Storm-1175 actors are running up-tempo campaigns to deliver Medusa ransomware, putting pressure on organizations to patch critical vulnerabilities faster.
In a blog post on Monday, Microsoft Threat Intelligence detailed how Storm-1175, a financially motivated cybercrime group, is conducting “high velocity ransomware campaigns” that typically exploit known vulnerabilities in the sweet spot for threat actors: the time between a vulnerability’s initial disclosure and the widespread adoption of the patch. Microsoft also tied the exploitation of several zero-day vulnerabilities to the group.
Storm-1175’s playbook appears to be predicated on speed. Attackers move quickly from vulnerability exploitation to data exfiltration and, finally, delivery of Medusa ransomware, “often within a few days and, in some cases, within 24 hours,” according to Microsoft.
“The threat actor’s high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States,” the blog post stated.
The rapid pace of these attacks is the latest example of threat actors outpacing the typical response time for organizations to patch critical flaws. Sherrod DeGrippo, general manager of threat intelligence at Microsoft, tells Dark Reading that given Storm-1175’s operational speed, “patches should be prioritized immediately upon release.”
Storm-1175’s Exploitation of N-Days and Zero-Days
Microsoft noted that Storm-1175 has rapidly exploited more than a dozen known vulnerabilities, or N-days, the most recent being CVE-2026-1731, a critical remote code execution flaw in BeyondTrust Remote Support and older versions of the vendor's Privileged Remote Access (PRA). The vulnerability was initially disclosed Feb. 6 and quickly came under attack, with the Cybersecurity and Infrastructure Security Agency (CISA) adding it to the Known Exploited Vulnerabilities (KEV) catalog a week later.
Other notable flaws exploited by Storm-1175 include CVE-2025-31161, a critical authentication bypass in CrushFTP's file transfer software that also sparked a public disclosure dispute last spring; CVE-2024-27198, another critical authentication bypass, this one in JetBrains TeamCity, which saw mass exploitation within days of its public disclosure in March 2024; and CVE-2023-21529, one of three Microsoft Exchange vulnerabilities from the February 2023 Patch Tuesday release (in-the-wild exploitation of CVE-2023-21529 had not been publicly confirmed before Monday's blog post).
Microsoft also connected a few zero-day vulnerabilities to Storm-1175 attacks. The most recent example is CVE-2026-23760, a critical authentication bypass vulnerability in SmarterMail that was exploited by various threat groups, including the China-linked Storm-2603.
Additionally, Storm-1175 weaponized CVE-2025-10035, a maximum-severity flaw in the License Servlet of GoAnywhere Managed File Transfer (MFT). Microsoft noted that both CVEs were exploited about a week before public disclosure.
“While these more recent attacks demonstrate an evolved development capability or new access to resources like exploit brokers for Storm-1175, it is worth noting that GoAnywhere MFT has previously been targeted by ransomware attackers, and that the SmarterMail vulnerability was reportedly similar to a previously disclosed flaw,” the blog post stated. “These factors may have helped to facilitate subsequent zero-day exploitation activity by Storm-1175, who still primarily leverages N-day vulnerabilities.”
Security Solutions Tampering
Microsoft Threat Intelligence detailed other facets of Storm-1175’s campaigns, such as the use of remote monitoring and management (RMM) software for lateral movement, Impacket for credential dumping, and the command-line tool Rclone for data exfiltration.
One notable technique that the software giant highlighted was the group’s ability to tamper with security solutions, namely Microsoft Defender Antivirus. The blog post noted that the threat actors modified the program’s settings stored in Windows’ registry, allowing Medusa payloads to execute.
Microsoft noted that such tampering requires an attacker to first obtain access to highly privileged accounts, which makes the credential dumping phase a critical link in Storm-1175's attack chain. "For this reason, prioritizing alerts related to credential theft activity, which typically indicate an active attacker in the environment, is essential to responding to ransomware signals and preventing attackers from gaining privileged account access," Microsoft Threat Intelligence wrote in the blog post.
DeGrippo says the tampering activity prevents the security program from scanning the targeted system's C drive and allows Medusa payloads to run without any alerts. To mitigate the threat, organizations should enable Microsoft Defender Antivirus' tamper protection across the tenant and take advantage of the "DisableLocalAdminMerge" setting, which ignores exclusions and other list settings configured by a local administrator in favor of the centrally managed policy, so that an attacker holding local admin privileges cannot simply add an exclusion.
Additionally, Microsoft recommended that organizations isolate Web-facing systems from the public Internet where possible, and place any servers that must remain publicly accessible behind a Web application firewall, proxy server, or DMZ. The company also urged customers to implement Windows' Credential Guard, a security feature that uses virtualization-based security to isolate the credentials LSASS holds in process memory from the rest of the operating system.
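The following PowerShell script is an added example, not code from the Microsoft blog post or from Dark Reading, that audits a single Windows host for the tampering and hardening points discussed above: tamper protection and real-time protection state, drive-root exclusions of the kind that would stop the C drive from being scanned, the DisableLocalAdminMerge policy value, Credential Guard status, and recent Defender configuration-change events. It assumes an elevated PowerShell session on a host with Microsoft Defender Antivirus installed; the registry paths and event IDs are the ones documented for the Defender Group Policy settings and the Defender operational log.

```powershell
# Added example (not part of the original article or Microsoft's blog post).
# Audit one host for Defender tampering indicators and the recommended hardening.
# Assumes: elevated session, Microsoft Defender Antivirus present, Windows 10/11 or Server.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Tamper protection and real-time protection state.
$status = Get-MpComputerStatus
if (-not $status.IsTamperProtected) {
    $findings.Add("Tamper protection is OFF: a local admin token is enough to change Defender settings.")
}
if (-not $status.RealTimeProtectionEnabled) {
    $findings.Add("Real-time protection is disabled.")
}

# 2. Exclusions. A drive-root exclusion such as 'C:\' or a UNC root means the whole
#    volume is skipped; any exclusion list should be reviewed against the policy baseline.
$prefs = Get-MpPreference
$paths = @($prefs.ExclusionPath | Where-Object { $_ })
foreach ($p in $paths) {
    if ($p -match '^[A-Za-z]:\\?$' -or $p -match '^\\\\[^\\]+\\?$') {
        $findings.Add("Drive/share-root exclusion present: $p")
    }
}
"Exclusions: {0} path(s), {1} extension(s), {2} process(es)" -f `
    $paths.Count, @($prefs.ExclusionExtension | Where-Object { $_ }).Count,
    @($prefs.ExclusionProcess | Where-Object { $_ }).Count

# 3. Registry values an attacker typically flips, under both the live key and the policy key.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
)
foreach ($k in $keys) {
    $v = (Get-ItemProperty -Path $k -Name DisableAntiSpyware -ErrorAction SilentlyContinue).DisableAntiSpyware
    if ($v -eq 1) { $findings.Add("DisableAntiSpyware=1 under $k") }
    $rtp = Join-Path $k 'Real-Time Protection'
    $v = (Get-ItemProperty -Path $rtp -Name DisableRealtimeMonitoring -ErrorAction SilentlyContinue).DisableRealtimeMonitoring
    if ($v -eq 1) { $findings.Add("DisableRealtimeMonitoring=1 under $rtp") }
}

# DisableLocalAdminMerge (policy-only value). Only meaningful when exclusions are
# managed centrally; with it set to 1, locally added lists are not merged into policy.
$merge = (Get-ItemProperty -Path $keys[1] -Name DisableLocalAdminMerge -ErrorAction SilentlyContinue).DisableLocalAdminMerge
if ($merge -ne 1) {
    $findings.Add("DisableLocalAdminMerge is not set to 1: locally added exclusions will be honored.")
}

# 4. Credential Guard. Win32_DeviceGuard.SecurityServicesRunning contains 1 when it is running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if (-not $dg -or (@($dg.SecurityServicesRunning) -notcontains 1)) {
    $findings.Add("Credential Guard is not running on this host.")
}

# 5. Recent configuration changes in the Defender operational log:
#    5001 = real-time protection disabled, 5007 = configuration changed (logs old/new value),
#    5010 / 5012 = malware / virus scanning disabled.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = @(5001, 5007, 5010, 5012)
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
foreach ($e in @($events)) {
    # 5007 messages that touch Exclusions or DisableRealtimeMonitoring are the ones to chase.
    if ($e.Id -ne 5007 -or $e.Message -match 'Exclusions|DisableRealtimeMonitoring|DisableAntiSpyware') {
        $findings.Add(("{0} event {1}: {2}" -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0].Trim()))
    }
}

if ($findings.Count -eq 0) {
    "No Defender tampering indicators or hardening gaps found."
    exit 0
}
"Findings:"
$findings | ForEach-Object { " - $_" }
exit 1
```

Run it from an elevated prompt on a suspect host or as a scheduled compliance check; a non-zero exit code signals that at least one finding needs review. The 5007 events are the most direct evidence of the registry tampering Microsoft describes, because each one records the old and new value of the Defender setting that changed.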
