Storm-1175 Exploits Software Flaws in Medusa Ransomware Attacks

Summary
– The cybercrime group Storm-1175 has conducted high-tempo Medusa ransomware attacks for three years by exploiting both n-day and zero-day vulnerabilities.
– This financially motivated actor primarily targets the gap between vulnerability disclosure and patch adoption, heavily impacting sectors like healthcare and education.
– Its attack process involves establishing an initial foothold with web shells, achieving persistence via new admin users, and using tools like LOLBins and Cloudflare tunnels for lateral movement.
– The group employs various post-compromise tools, including remote monitoring software and PDQ Deployer, and sometimes disables Microsoft Defender to deploy ransomware.
– Microsoft recommends mitigation strategies such as using perimeter scanning, isolating web-facing systems, and employing web application firewalls or VPNs.
A financially motivated cybercrime group has been conducting a relentless series of Medusa ransomware attacks by exploiting both newly disclosed and previously unknown software flaws. According to a recent Microsoft report, the threat actor known as Storm-1175 has maintained a high operational tempo for three years, capitalizing on the critical period between when a vulnerability is announced and when organizations apply security patches. This strategy has led to significant intrusions, with recent campaigns heavily affecting healthcare organizations, as well as entities in education, professional services, and finance across Australia, the United Kingdom, and the United States.
Since 2023, the group has weaponized at least 16 vulnerabilities in this manner, including three zero-day flaws. One notable example is CVE-2025-10035, a critical weakness in Fortra’s GoAnywhere Managed File Transfer software, which Storm-1175 exploited a full week before its public disclosure last year. The group’s success stems from its proficiency in rapidly identifying and targeting exposed perimeter assets before defenders can respond.
Microsoft’s analysis outlines a consistent set of tactics, techniques, and procedures (TTPs) employed by this actor. After gaining initial access, often through an unpatched vulnerability, Storm-1175 typically establishes a foothold within one to six days by deploying a web shell or a remote access payload. To ensure persistence, the group creates new user accounts and adds them to local administrator groups. For reconnaissance and moving laterally across a network, the actors rotate through an array of tools. They frequently use living-off-the-land binaries (LOLBins) like PowerShell and PsExec, later establishing Cloudflare tunnels to propagate over Remote Desktop Protocol and deliver payloads to additional devices.
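The persistence step described above (a new local account that is promptly added to the local Administrators group) leaves a recognisable pair of Windows Security log events: 4720 (user account created) followed by 4732 (member added to a security-enabled local group) for the Administrators group, whose well-known SID is S-1-5-32-544. The detector below is an added example written for this article, not code from Microsoft's report or from the Infosecurity Magazine piece; the event records are constructed, the field names only loosely follow the Windows event schema, and the one-hour correlation window is an assumption a team would tune to its own environment.

```python
"""Correlate account creation with a later add to the local Administrators group.

Added example (not from the Microsoft report or the article). Event IDs 4720 and
4732 are standard Windows Security log IDs; the records below are constructed.
"""
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group

# Constructed sample records (not real telemetry). Field names approximate the
# Windows event schema: 4720 = user account created, 4732 = member added to a
# security-enabled local group (TargetSid is the group's SID).
SAMPLE_EVENTS = [
    {"time": "2025-09-12T02:14:05", "id": 4720, "TargetUserName": "svc_update",
     "SubjectUserName": "NT AUTHORITY\\SYSTEM"},
    {"time": "2025-09-12T02:14:09", "id": 4732, "MemberName": "WEB01\\svc_update",
     "TargetSid": "S-1-5-32-544", "SubjectUserName": "NT AUTHORITY\\SYSTEM"},
    # A helpdesk-created user placed in the Users group (S-1-5-32-545): benign
    {"time": "2025-09-12T09:30:00", "id": 4720, "TargetUserName": "jdoe",
     "SubjectUserName": "CORP\\helpdesk"},
    {"time": "2025-09-12T09:31:00", "id": 4732, "MemberName": "WEB01\\jdoe",
     "TargetSid": "S-1-5-32-545", "SubjectUserName": "CORP\\helpdesk"},
    # Same user elevated three days later: outside the correlation window
    {"time": "2025-09-15T11:00:00", "id": 4732, "MemberName": "WEB01\\jdoe",
     "TargetSid": "S-1-5-32-544", "SubjectUserName": "CORP\\helpdesk"},
]


def find_new_admin_accounts(events, window=timedelta(hours=1)):
    """Return one alert per account that was created and then added to the
    local Administrators group within `window` (assumed one hour)."""
    created = {}   # lower-cased username -> creation timestamp
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["TargetUserName"].lower()] = ts
        elif ev["id"] == 4732 and ev["TargetSid"] == ADMINISTRATORS_SID:
            # MemberName is "HOST\user"; keep only the user part for the lookup
            user = ev["MemberName"].split("\\")[-1].lower()
            t0 = created.get(user)
            if t0 is not None and ts - t0 <= window:
                alerts.append({
                    "user": user,
                    "created": t0.isoformat(),
                    "elevated": ts.isoformat(),
                    "by": ev["SubjectUserName"],
                    "seconds": int((ts - t0).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_new_admin_accounts(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed sample, only `svc_update` is reported: it was created and elevated four seconds apart by the SYSTEM account, which is what a web-shell-driven command on a perimeter server tends to look like. The `jdoe` records show the two ways a legitimate change falls outside the rule (a non-admin group, or an elevation long after creation); in production the SubjectUserName field is the natural pivot for separating change-management activity from everything else.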
During post-compromise activities, Storm-1175 utilizes multiple remote monitoring and management (RMM) tools. These legitimate utilities are repurposed to create accounts, enable alternative command-and-control channels, deliver additional malware, or establish interactive remote desktop sessions. The group has also been observed using the software deployment tool PDQ Deploy to silently install applications that aid lateral movement. For credential harvesting and network propagation, the Python-based framework Impacket is sometimes deployed. In some cases, the actors directly modify Microsoft Defender Antivirus settings stored in the Windows registry to prevent the security software from blocking their final ransomware payload.
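The Defender tampering mentioned above is visible to defenders because Microsoft Defender Antivirus records its own configuration changes as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, with the registry value that changed and its old and new values in the message body. The parser below is an added example for this article, not code from Microsoft or from the cited report: the message texts are constructed to resemble the 5007 format (exact wording varies between Defender builds), and the list of protection-disabling value names is a real but deliberately short selection, not an exhaustive one.

```python
"""Flag Defender Event ID 5007 configuration changes that switch protection off.

Added example (not from the article or Microsoft). Sample messages are
constructed to resemble 5007 bodies; real wording may differ by version.
"""
import re

# Registry values that disable a protection feature when set to 1. These are
# real Defender / Defender policy value names; the set is not exhaustive.
WEAKENING_VALUES = {
    "DisableRealtimeMonitoring",
    "DisableAntiSpyware",
    "DisableBehaviorMonitoring",
    "DisableIOAVProtection",
    "DisableOnAccessProtection",
}

# Matches "Old value: HKLM\...\Key\ValueName = 0x1" or "New value: ..." lines.
VALUE_RE = re.compile(
    r"(?P<kind>Old|New) value:\s*"
    r"(?P<path>HK[A-Z_]+\\[^=]+?)\\(?P<name>[^\\=\s]+)\s*=\s*"
    r"(?P<val>0x[0-9A-Fa-f]+|\d+)"
)

# Constructed sample 5007 message bodies (not real telemetry).
SAMPLE_5007 = [
    # Real-time protection switched off: should be flagged
    "Microsoft Defender Antivirus Configuration has changed.\n"
    r"Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x0" "\n"
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1",
    # Benign: a scan parameter changed
    "Microsoft Defender Antivirus Configuration has changed.\n"
    r"Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters = 0x1" "\n"
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters = 0x2",
    # Policy-level disable with no previous value: should be flagged
    "Microsoft Defender Antivirus Configuration has changed.\n"
    "Old value: \n"
    r"New value: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 0x1",
    # Protection restored (1 -> 0): not flagged
    "Microsoft Defender Antivirus Configuration has changed.\n"
    r"Old value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1" "\n"
    r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x0",
]


def parse_5007(message):
    """Return {'Old': (key_path, value_name, int), 'New': (...)} for the
    value lines present in a 5007 message body (missing lines are omitted)."""
    parsed = {}
    for m in VALUE_RE.finditer(message):
        parsed[m.group("kind")] = (m.group("path"), m.group("name"), int(m.group("val"), 0))
    return parsed


def weakening_changes(messages):
    """Return an alert for every message whose new value turns a protection off."""
    alerts = []
    for msg in messages:
        new = parse_5007(msg).get("New")
        if new is None:
            continue
        key_path, name, value = new
        if name in WEAKENING_VALUES and value == 1:
            old = parse_5007(msg).get("Old")
            alerts.append({"value": name, "key": key_path,
                           "old": old[2] if old else None, "new": value})
    return alerts


if __name__ == "__main__":
    for alert in weakening_changes(SAMPLE_5007):
        print(alert)
```

Two of the four constructed messages are flagged: the real-time monitoring switch flipped from 0 to 1, and a policy-key DisableAntiSpyware that appears with no prior value. The reverse transition is deliberately ignored so that an administrator restoring protection does not page anyone. Because the policy hive (HKLM\SOFTWARE\Policies\...) overrides the product hive, a change in either location is worth alerting on, and Defender's own tamper protection, where enabled, is the control that stops the change from taking effect at all.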
The list of software products exploited by Storm-1175 is extensive and includes widely used platforms. Microsoft notes the group has already targeted vulnerabilities in Exchange Server, PaperCut, Ivanti Connect Secure and Policy Secure, ConnectWise ScreenConnect, and JetBrains TeamCity. Other affected software includes SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail, and BeyondTrust solutions.
To defend against this persistent threat, Microsoft provides several key mitigation recommendations. Organizations should first use perimeter scanning tools to gain a comprehensive understanding of their external attack surface. Ideally, web-facing systems should be isolated from the public internet behind a secure network boundary and accessed exclusively through a virtual private network (VPN). For systems that must remain connected, placing them behind a web application firewall (WAF), a reverse proxy, or a perimeter network (DMZ) is critical. Above all, rigorous patch management that rapidly remediates known vulnerabilities remains the most effective defense against groups like Storm-1175, which thrive on the delay between disclosure and patching.
(Source: Infosecurity Magazine)