
Storm-1175 Launches High-Speed Medusa Ransomware Campaigns Exploiting N-Days and Zero-Days

April 10, 2026 19:55 · 5 min read

A Threat Actor Built for Speed

A financially motivated cybercrime group tracked as Storm-1175 is orchestrating what Microsoft describes as "high velocity ransomware campaigns" that leverage both well-known and previously undisclosed vulnerabilities to deliver Medusa ransomware at a pace that consistently outstrips organizations' ability to patch. Microsoft Threat Intelligence published its findings in a blog post on Monday, April 7, 2026, laying out the group's tactics, targeted sectors, and the specific vulnerabilities being weaponized.

The defining characteristic of Storm-1175's operations is the compressed timeline between initial access and ransomware deployment. According to Microsoft, the group moves from vulnerability exploitation through data exfiltration to final ransomware delivery "often within a few days and, in some cases, within 24 hours." That operational tempo presents a severe challenge for defenders who rely on standard patching cycles.

Sherrod DeGrippo, general manager of threat intelligence at Microsoft, told Dark Reading that given Storm-1175's speed, "patches should be prioritized immediately upon release."

Sectors and Regions in the Crosshairs

Microsoft's blog post noted that Storm-1175's recent intrusions have "heavily impacted healthcare organizations, as well as those in the education, professional services, and finance sectors" across Australia, the United Kingdom, and the United States. The group's proficiency in identifying exposed perimeter assets has made these campaigns particularly effective against organizations that are slow to reduce their external attack surface.

The N-Day Vulnerability Arsenal

Microsoft documented more than a dozen known vulnerabilities — commonly called N-days — that Storm-1175 has actively exploited. The group focuses on the window between a flaw's public disclosure and the widespread deployment of a patch, a period that historically gives threat actors the greatest advantage.

Among the most notable N-days tied to Storm-1175 are:

Zero-Day Exploitation Signals Evolving Capabilities

Beyond N-days, Microsoft linked Storm-1175 to the exploitation of several zero-day vulnerabilities — flaws attacked before public disclosure — suggesting the group is expanding its capabilities or has gained access to new resources such as exploit brokers.

Two zero-days were specifically called out:

Microsoft was careful to contextualize these zero-day incidents. The blog post noted that "GoAnywhere MFT has previously been targeted by ransomware attackers, and that the SmarterMail vulnerability was reportedly similar to a previously disclosed flaw," suggesting that prior familiarity with these platforms may have lowered the barrier for zero-day exploitation. The company also emphasized that Storm-1175 still primarily leverages N-day vulnerabilities, and that the zero-day activity represents an evolution rather than a wholesale shift in methodology.

The Full Attack Chain: From Access to Ransomware

Microsoft Threat Intelligence outlined the full sequence of tactics Storm-1175 employs once initial access is achieved. The group uses remote monitoring and management (RMM) software for lateral movement across compromised environments. For credential harvesting, actors use Impacket, a well-known collection of Python-based tools for network protocols. Data exfiltration is conducted via Rclone, a command-line utility commonly abused by ransomware operators to stage and transfer stolen data to attacker-controlled infrastructure.

Tampering with Microsoft Defender Antivirus

One of the more technically significant aspects of Storm-1175's operations is its ability to interfere with security software. Microsoft detailed how the group modifies Microsoft Defender Antivirus settings stored in the Windows registry, effectively clearing the path for Medusa ransomware payloads to execute without triggering alerts.

DeGrippo explained that this tampering prevents Defender from scanning the targeted system's C drive, allowing Medusa payloads to run silently. Critically, this technique requires the attacker to have already obtained access to highly privileged accounts — which is precisely why the credential dumping phase is so central to Storm-1175's attack chain.

As Microsoft Threat Intelligence wrote in the blog post: "Prioritizing alerts related to credential theft activity, which typically indicate an active attacker in the environment, is essential to responding to ransomware signals and preventing attackers from gaining privileged account access."

Defensive Recommendations

Microsoft offered several concrete mitigations for organizations seeking to reduce their exposure to Storm-1175 and similar threats:

  1. Enable tamper protection in Windows Defender Antivirus across the entire tenant to prevent unauthorized modification of security settings.
  2. Use the "DisableLocalAdminMerge" setting to block threat actors from exploiting local administrator privileges to add antivirus exclusions.
  3. Isolate web-facing systems from the public internet wherever possible. Any servers that must remain publicly accessible should be placed behind a web application firewall, proxy server, or demilitarized zone (DMZ).
  4. Implement Windows Credential Guard, a security feature that protects credentials stored in process memory against dumping tools like Impacket.
  5. Patch critical vulnerabilities immediately upon release, rather than waiting for standard maintenance windows, given the group's demonstrated ability to exploit flaws within days of disclosure.
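The registry tampering described above and the first four mitigations in this list all reduce to a handful of host settings that can be checked in place. The read-only PowerShell audit below is an added example for this article; it is not code from Dark Reading or from Microsoft's blog post. It assumes a Windows 10/11 or Windows Server host with Microsoft Defender Antivirus, run from an elevated session, and that the standard policy registry path (`HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender`), the `Win32_DeviceGuard` CIM class and the Defender operational event log are in their default locations; environments managed by another tool may need those paths adjusted.

```powershell
# Added example (not from the Dark Reading article or Microsoft's blog post):
# a read-only audit of the Defender and credential-protection settings the
# article's mitigations refer to. Run in an elevated PowerShell session.
# Assumptions: default policy registry path, default DeviceGuard CIM class
# and default Defender operational log name.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Tamper protection (recommendation 1). Get-MpComputerStatus reports the
#    live state; $false means a privileged account can change Defender settings.
$status = Get-MpComputerStatus
if (-not $status.IsTamperProtected) {
    $findings.Add("Tamper protection is OFF; Defender settings can be modified by a privileged account.")
}
if (-not $status.RealTimeProtectionEnabled) {
    $findings.Add("Real-time protection is disabled.")
}

# 2. DisableLocalAdminMerge (recommendation 2). When the policy value is 1,
#    exclusions added by a local administrator are ignored in favour of the
#    centrally managed list.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$merge = (Get-ItemProperty -Path $policyKey -Name DisableLocalAdminMerge -ErrorAction SilentlyContinue).DisableLocalAdminMerge
if ($merge -ne 1) {
    $findings.Add("DisableLocalAdminMerge is not enforced; local admins can add exclusions that take effect.")
}

# 3. Exclusions that cover a whole drive. The article describes tampering that
#    stops Defender scanning the C: drive; a drive-root exclusion is the
#    configuration state that produces that outcome.
$prefs = Get-MpPreference
foreach ($path in @($prefs.ExclusionPath)) {
    if ($path -match '^[A-Za-z]:\\?\*?$') {
        $findings.Add("Whole-drive exclusion present: $path")
    }
}
if ($prefs.DisableRealtimeMonitoring) {
    $findings.Add("DisableRealtimeMonitoring preference is set.")
}

# 4. Credential Guard (recommendation 4). In Win32_DeviceGuard,
#    SecurityServicesRunning contains 1 when Credential Guard is running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if (-not $dg -or ($dg.SecurityServicesRunning -notcontains 1)) {
    $findings.Add("Credential Guard is not running; LSASS secrets are exposed to memory-dumping tools.")
}

# 5. Recent configuration changes. Defender writes event ID 5007 to its
#    operational log whenever a setting (including an exclusion) changes.
#    A burst of these on an internet-facing server is worth triaging alongside
#    the credential-theft alerts the article says to prioritise.
$since = (Get-Date).AddDays(-7)
$changes = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue
foreach ($ev in @($changes)) {
    $findings.Add("Defender config change at $($ev.TimeCreated): $($ev.Message -replace '\s+', ' ')")
}

if ($findings.Count -eq 0) {
    Write-Output "No findings: tamper protection, admin-merge policy, exclusions and Credential Guard look as recommended."
} else {
    Write-Output "Findings ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

The script only reads state and never changes it, so it is safe to run from a scheduled task or an RMM job across a fleet; feed the output into whatever ticketing or SIEM pipeline you already use. The checks are deliberately conservative: a whole-drive exclusion or tamper protection being off is a finding on its own, while event 5007 entries are context rather than an alert, since legitimate administration also produces them.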

The Broader Patching Problem

Storm-1175's campaigns are a stark illustration of a persistent challenge in enterprise security: the gap between vulnerability disclosure and patch deployment continues to be one of the most reliably exploitable conditions in the threat landscape. When a critical flaw is publicly disclosed, the clock starts ticking — and groups like Storm-1175 have demonstrated they can move faster than most organizations' change management processes allow.

The targeting of healthcare, education, professional services, and finance — sectors that often struggle with resource constraints around security operations — underscores how deliberately threat actors select victims they believe are less likely to have patched quickly or to detect intrusions before ransomware is deployed.

For organizations in these sectors operating in Australia, the United Kingdom, or the United States, the message from Microsoft is unambiguous: speed of patching is no longer optional when adversaries are capable of going from exploitation to ransomware delivery within a single business day.


Source: Dark Reading
