Security

Medusa Ransomware: Storm-1175 Targets Web Assets

3 min read

Summary

Microsoft Threat Intelligence warns that Storm-1175 is rapidly exploiting vulnerable internet-facing systems to deploy Medusa ransomware, sometimes within 24 hours of initial access. The group’s focus on newly disclosed flaws, web shells, RMM tools, and fast lateral movement makes patch speed, exposure management, and post-compromise detection critical for defenders.

Need help with Security?Talk to an Expert

Storm-1175 and Medusa ransomware: Why this matters

Microsoft Threat Intelligence has published new research on Storm-1175, a financially motivated threat actor running fast-moving Medusa ransomware campaigns. The key concern for defenders is speed: the group targets exposed web-facing systems and can move from exploitation to ransomware deployment in as little as 24 hours.

For IT and security teams, this is another reminder that internet-facing assets, delayed patching, and weak visibility across perimeter systems create a narrow window for response.

What’s new

Microsoft says Storm-1175 has exploited more than 16 vulnerabilities since 2023, focusing on the gap between public disclosure and patch adoption. Targeted technologies include:

  • Microsoft Exchange
  • Ivanti Connect Secure and Policy Secure
  • ConnectWise ScreenConnect
  • JetBrains TeamCity
  • Papercut
  • SimpleHelp
  • CrushFTP
  • GoAnywhere MFT
  • SmarterMail
  • BeyondTrust

Notably, Microsoft also observed the actor using some zero-day exploits, including cases where exploitation happened a week before public disclosure.

How the attack chain works

After gaining access through a vulnerable web-facing asset, Storm-1175 typically:

  • Establishes persistence using a web shell or remote access payload
  • Creates new local accounts and adds them to administrator groups
  • Uses LOLBins such as PowerShell and PsExec
  • Moves laterally with RDP, sometimes enabling it through firewall changes
  • Relies on RMM tools like Atera, AnyDesk, ScreenConnect, MeshAgent, and SimpleHelp
  • Uses tools such as PDQ Deployer and Impacket for payload delivery and lateral movement
  • Steals credentials, tampers with security controls, exfiltrates data, and deploys Medusa ransomware

This combination of legitimate admin tools and rapid execution makes activity harder to distinguish from normal IT operations.

Impact on IT administrators

Organizations in healthcare, education, professional services, and finance have been heavily affected, particularly in the US, UK, and Australia. For administrators, the biggest risks are:

  • Unpatched or newly disclosed vulnerabilities on internet-facing systems
  • Poor visibility into exposed perimeter assets
  • Overly permissive RDP and firewall settings
  • Unmonitored use of RMM tools in production environments

The report also highlights the importance of detecting post-compromise behavior, not just blocking initial exploitation.

Security and IT teams should prioritize the following:

  • Patch exposed systems quickly, especially web-facing applications
  • Inventory and continuously monitor all external attack surface assets
  • Review and restrict RMM tool usage to approved platforms and accounts
  • Audit for unauthorized new admin accounts and firewall changes
  • Monitor for suspicious use of PowerShell, PsExec, PDQ Deploy, and Impacket
  • Ensure Defender and related detection rules are enabled and tuned
  • Validate ransomware recovery plans, including offline backups and incident response workflows

Microsoft’s guidance reinforces a practical reality: if attackers can weaponize a flaw within days or even hours, security teams need both faster patching and stronger detection of lateral movement inside the network.

Need help with Security?

Our experts can help you implement and optimize your Microsoft solutions.

Talk to an Expert

Stay updated on Microsoft technologies

Storm-1175Medusa ransomwarevulnerability managementweb-facing assetsMicrosoft Threat Intelligence

Related Posts

Security

Cloud Security Posture Management Trends for 2026

Frost & Sullivan’s 2025 Frost Radar shows cloud security posture management is shifting from periodic compliance checks to continuous, risk-based governance within CNAPP platforms. For IT and security teams, the key takeaway is clear: prioritize tools that unify posture, identity, workload, and data signals to reduce risk faster across multicloud environments.

Security

Microsoft CSP Security: New Partner Ecosystem Protections

Microsoft outlined how it is strengthening security across its Cloud Solution Provider ecosystem to reduce partner-led attacks on customer environments. The update focuses on tighter partner vetting, mandatory tenant security requirements, least-privilege access through GDAP, and stronger monitoring and response capabilities.

Security

Microsoft Frost Radar 2026: Cloud Runtime Security

Microsoft has been named a leader in Frost & Sullivan’s 2026 Frost Radar for Cloud/Application Runtime Security, highlighting its unified approach to cloud and application risk reduction. The recognition matters to security teams because it reflects a broader market shift toward prioritizing exploitable attack paths across code, cloud, runtime, identity, and SOC workflows.

Security

Quantum-Safe Security: Microsoft Targets 2029

Microsoft is accelerating its quantum-safe security roadmap and now aims to transition critical products and services to post-quantum cryptography by 2029. The update matters because IT teams need to start cryptographic inventory, crypto-agility planning, and TLS 1.3 modernization sooner as the risk timeline for quantum attacks moves closer.

Security

Securing AI Agents: MCP Tool Poisoning Risks

Microsoft Incident Response warns that as AI agents move from reading content to taking actions, poisoned Model Context Protocol (MCP) tool metadata can silently redirect agent behavior and expose sensitive data. The guidance outlines how to detect, contain, and prevent this emerging supply chain risk using controls across Copilot Studio, Entra, Purview, Defender, and Sentinel.

Security

Microsoft Security June 2026: Key Updates for IT

Microsoft’s June 2026 security updates introduce new protections for AI agents, stronger identity recovery in Entra, expanded multicloud coverage in Defender for Cloud, and more flexible reporting in Purview. These changes matter for IT and security teams because they improve visibility, speed remediation, and help protect identities, data, endpoints, and cloud workloads across hybrid environments.