A prolific cybercrime group has been weaponizing n-day and zero-day exploits in high-tempo Medusa ransomware attacks over the past three years, Microsoft has revealed.
Storm-1175 is a financially motivated actor that usually exploits the window between vulnerability disclosure and patch adoption, Microsoft said in a blog post on April 6.
“The threat actor’s high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, the UK and US,” it said.
The group has exploited at least 16 vulnerabilities in this way since 2023, including three zero-day flaws such as CVE-2025-10035. That vulnerability in GoAnywhere Managed File Transfer, was exploited one week before public disclosure last year.
Read more on Storm-1175: Microsoft: Critical GoAnywhere Bug Exploited in Medusa Ransomware Campaign
Microsoft pointed to several typical TTPs used by Storm-1175:
- The group creates a web shell or drops a remote access payload to establish an initial foothold – moving from initial access to ransomware deployment in one to six days
- It establishes persistence by creating a new user and adding that user to the administrator’s group
- It rotates various tools for reconnaissance and lateral movement, including living-off-the-land binaries (LOLBins), such as PowerShell and PsExec, followed by Cloudflare tunnels to move laterally over Remote Desktop Protocol (RDP) and deliver payloads to new devices
- It uses multiple remote monitoring and management (RMM) tools during post-compromise activity such as creating new user accounts, enabling alternative command-and-control (C2) methods, delivering additional payloads, or using as interactive remote desktop sessions
- Legitimate software deployment tool PDQ Deployer is sometimes used to silently install applications for lateral movement and payload delivery
- Python-based tool Impacket is sometimes used for lateral movement and credential dumping
- The group occasionally modifies Microsoft Defender Antivirus settings stored in the registry to prevent it blocking ransomware payloads
How to Tackle Storm-1175
Microsoft said the group has already exploited vulnerabilities in Exchange, Papercut, Ivanti Connect Secure and Policy Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail and BeyondTrust.
To mitigate the threat of attack, organizations should first use perimeter scanning tools to understand the extent of their attack surface, Microsoft recommended. Web-facing systems should be isolated from the public internet with a secure network boundary and accessed only via a virtual private network (VPN).
If they must be connected, organizations should place these systems behind a web application firewall (WAF), reverse proxy, or perimeter network (aka DMZ), the report continued.
Microsoft also recommended:
- Following its ransomware guidance on credential hygiene and limiting lateral movement
- Implementing Credential Guard to protect credentials stored in process memory
- Turning on tamper protection to prevent attackers from stopping security services or using antivirus exclusions
- Removing unapproved RMM installations and adding multi-factor authentication (MFA) to approved ones
- Configuring XDR tools to prevent common attack techniques used in ransomware attacks
