A new ransomware campaign is putting organizations on high alert. A financially motivated threat group known as Storm-1175 has been running fast-paced attacks targeting vulnerable, internet-facing systems \u2014 and deploying the Medusa ransomware as the final blow. <\/p>\n
What makes this group especially dangerous is how quickly it moves: from the moment it breaks in, attackers can lock down an entire organization in as little as 24 hours.<\/a><\/p>\n Storm-1175 has built its operations around one approach \u2014 striking during the short gap between when a software flaw is publicly disclosed and when IT teams patch it. <\/p>\n Security professionals call these \u201cN-day\u201d vulnerabilities: flaws that have been announced but remain unpatched across many systems. <\/p>\n The group scans for internet-exposed applications, including file transfer tools and mail servers, still running vulnerable versions. Even a few days of exposure is enough for attackers to gain entry.<\/p>\n Microsoft Threat Intelligence analysts identified Storm-1175<\/a> as responsible for these campaigns, tracking the group since 2023. Researchers noted the group exploiting over 16 known vulnerabilities across enterprise platforms. <\/p>\n Beyond N-day exploitation, analysts confirmed Storm-1175 also developed the ability to use zero-day flaws \u2014 ones not yet publicly known. <\/p>\n In one case, the group exploited CVE-2026-23760, a SmarterMail flaw, a full week before public disclosure. Similarly, CVE-2025-10035 in Fortra\u2019s GoAnywhere Managed File Transfer was exploited one week before official announcement.<\/p>\n Medusa ransomware operates as a Ransomware-as-a-Service platform<\/a> \u2014 its developers rent tools and infrastructure to affiliates like Storm-1175. <\/p>\n Medusa uses a double extortion model: attackers encrypt victim data while stealing it, then threaten to release the files publicly if a ransom goes unpaid. <\/p>\n This puts organizations under enormous pressure, combining operational disruption with the long-term risk of data exposure. Industries that rely on internet-facing platforms face the highest risk from Storm-1175\u2019s campaigns.<\/p>\n Once Storm-1175 gets inside a target environment, the attack follows a rehearsed sequence of steps. The group first plants a web shell or drops a remote access payload \u2014 a small piece of code that allows reconnection to the compromised system at any time, even after the original flaw is patched. <\/p>\n New user accounts are also created early on to maintain a backup access path into the network.<\/p>\n From there, Storm-1175 deploys legitimate remote monitoring and management tools, blending activity into the normal traffic IT teams generate. <\/p>\n These tools allow attackers to move across internal systems without triggering security alerts. To disable defenses, the group tampers with Microsoft Defender Antivirus settings stored in the Windows registry \u2014 a step that requires highly privileged account access. <\/p>\n Attackers also use encoded PowerShell commands to add entire drives to antivirus exclusion lists, stopping security software<\/a> from scanning for malicious files. Meanwhile, credential theft targets high-privilege accounts needed to push ransomware across the entire network.<\/p>\n When ready to finish the operation, Storm-1175 uses Bandizip to package collected files and Rclone to transfer that data to remote, attacker-controlled cloud storage. <\/p>\n PDQ Deployer is then used to execute a script called\u00a0RunFileCopy.cmd<\/em>, pushing Medusa ransomware payloads to every reachable machine. <\/p>\n In some cases, the group uses elevated privileges to trigger a Group Policy update, deploying ransomware simultaneously across every system in the domain.<\/a><\/p>\n Microsoft and security researchers advise organizations to patch internet-facing systems without delay \u2014 particularly within 72 hours for any vulnerability listed in the CISA Known Exploited Vulnerabilities catalog. <\/p>\n Security teams should monitor alerts tied to credential theft<\/a>, unauthorized registry changes, and new user account creation, as these are reliable early warning signs of an active attacker. <\/p>\n Restricting RMM tools<\/a> to approved applications and enforcing multi-factor authentication on all privileged accounts are also critical steps. Teams should regularly audit antivirus exclusion paths to detect unauthorized modifications before attackers can exploit the gap.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Microsoft Warns Storm-1175 Exploits Web-Facing Assets 0-Day Flaws in Medusa Ransomware Attacks<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Storm-1175](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhDmZiMubRIK963FBD3NWu0fDbpID5WwkAc_zwR1QrpFkUAHlNBDMrK-XwpNOfZ7IhyphenhyphenfXbPipws7GcgkxadviYGHVzIjNnw5qaE8QnMUI9B8hiL_TOcXZMRpdl01GfPuTFTvMSW_mwWnbfiO8aB6KnxcAfxJidiOU5vedTs22Qka8BVoJiDfQ8deHM_rKc\/s16000\/Storm-1175%2520attack%2520chain%2520%28Source%2520-%2520Microsoft%29.webp?ssl=1\")
Inside Storm-1175\u2019s Post-Compromise Playbook<\/strong><\/h2>\n