Microsoft Warns of Critical Medusa Ransomware Attacks Exploiting 0-Day Flaws
Key Takeaways
- A sophisticated threat actor, Storm-1175, is deploying Medusa ransomware in high-speed campaigns.
- The group rapidly exploits “N-day” vulnerabilities and has demonstrated zero-day capabilities, impacting critical internet-facing applications like file transfer tools and mail servers.
- Attacks are characterized by rapid compromise, often within 24 hours, followed by double extortion tactics.
- Microsoft Threat Intelligence has tracked Storm-1175 since 2023, observing its exploitation of over 16 known vulnerabilities.
Microsoft Warns of High-Speed Medusa Ransomware Attacks by Storm-1175
Organizations are confronting a severe and rapidly evolving threat from a ransomware campaign spearheaded by the advanced persistent threat group, Storm-1175. According to a recent advisory from Microsoft Threat Intelligence, this group is distinguished by its extreme operational tempo, capable of compromising and encrypting an entire network in as little as 24 hours from initial breach.
Storm-1175’s primary modus operandi revolves around exploiting “N-day” vulnerabilities—publicly disclosed software flaws that remain unpatched in many systems. The group aggressively scans for internet-exposed applications, including file transfer utilities and mail servers, that are still running vulnerable software versions. Even a brief window of exposure, sometimes just a few days, is sufficient for these attackers to gain initial access.
Microsoft’s analysts have been monitoring Storm-1175 since 2023, attributing over 16 known vulnerability exploits across various enterprise platforms to the group. Beyond N-day exploitation, Storm-1175 has also demonstrated the capability to leverage zero-day flaws—vulnerabilities unknown to the public or vendor at the time of exploitation. Notable instances include the exploitation of CVE-2026-23760, a SmarterMail flaw, a full week prior to its public disclosure, and CVE-2025-10035 in Fortra’s GoAnywhere Managed File Transfer, which was exploited a week before its official announcement.
The ransomware deployed by Storm-1175 is Medusa, which operates as a Ransomware-as-a-Service (RaaS) platform. This model allows developers to lease their tools and infrastructure to affiliate groups such as Storm-1175. Medusa employs a double extortion strategy: victims’ data is both encrypted and exfiltrated, with attackers threatening public release if the ransom demand is not met. This tactic significantly increases pressure on victim organizations, creating both immediate operational disruption and long-term data exposure risks. Industries heavily reliant on internet-facing platforms are particularly susceptible to Storm-1175’s campaigns.

Storm-1175’s Post-Compromise Tactics
Once Storm-1175 breaches a target environment, the group follows a meticulously planned sequence of actions. Initial access is typically followed by the deployment of a web shell or a remote access payload. This persistent backdoor ensures continued access to the compromised system, even if the original entry point is patched. The creation of new user accounts early in the attack chain provides an additional, redundant access path into the network.
Subsequently, Storm-1175 employs legitimate remote monitoring and management (RMM) tools to blend their activities with normal IT traffic, facilitating lateral movement across internal systems without triggering immediate security alerts. To further evade detection, the group manipulates Microsoft Defender Antivirus settings within the Windows registry, a step requiring elevated privileges. Attackers also utilize encoded PowerShell commands to add entire drives to antivirus exclusion lists, effectively disabling security software from scanning critical areas. Concurrently, credential theft operations target high-privilege accounts necessary for widespread ransomware deployment.
For the final stage of the operation, Storm-1175 leverages Bandizip to package exfiltrated files and Rclone to transfer this data to attacker-controlled cloud storage. PDQ Deployer is then used to execute a script named RunFileCopy.cmd, which pushes Medusa ransomware payloads to all accessible machines. In some scenarios, the group exploits elevated privileges to force a Group Policy update, allowing for simultaneous ransomware deployment across every system within the domain.
What You Should Do
- Patch Immediately: Prioritize patching all internet-facing systems without delay. For vulnerabilities listed in the CISA Known Exploited Vulnerabilities catalog, patching within 72 hours is critical.
- Monitor for Early Indicators: Implement robust monitoring for alerts related to credential theft, unauthorized registry modifications, and the creation of new user accounts, as these are strong indicators of active intrusion.
- Restrict RMM Tools: Limit the use of remote monitoring and management tools to only approved applications and enforce strict access controls.
- Enforce Multi-Factor Authentication (MFA): Implement MFA for all privileged accounts and critical systems to prevent unauthorized access even if credentials are stolen.
- Audit Antivirus Exclusions: Regularly audit antivirus exclusion paths to detect and rectify any unauthorized modifications that attackers might use to bypass security software.
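The post-compromise tactics above (encoded PowerShell that adds whole drives to Defender exclusions, registry edits under the Defender keys, new local accounts) map directly onto the monitoring and audit recommendations in this list. The following Python is an added example, not code from Microsoft's advisory or from HackersRadar, showing how a defender can triage process-creation and account-creation events for exactly those signals. The event records are constructed inline and simplified to an event ID plus a command line; the IDs 4688 (process creation) and 4720 (user account created) are the real Windows Security log event IDs, and the regexes and thresholds are this example's own assumptions. The `drive_root_exclusions` check is the same test you would run over the exclusion list exported by `Get-MpPreference` when auditing exclusions.

```python
"""Triage constructed Windows events for Storm-1175-style tradecraft.

Example code, not part of the article or of Microsoft's advisory.  The
event samples below are constructed; their shape is a simplification of
Windows Security log fields (4688 = process creation, 4720 = account created).
"""
import base64
import re


def encode_powershell(script: str) -> str:
    """Encode a script the way PowerShell's -EncodedCommand expects (UTF-16LE, base64).
    Used only to build the constructed samples below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Encoded PowerShell that excludes entire drives from Defender scanning
    {"id": 4688, "cmdline": "powershell.exe -nop -w hidden -enc "
                            + encode_powershell("Add-MpPreference -ExclusionPath 'C:\\', 'D:\\'")},
    # Encoded PowerShell that is benign: encoding alone is a weak signal
    {"id": 4688, "cmdline": "powershell.exe -enc "
                            + encode_powershell("Get-Process | Out-File C:\\temp\\procs.txt")},
    # Direct registry edit under the Defender policy key (exclusion path as a value)
    {"id": 4688, "cmdline": 'reg.exe add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender'
                            '\\Exclusions\\Paths" /v C:\\ /t REG_DWORD /d 0 /f'},
    # Redundant access path: a new local account
    {"id": 4688, "cmdline": "net user backupsvc /add"},
    {"id": 4720, "cmdline": "", "account": "backupsvc"},
    # Ordinary administration: -ExecutionPolicy must not be mistaken for -EncodedCommand
    {"id": 4688, "cmdline": "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\inventory.ps1"},
]

# -e, -ec, -enc, -EncodedCommand ... followed by a base64 blob (>= 16 chars)
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e[a-z]*\s+([A-Za-z0-9+/=]{16,})")
# Add-/Set-MpPreference with its -ExclusionPath argument list (stops at the next parameter)
EXCLUSION_CMD = re.compile(
    r"(?im)(?:Add|Set)-MpPreference\b[^\n|;]*?-ExclusionPath\s+([^\n|;]+?)(?=\s+-[A-Za-z]|\s*$)")
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
REGISTRY_DEFENDER = re.compile(
    r"(?i)(?:reg(?:\.exe)?\s+add|set-itemproperty|new-itemproperty)\b.*\\Windows Defender")
NEW_USER_CMD = re.compile(r"(?i)(?:\bnet1?(?:\.exe)?\s+user\s+\S+.*\s/add\b|\bNew-LocalUser\b)")


def decode_encoded_powershell(cmdline: str):
    """Return the decoded script of an -EncodedCommand invocation, or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def exclusion_paths_in(script: str) -> list:
    """Collect every path passed to -ExclusionPath in the given script text."""
    paths = []
    for m in EXCLUSION_CMD.finditer(script):
        for raw in m.group(1).split(","):
            p = raw.strip().strip("'\"").strip()
            if p:
                paths.append(p)
    return paths


def drive_root_exclusions(paths) -> list:
    """Exclusions that cover a whole drive (C:\\, D:, ...): the pattern the article describes."""
    return [p for p in paths if DRIVE_ROOT.match(p)]


def triage(event: dict) -> list:
    """Return human-readable findings for one event; an empty list means nothing suspicious."""
    findings = []
    if event["id"] == 4720:
        findings.append("new account created: %s" % event.get("account", "?"))
        return findings
    cmdline = event.get("cmdline", "")
    texts = [cmdline]
    decoded = decode_encoded_powershell(cmdline)
    if decoded is not None:
        findings.append("encoded PowerShell")
        texts.append(decoded)
    roots = []
    for text in texts:
        roots.extend(drive_root_exclusions(exclusion_paths_in(text)))
    if roots:
        findings.append("whole-drive Defender exclusion: " + ", ".join(roots))
    if REGISTRY_DEFENDER.search(cmdline):
        findings.append("Defender registry modification")
    if NEW_USER_CMD.search(cmdline):
        findings.append("local account creation command")
    return findings


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["id"], triage(event) or "-", "|", event["cmdline"][:60])
```

Encoded PowerShell on its own is reported but not treated as decisive (the second sample shows why); it is the combination of encoding with a whole-drive exclusion, a Defender registry change, or a new account that matches the intrusion pattern described above. Running the same `drive_root_exclusions` check over a host's exported exclusion list turns the "audit antivirus exclusions" recommendation into a repeatable control.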
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.