Storm-1175 Deploys Medusa Ransomware at 'High Velocity'
Rob Wright, Senior News Director, Dark Reading
April 7, 2026
4 Min Read
Storm-1175 actors are running up-tempo campaigns to deliver Medusa ransomware, putting pressure on organizations to patch critical vulnerabilities faster.
In a blog post on Monday, Microsoft Threat Intelligence detailed how Storm-1175, a financially motivated cybercrime group, is conducting "high velocity ransomware campaigns" that typically exploit known vulnerabilities in the sweet spot for threat actors: the time between a vulnerability's initial disclosure and the widespread adoption of the patch. Microsoft also tied the exploitation of several zero-day vulnerabilities to the group.
Storm-1175's playbook appears to be predicated on speed. Attackers move quickly from vulnerability exploitation to data exfiltration and, finally, delivery of Medusa ransomware, "often within a few days and, in some cases, within 24 hours," according to Microsoft.
"The threat actor's high operational tempo and proficiency in identifying exposed perimeter assets have proven successful, with recent intrusions heavily impacting healthcare organizations, as well as those in the education, professional services, and finance sectors in Australia, United Kingdom, and United States," the blog post stated.
The rapid pace of these attacks is the latest example of threat actors outpacing the typical response time for organizations to patch critical flaws. Sherrod DeGrippo, general manager of threat intelligence at Microsoft, tells Dark Reading that given Storm-1175's operational speed, "patches should be prioritized immediately upon release."
Storm-1175's Exploitation of N-Days and Zero-Days
Microsoft noted that Storm-1175 has rapidly exploited more than a dozen known vulnerabilities, or N-days, the most recent of which is CVE-2026-1731, a critical remote code execution flaw in BeyondTrust Remote Support and older versions of the vendor's Privileged Remote Access (PRA). The vulnerability was initially disclosed Feb. 6 and quickly came under attack, with the Cybersecurity and Infrastructure Security Agency (CISA) adding it to the Known Exploited Vulnerabilities (KEV) catalog a week later.
Other notable flaws exploited by Storm-1175 include CVE-2025-31161, a critical authentication bypass vulnerability in CrushFTP's file transfer software that also sparked a public disclosure dispute last spring; CVE-2024-27198, another critical authentication bypass flaw, this time affecting JetBrains' TeamCity and seeing mass exploitation just days after public disclosure in March 2024; and CVE-2023-21529, one of three Microsoft Exchange vulnerabilities disclosed in the Patch Tuesday release for February 2023 (exploitation activity for CVE-2023-21529 was not confirmed prior to Monday's blog post).
Microsoft also connected a few zero-day vulnerabilities to Storm-1175 attacks. The most recent example is CVE-2026-23760, a critical authentication bypass vulnerability in SmarterMail that was exploited by various threat groups, including the China-linked Storm-2603.
Additionally, Storm-1175 weaponized CVE-2025-10035, a maximum-severity flaw in the GoAnywhere Managed File Transfer (MFT) License Servlet. Microsoft noted that both CVEs were exploited about a week before public disclosure.
"While these more recent attacks demonstrate an evolved development capability or new access to resources like exploit brokers for Storm-1175, it is worth noting that GoAnywhere MFT has previously been targeted by ransomware attackers, and that the SmarterMail vulnerability was reportedly similar to a previously disclosed flaw," the blog post stated. "These factors may have helped to facilitate subsequent zero-day exploitation activity by Storm-1175, who still primarily leverages N-day vulnerabilities."
Security Solutions Tampering
Microsoft Threat Intelligence detailed other facets of Storm-1175's campaigns, such as the use of remote monitoring and management (RMM) software for lateral movement, Impacket for credential dumping, and the command-line tool Rclone for data exfiltration.
One notable technique that the software giant highlighted was the group's ability to tamper with security solutions, namely Microsoft Defender Antivirus. The blog post noted that the threat actors modified the program's settings stored in Windows' registry, allowing Medusa payloads to execute.
Microsoft noted that such tampering requires an attacker to first obtain access to highly privileged accounts, which makes the credential-dumping phase of Storm-1175's attack chain critical. "For this reason, prioritizing alerts related to credential theft activity, which typically indicate an active attacker in the environment, is essential to responding to ransomware signals and preventing attackers from gaining privileged account access," Microsoft Threat Intelligence wrote in the blog post.
DeGrippo says the tampering activity prevents the security program from scanning the targeted system's C drive and allows Medusa payloads to run without any alerts. To mitigate the threat, organizations should enable Windows Defender Antivirus' tamper protection features across the tenant and take advantage of the "DisableLocalAdminMerge" setting, which prevents threat actors from using local administrator privileges to set antivirus exclusions.
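As an added illustration (not code from Microsoft's blog post or from this article), the following PowerShell audit checks a single host for the conditions discussed above: whether tamper protection is on, whether a drive-root exclusion of the kind that would stop scanning of the C drive is present, and whether DisableLocalAdminMerge is enforced. The registry policy path used for the last check is an assumption of this script, as is the hypothetical choice to flag any drive-root exclusion as a finding.

```powershell
# Added example: audit Defender for the tampering exposure described in the article.
# Assumes the Defender PowerShell module is present and an elevated session.
$findings = @()

# 1. Tamper protection: when enabled, local changes to Defender settings
#    (including exclusions written to the registry) are blocked.
$status = Get-MpComputerStatus
if (-not $status.IsTamperProtected) {
    $findings += 'Tamper protection is OFF: local registry edits to Defender settings take effect.'
}
if (-not $status.RealTimeProtectionEnabled) {
    $findings += 'Real-time protection is disabled.'
}

# 2. Exclusions broad enough to hide a ransomware payload, e.g. a whole drive root
#    such as "C:" or "C:\" (regex is a hypothetical heuristic, tune to your estate).
$pref = Get-MpPreference
$paths = @($pref.ExclusionPath)
$broad = @($paths | Where-Object { $_ -match '^[A-Za-z]:\\?\*?$' })
foreach ($p in $broad) {
    $findings += "Drive-root exclusion present: $p"
}
if ($paths.Count -gt 0) {
    $findings += "Total path exclusions: $($paths.Count) (review each one against policy)"
}

# 3. DisableLocalAdminMerge policy: when set to 1, exclusions added by a local
#    administrator are ignored in favour of the centrally managed list.
#    Assumed policy location (documented Defender policy key, not quoted in the article).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$merge = (Get-ItemProperty -Path $policyKey -Name DisableLocalAdminMerge `
          -ErrorAction SilentlyContinue).DisableLocalAdminMerge
if ($merge -ne 1) {
    $findings += 'DisableLocalAdminMerge is not enforced: local admins can add exclusions that merge with policy.'
}

# Report: each finding is a condition that would let a payload run unscanned.
if ($findings.Count -eq 0) {
    Write-Output 'No Defender tampering exposure found on this host.'
} else {
    $findings | ForEach-Object { Write-Warning "FINDING: $_" }
}
```

Running this across a fleet (for example via Intune or a remoting loop) and alerting on any finding gives an early signal of the exclusion-based tampering Microsoft describes, before a payload is executed.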
Additionally, Microsoft recommended that organizations isolate Web-facing systems from the public Internet, and place any servers that must be publicly accessible behind a Web application firewall, proxy server, or DMZ. The company also urged customers to implement Windows' Credential Guard, a security feature that protects credentials stored in process memory.
About the Author
Rob Wright
Senior News Director, Dark Reading
Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.