Storm-1175 Exploits 16 Vulnerabilities in High-Tempo Medusa Ransomware Attacks
Microsoft reveals that the financially motivated threat actor Storm-1175 has been conducting rapid Medusa ransomware attacks since 2023, exploiting at least 16 vulnerabilities including the zero-day CVE-2025-10035 in GoAnywhere MFT.

Microsoft has disclosed that a prolific cybercrime group, tracked as Storm-1175, has been weaponizing n-day and zero-day exploits in high-tempo Medusa ransomware attacks over the past three years. The financially motivated actor typically exploits the window between vulnerability disclosure and patch adoption, according to a blog post published on April 6. The group's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in education, professional services, and finance sectors in Australia, the UK, and the US.
Storm-1175 has exploited at least 16 vulnerabilities since 2023, including three zero-day flaws such as CVE-2025-10035 in GoAnywhere Managed File Transfer, which was exploited one week before public disclosure last year. The group targets a wide range of products, including Exchange, PaperCut, Ivanti Connect Secure and Policy Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail, and BeyondTrust.
Microsoft detailed several typical TTPs used by Storm-1175. The group creates a web shell or drops a remote access payload to establish an initial foothold, moving from initial access to ransomware deployment in one to six days. It establishes persistence by creating a new user account and adding it to the local Administrators group. For reconnaissance and lateral movement, the group rotates through various tools, including living-off-the-land binaries (LOLBins) such as PowerShell and PsExec, and then uses Cloudflare tunnels to move laterally over RDP and deliver payloads to new devices.
Storm-1175 uses multiple remote monitoring and management (RMM) tools during post-compromise activity, for tasks such as creating new user accounts, enabling alternative C2 methods, delivering additional payloads, or running interactive remote desktop sessions. The legitimate software deployment tool PDQ Deployer is sometimes used to silently install applications for lateral movement and payload delivery. The Python-based tool Impacket is also used for lateral movement and credential dumping. Additionally, the group occasionally modifies Microsoft Defender Antivirus settings stored in the registry to prevent it from blocking ransomware payloads.
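The persistence pattern described above (a newly created account promoted straight into the local Administrators group) is simple to hunt for in Windows Security logs. The following is an added detection example, not code from Microsoft's report: it correlates event ID 4720 (user account created) with event ID 4732 (member added to a security-enabled local group, here the well-known BUILTIN\Administrators SID S-1-5-32-544) on the same host within a short window. The event records are constructed and use simplified field names; hostnames, account names and the one-hour window are assumptions.

```python
from datetime import datetime, timedelta

ADMINS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators

# Constructed sample events (not real telemetry). Fields are a simplified
# view of the Security log: 4720 = user account created, 4732 = member
# added to a security-enabled local group. Hostnames/accounts are made up.
SAMPLE_EVENTS = [
    {"time": "2025-01-10T02:14:05", "id": 4720, "host": "EDGE01",
     "target": "svc_backup", "subject": "web_svc"},
    {"time": "2025-01-10T02:14:41", "id": 4732, "host": "EDGE01",
     "target": "svc_backup", "group_sid": ADMINS_SID, "subject": "web_svc"},
    # Benign: account created by helpdesk, later added to Remote Desktop
    # Users (S-1-5-32-555), not Administrators, and a day apart.
    {"time": "2025-01-10T09:30:00", "id": 4720, "host": "WS17",
     "target": "jdoe", "subject": "helpdesk"},
    {"time": "2025-01-11T09:31:00", "id": 4732, "host": "WS17",
     "target": "jdoe", "group_sid": "S-1-5-32-555", "subject": "helpdesk"},
]


def find_new_admin_users(events, window=timedelta(hours=1)):
    """Return one record per (host, user) where the account was created
    (4720) and then added to local Administrators (4732) within `window`."""
    created = {}   # (host, user) -> creation timestamp
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["host"], ev["target"].lower())
        if ev["id"] == 4720:
            created[key] = ts
        elif ev["id"] == 4732 and ev.get("group_sid") == ADMINS_SID:
            t0 = created.get(key)
            if t0 is not None and timedelta(0) <= ts - t0 <= window:
                hits.append({"host": ev["host"], "user": ev["target"],
                             "created": t0.isoformat(),
                             "elevated": ts.isoformat(),
                             "by": ev["subject"]})
    return hits


if __name__ == "__main__":
    for hit in find_new_admin_users(SAMPLE_EVENTS):
        print("ALERT new local admin:", hit)
```

In production the same correlation can be expressed as a SIEM or XDR rule; the window and the list of privileged groups should be tuned to the environment.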
To mitigate the threat, Microsoft recommends that organizations first use perimeter scanning tools to understand their attack surface. Web-facing systems should be isolated from the public internet with a secure network boundary and accessed only via VPN. If they must be connected, organizations should place these systems behind a web application firewall (WAF), reverse proxy, or perimeter network (DMZ). Microsoft also advises following its ransomware guidance on credential hygiene and limiting lateral movement, implementing Credential Guard to protect credentials stored in process memory, turning on tamper protection to prevent attackers from stopping security services, removing unapproved RMM installations, and configuring XDR tools to prevent common attack techniques used in ransomware attacks.
The disclosure of Storm-1175's activities highlights the ongoing threat posed by financially motivated ransomware groups that rapidly exploit known vulnerabilities. The group's ability to move from initial access to ransomware deployment in as little as one day underscores the importance of timely patching and robust security monitoring. Organizations in targeted sectors should prioritize vulnerability management and implement the recommended mitigations to defend against these high-tempo attacks.