Ransomware, Apr 8, 2026

Storm-1175 Deploys Medusa Ransomware Within 24 Hours of Flaw Disclosure

Storm-1175 deploys Medusa ransomware within 24 hours of vulnerability disclosure.

Summary

Microsoft researchers identified Storm-1175, a sophisticated threat actor rapidly exploiting N-day vulnerabilities to deploy Medusa ransomware against healthcare and education sectors in the UK, US, and Australia. The group weaponizes flaws within hours of disclosure, using legitimate tools like AnyDesk and ConnectWise ScreenConnect for lateral movement, and disables antivirus via tamper tactics. Storm-1175 has exploited over 16 vulnerabilities since 2023, including zero-days, completing full attacks from initial access to data exfiltration in under 24 hours.

Full text

Microsoft researchers have uncovered a fast-moving group, Storm-1175, launching high-speed Medusa ransomware attacks against healthcare and education sectors in the UK, US, and Australia by exploiting security flaws in as little as 24 hours.

By Deeba Ahmed, April 8, 2026

A notorious group of hackers is currently causing major disruption globally by deploying the devastating Medusa ransomware. Tracked by Microsoft Threat Intelligence as Storm-1175, these hackers have turned the gap between a security flaw being found and a fix being installed into a high-speed race. Microsoft researchers found that Storm-1175 specialises in hitting vulnerable perimeter assets (the systems and devices that connect a company’s private network directly to the public internet) that have not yet received their security updates.

A 24-Hour Turnaround

The group reportedly focuses on N-day vulnerabilities, which are security flaws that have already been publicly disclosed. While some hackers hide in a system for months, Storm-1175 often finishes the job in just a few days. In some cases, they have stolen data and locked down a whole network within 24 hours. “Storm-1175 rotates exploits quickly during the time between disclosure and patch availability,” Microsoft researchers noted. This pace was clear during a recent attack exploiting a SAP NetWeaver flaw (tracked as CVE-2025-31324). The flaw was announced on April 24, 2025, and by April 25, the group was already using it to launch Medusa ransomware operations. This efficiency has caused big problems for schools, law firms, and hospitals across the United Kingdom, the United States, and Australia.
[Figure: Vulnerabilities exploitation and disclosure timeline (Image Credit: Microsoft)]

Common Tools Used for Bad Ends

Further investigation revealed that the group has exploited more than 16 different flaws since 2023, including vulnerabilities in PaperCut (CVE-2023-27351) and JetBrains TeamCity (CVE-2024-27198). They are also surprisingly good at using zero-day exploits. In early 2026, they hit a service called SmarterMail (CVE-2026-23760) a full week before the flaw was publicly known. Once inside, they hijack everyday office tools like AnyDesk and ConnectWise ScreenConnect to move around without being noticed. Researchers noted in the blog post that the group also uses a tool called PDQ Deployer to push the ransomware to every computer at once, while tools like Rclone and Bandizip are used to pack up and steal files.

[Figure: Storm-1175 attack chain (Image Credit: Microsoft)]

Blinding the Computer’s Defence

Storm-1175 is particularly good at security tampering: after initial access, they often use elevated permissions to tell the computer’s own antivirus to ignore the C:\ drive by adding it to an exclusion path. This blinds the system, allowing the ransomware to run without being stopped. To stay safe, experts suggest that businesses need to be much quicker at installing updates. Using features like Tamper Protection can also stop hackers from turning off the antivirus.

Expert Insights

The sophistication of these campaigns sets them apart from typical cybercrime. In a comment shared with Hackread.com, Adrian Culley, a Senior Sales Engineer at SafeBreach, provided his perspective on the growing threat, explaining that Storm-1175 represents a major shift in how hackers operate. He noted that the group’s ability to weaponise new flaws in mere hours creates a dangerous mismatch for businesses that rely on slow, traditional security checks.
“We’re seeing a clear escalation in the speed and coordination of operations tied to Storm-1175, particularly in how quickly newly disclosed and even zero-day vulnerabilities are being operationalized. This group, associated with Medusa ransomware, is moving from initial access to data exfiltration in hours, not days.”

“It’s also important to distinguish this activity from similarly named groups like MedusaLocker, which rely more on opportunistic access methods like RDP brute force. Storm-1175 is operating with a much more deliberate playbook, chaining exploits and leveraging remote management tooling to accelerate lateral movement and impact.”

“The bigger issue this highlights is a growing mismatch between attacker speed and how organizations validate their defenses. Point-in-time assessments and static scanning aren’t built for this pace. Security teams need continuous, real-world validation of how attacks actually progress through their environments, so they can identify and address exposure before it’s exploited.”
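The exclusion-path tampering described under Blinding the Computer’s Defence above leaves a trace in Microsoft Defender’s own configuration-change events, which a defender can hunt over. The script below is an added example, not code from the article or from Microsoft: Event ID 5007 and the Exclusions\Paths registry key are real, but the message layout, the sample records and the list of "broad" folders treated as blinding are constructed assumptions.

```python
"""Flag Microsoft Defender exclusion-path changes that blind the scanner."""
import re
from typing import NamedTuple

# Registry key under which Defender stores path exclusions (real key name).
EXCLUSION_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"

class Finding(NamedTuple):
    record_id: int
    path: str

def is_blinding_path(path: str) -> bool:
    """True for exclusions broad enough to hide a payload anywhere: a drive
    root such as C:\\, a bare wildcard, or (assumed) system-wide folders."""
    p = path.strip().rstrip("\\").lower()
    if p in ("*", "") or re.fullmatch(r"[a-z]:", p):
        return True
    return p in ("c:\\windows", "c:\\users", "c:\\programdata")

def parse_exclusion_events(records):
    """Return a Finding for each 5007-style event that adds a blinding path.
    Records are {"id", "event_id", "message"}; the 'New value:' message layout
    is a constructed simplification of the real Event ID 5007 text."""
    new_value = re.compile(r"New value:\s*(.+)")
    added = re.compile(re.escape(EXCLUSION_KEY) + r"\\(?P<path>.+?) = 0x0", re.I)
    findings = []
    for rec in records:
        if rec.get("event_id") != 5007:
            continue  # only Defender configuration-change events matter here
        m = new_value.search(rec["message"])
        hit = added.search(m.group(1)) if m else None
        if hit and is_blinding_path(hit.group("path")):
            findings.append(Finding(rec["id"], hit.group("path")))
    return findings

# Constructed sample events: a benign app-folder exclusion, a root-drive
# exclusion of the kind the article describes, and an unrelated detection.
SAMPLE_EVENTS = [
    {"id": 1, "event_id": 5007, "message": "Configuration has changed. New value: "
     + EXCLUSION_KEY + r"\C:\Program Files\Backup Agent = 0x0"},
    {"id": 2, "event_id": 5007, "message": "Configuration has changed. New value: "
     + EXCLUSION_KEY + r"\C:\ = 0x0"},
    {"id": 3, "event_id": 1116, "message": "Defender has detected malware."},
]

if __name__ == "__main__":
    for f in parse_exclusion_events(SAMPLE_EVENTS):
        print(f"record {f.record_id}: blinding exclusion added for {f.path!r}")
```

Only the root-drive exclusion in record 2 is reported; an exclusion scoped to a single application folder is left alone, which keeps the alert useful rather than noisy.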

Indicators of Compromise

  • cve — CVE-2025-31324
  • cve — CVE-2023-27351
  • cve — CVE-2024-27198
  • cve — CVE-2026-23760
  • malware — Medusa ransomware

Entities

  • Storm-1175 (threat_actor)
  • Microsoft (vendor)
  • SAP NetWeaver (product)
  • JetBrains TeamCity (product)
  • SmarterMail (product)