Medusa Ransomware: Storm-1175 Targets Web Assets
Summary
Microsoft Threat Intelligence warns that Storm-1175 is rapidly exploiting vulnerable internet-facing systems to deploy Medusa ransomware, sometimes within 24 hours of initial access. The group’s focus on newly disclosed flaws, web shells, RMM tools, and fast lateral movement makes patch speed, exposure management, and post-compromise detection critical for defenders.
Storm-1175 and Medusa ransomware: Why this matters
Microsoft Threat Intelligence has published new research on Storm-1175, a financially motivated threat actor running fast-moving Medusa ransomware campaigns. The key concern for defenders is speed: the group targets exposed web-facing systems and can move from exploitation to ransomware deployment in as little as 24 hours.
For IT and security teams, this is another reminder that internet-facing assets, delayed patching, and weak visibility across perimeter systems create a narrow window for response.
What’s new
Microsoft says Storm-1175 has exploited more than 16 vulnerabilities since 2023, focusing on the gap between public disclosure and patch adoption. Targeted technologies include:
- Microsoft Exchange
- Ivanti Connect Secure and Policy Secure
- ConnectWise ScreenConnect
- JetBrains TeamCity
- PaperCut
- SimpleHelp
- CrushFTP
- GoAnywhere MFT
- SmarterMail
- BeyondTrust
Notably, Microsoft also observed the actor using some zero-day exploits, including cases where exploitation happened a week before public disclosure.
How the attack chain works
After gaining access through a vulnerable web-facing asset, Storm-1175 typically:
- Establishes persistence using a web shell or remote access payload
- Creates new local accounts and adds them to administrator groups
- Uses LOLBins such as PowerShell and PsExec
- Moves laterally with RDP, sometimes enabling it through firewall changes
- Relies on RMM tools like Atera, AnyDesk, ScreenConnect, MeshAgent, and SimpleHelp
- Uses tools such as PDQ Deploy and Impacket for payload delivery and lateral movement
- Steals credentials, tampers with security controls, exfiltrates data, and deploys Medusa ransomware
This combination of legitimate admin tools and rapid execution makes activity harder to distinguish from normal IT operations.
Impact on IT administrators
Organizations in healthcare, education, professional services, and finance have been heavily affected, particularly in the US, UK, and Australia. For administrators, the biggest risks are:
- Unpatched or newly disclosed vulnerabilities on internet-facing systems
- Poor visibility into exposed perimeter assets
- Overly permissive RDP and firewall settings
- Unmonitored use of RMM tools in production environments
The report also highlights the importance of detecting post-compromise behavior, not just blocking initial exploitation.
Recommended next steps
Security and IT teams should prioritize the following:
- Patch exposed systems quickly, especially web-facing applications
- Inventory and continuously monitor all external attack surface assets
- Review and restrict RMM tool usage to approved platforms and accounts
- Audit for unauthorized new admin accounts and firewall changes
- Monitor for suspicious use of PowerShell, PsExec, PDQ Deploy, and Impacket
- Ensure Defender and related detection rules are enabled and tuned
- Validate ransomware recovery plans, including offline backups and incident response workflows
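A defender-side audit for the steps above (unauthorized admin accounts, firewall changes, RDP exposure), added here as an example and not taken from the article or Microsoft's report. It assumes an elevated Windows PowerShell session on the host being checked, with account-management, group-management and firewall rule-change auditing enabled; the function name and the 72-hour default are assumptions.

```powershell
# Added audit example (not from the article or the Microsoft report). Surfaces the
# post-compromise artifacts the article lists: new local accounts, additions to the local
# Administrators group, and firewall rule changes that may open RDP. Assumes Windows
# PowerShell 5.1+/PowerShell 7 on Windows, run elevated, with "Audit User Account Management",
# "Audit Security Group Management" and "Audit MPSSVC Rule-Level Policy Change" enabled.
function Get-PostCompromiseIndicators {
    param([int]$LookbackHours = 72)   # constructed default; tune to your response window
    $since    = (Get-Date).AddHours(-$LookbackHours)
    $findings = New-Object System.Collections.Generic.List[object]

    # Flatten a Security event's EventData into a name -> value table.
    function ConvertTo-EventData($evt) {
        $table = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $table[$d.Name] = $d.'#text' }
        return $table
    }

    # 4720 = user account created; 4732 = member added to a security-enabled local group
    # 4946 = firewall rule added;   4947 = firewall rule modified
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4720, 4732, 4946, 4947; StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $d = ConvertTo-EventData $e
        $desc = switch ($e.Id) {
            4720 { "Local account created: $($d['TargetUserName'])" }
            4732 { if ($d['TargetUserName'] -eq 'Administrators') { "Added to Administrators: $($d['MemberSid'])" } }
            4946 { "Firewall rule added: $($d['RuleName'])" }
            4947 { "Firewall rule modified: $($d['RuleName'])" }
        }
        if ($desc) {
            $findings.Add([pscustomobject]@{
                Time = $e.TimeCreated; EventId = $e.Id; Actor = $d['SubjectUserName']; Finding = $desc })
        }
    }

    # Current state, independent of the log window: enabled inbound Allow rules exposing TCP 3389
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Time = Get-Date; EventId = 0; Actor = '(current state)'
                Finding = "Inbound RDP allowed by rule '$($_.DisplayName)' (profile: $($_.Profile))" })
        }

    return $findings | Sort-Object Time
}
```

Run it as `Get-PostCompromiseIndicators -LookbackHours 24 | Format-Table -AutoSize` on each internet-facing or jump host; anything not matching a ticketed change is worth an investigation.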
Microsoft’s guidance reinforces a practical reality: if attackers can weaponize a flaw within days or even hours, security teams need both faster patching and stronger detection of lateral movement inside the network.