from how quickly the actor converts one exposed service into privileged reach across the network.

MITRE ATT&CK-aligned view

• Initial Access: Exploit Public-Facing Application (T1190)
• Persistence: Create Account (T1136)
• Execution: PowerShell (T1059.001)
• Credential Access: OS Credential Dumping (T1003)
• Lateral Movement: PsExec (T1569.002 / admin tooling abuse), Remote Services (T1021)
• Defense Evasion: Impair Defenses (T1562)
• Exfiltration: Exfiltration to Cloud Storage (T1567)
• Impact: Data Encrypted for Impact (T1486)

Indicators and detection priorities

Defenders should focus less on a single IOC set and more on a recognizable behavior chain.

EDR and host telemetry

• New local administrator account creation on servers that normally do not change often
• PowerShell commands modifying Defender exclusions or firewall rules
• LSASS access, dumping behavior, or suspicious Task Manager use on servers
• RMM binaries appearing on systems where they are not part of standard administration

Identity and authentication

• New privileged account creation soon after exploitation alerts
• Unusual authentication from newly created local admins
• Backup software credential use outside expected admin workflows

Network and proxy telemetry

• Sudden outbound transfers to cloud storage or sync services
• Unusual RDP enablement followed by east-west connections
• Cloudflare tunnel processes renamed to resemble legitimate binaries

Example Splunk SPL pattern

splCopy
(index=wineventlog OR index=sysmon)
((EventCode=4720 OR EventCode=4732) OR CommandLine="*Add-MpPreference*" OR CommandLine="*netsh advfirewall*" OR TargetImage="*lsass.exe*")
| stats count values(CommandLine) values(TargetUserName) by host, user

This is an example hunting pattern, not a product-specific detection rule.

Containment and remediation checklist

🔴 Immediate containment (0–24h)

• Identify and isolate internet-facing systems running the products named in the Microsoft report.
• Patch or remove public exposure for any vulnerable perimeter application immediately.
• Review whether recently disclosed flaws were triaged but not yet remediated.
• Hunt for newly created local admin users on exposed servers.
• Check for web shells, unexpected RMM tools, PDQ Deployer misuse, and Cloudflare tunnel binaries.
• Reset passwords and rotate keys for accounts that may have touched compromised hosts.
• Review backup infrastructure for credential exposure and unauthorized access.
• Block active exfiltration paths and preserve logs for forensics.

🟠 Hardening (24–72h)

• Move internet-facing administrative or transfer systems behind a VPN, reverse proxy, or WAF where possible.
• Enforce tighter access control around high-risk management interfaces.
• Reduce local administrator sprawl and eliminate shared admin credentials.
• Enable or verify tamper protection for endpoint defenses.
• Review ASR rules for LSASS protection and abuse of PsExec or WMI-based execution.
• Audit backup, email, and file-transfer servers for unnecessary trust relationships.

🟡 Longer-term controls (1–4 weeks)

• Tighten external attack surface management and asset inventory for all public-facing software.
• Reduce blast radius with stronger segmentation between perimeter apps, identity systems, and backup infrastructure.
• Build faster patch-to-exposure workflows for high-risk perimeter vulnerabilities.
• Test response playbooks for the first 24 hours of a ransomware intrusion.
• Map where remote support and deployment tooling can be abused and restrict it by policy.

Strategic analysis

The most important lesson from Storm-1175 is that the patch gap itself is becoming the attack window. Traditional advice tells defenders to patch quickly, but Microsoft's timeline suggests some actors are now structured around exploiting the brief period between disclosure and broad patch adoption.

That changes the response model. Teams cannot treat recent perimeter CVEs as ordinary maintenance tasks, especially when they affect email, transfer, remote support, or identity-adjacent software. Once an actor like Storm-1175 lands, the rest of the playbook looks familiar: incident response, credential containment, privileged access review, and segmentation become the difference between a contained event and a business-wide ransomware blast.

There is also a broader market signal here. Medusa's affiliate ecosystem still behaves like a classic ransomware-as-a-service model, but the front-end tradecraft is becoming more professional. Faster exploit adoption means defenders have to compress exposure discovery, patching, and compensating controls into the same window the attackers are already using.

What is Storm-1175?

Storm-1175 is Microsoft's tracking name for a financially motivated threat actor associated with high-tempo intrusions that culminate in Medusa ransomware deployment.

What makes this activity different?

Microsoft says the group repeatedly exploits newly disclosed web-facing flaws and can move from initial access to ransomware deployment in as little as 24 hours.

Which products has the group targeted?

Microsoft cited Exchange, Papercut, Ivanti, ScreenConnect, TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail, and BeyondTrust among the targeted technologies.

Did Microsoft report zero-day use?

Yes. Microsoft says Storm-1175 used at least three zero-days, including recent activity involving GoAnywhere MFT and SmarterMail.

What should defenders do first?

Start by identifying exposed perimeter software, patching or isolating vulnerable systems, and hunting for admin account creation, credential dumping, and unexpected remote management tooling.

Is this only a U.S. problem?

No. Microsoft says recent intrusions impacted organizations in Australia, the United Kingdom, and the United States.

References

1. Storm-1175 focuses gaze on vulnerable web-facing assets in high-tempo Medusa ransomware operations
2. Microsoft links Medusa ransomware affiliate to zero-day attacks
3. #StopRansomware: Medusa Ransomware