Microsoft has warned of a fast-moving ransomware campaign driven by the threat group Storm-1175. The attackers are exploiting web-facing systems using both N-day and zero-day vulnerabilities, ultimately deploying Medusa ransomware within hours.
Researchers say organizations can go from initial compromise to full network encryption in as little as 24 hours, making this one of the more aggressive ransomware playbooks observed recently.
Fast Exploitation of Web-Facing Systems
Storm-1175 focuses on:
- Internet-exposed applications
- File transfer platforms
- Mail servers
- Remote management interfaces
The group scans for newly disclosed vulnerabilities and attacks before patching occurs — a window often called the N-day gap.
Microsoft analysts tracked the group exploiting more than 16 vulnerabilities across enterprise software.
Zero-Day Exploitation Observed
Beyond N-day attacks, Storm-1175 has also used zero-day vulnerabilities, including:
- CVE-2026-23760
- CVE-2025-10035
In both cases, exploitation occurred before public disclosure, giving attackers a significant advantage.
This tactic allows the group to gain access while defenders remain unaware.
Medusa Ransomware Deployment
Medusa operates under a ransomware-as-a-service model, allowing affiliates like Storm-1175 to deploy attacks at scale.
The ransomware uses double extortion:
- Encrypt victim systems
- Steal sensitive data
- Threaten public release
- Demand payment for decryption and silence
This increases pressure on victims to pay quickly.
Storm-1175 Post-Compromise Playbook
Once inside, attackers follow a structured sequence:
1. Establish Persistence
- Deploy web shells
- Drop remote access payloads
- Create new user accounts
2. Lateral Movement
- Use legitimate RMM tools
- Blend activity with normal IT traffic
- Move across systems quietly
3. Defense Evasion
- Modify antivirus registry settings
- Disable protections
- Add drives to exclusion lists
Attackers often use encoded PowerShell commands to bypass detection.
Data Exfiltration Phase
Before encryption, the group steals data using:
- Bandizip for packaging
- Rclone for exfiltration
Data is uploaded to attacker-controlled cloud storage.
Ransomware Deployment at Scale
Storm-1175 then distributes ransomware using:
- PDQ Deployer
- Group Policy updates
- Domain-wide execution scripts
This enables simultaneous encryption across entire networks.
Early Warning Signs
Security teams should monitor for:
- New user account creation
- Credential theft activity
- Registry modifications
- Antivirus exclusion changes
- Unexpected RMM tool usage
- Suspicious PowerShell commands
These behaviors often appear before ransomware deployment.
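The warning signs above can be checked mechanically against endpoint telemetry. The following is an added example, not code from Microsoft or the article: it triages a handful of constructed Windows Security (4720, 4688) and Sysmon registry (13) records for new account creation, Defender exclusion changes, encoded PowerShell, and RMM agents outside an assumed approved inventory (the RMM paths and allowlist are placeholders).

```python
import re

# Constructed sample telemetry (not from the report): simplified
# Windows Security (4720, 4688) and Sysmon (13) records as a SIEM exports them.
SAMPLE_EVENTS = [
    {"id": 4720, "new_user": "svc-helpdesk2", "by": "WEBSRV01$"},
    {"id": 13, "target": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\D:\\"},
    {"id": 4688, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # base64 of "Get-Date" (UTF-16LE): a harmless placeholder payload
     "cmdline": "powershell.exe -NoP -W Hidden -enc RwBlAHQALQBEAGEAdABlAA=="},
    {"id": 4688, "image": r"C:\ProgramData\rmm-tool-b\agent.exe", "cmdline": "agent.exe -service"},
    {"id": 4688, "image": r"C:\Program Files\rmm-tool-a\agent.exe", "cmdline": "agent.exe"},
]

# Assumption: the organisation's approved remote-management binaries (lowercased
# full paths); any other process whose path carries an RMM hint is "unexpected".
APPROVED_RMM = {r"c:\program files\rmm-tool-a\agent.exe"}
RMM_HINTS = ("rmm-tool",)  # placeholder vendor strings; a real list names actual products

# -EncodedCommand and its documented short forms -e / -ec, followed by a base64 blob
ENC_PS = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
DEFENDER_EXCL = "\\windows defender\\exclusions\\"


def triage(events):
    """Return (signal, evidence) pairs for the early-warning behaviours."""
    findings = []
    for ev in events:
        eid = ev.get("id")
        if eid == 4720:  # a user account was created
            findings.append(("new_user_account", ev["new_user"]))
        elif eid == 13 and DEFENDER_EXCL in ev.get("target", "").lower():
            findings.append(("av_exclusion_change", ev["target"]))  # registry value set under Exclusions
        elif eid == 4688:  # process creation with command line auditing enabled
            image = ev.get("image", "").lower()
            if ENC_PS.search(ev.get("cmdline", "")):
                findings.append(("encoded_powershell", ev["cmdline"]))
            if any(h in image for h in RMM_HINTS) and image not in APPROVED_RMM:
                findings.append(("unexpected_rmm", ev["image"]))
    return findings


if __name__ == "__main__":
    for signal, evidence in triage(SAMPLE_EVENTS):
        print(f"[{signal}] {evidence}")
```

Each finding is one of the page's early warning signs; several of them within a short window on the same host is the pattern to escalate on.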
Mitigation Recommendations
Organizations should:
Patch Quickly
- Prioritize internet-facing systems
- Patch vulnerabilities listed in CISA's Known Exploited Vulnerabilities (KEV) catalog within 72 hours
Restrict RMM Tools
- Allow only approved applications
- Monitor remote management usage
Enforce MFA
- Require multi-factor authentication
- Protect privileged accounts
Monitor Antivirus Settings
- Audit exclusion paths
- Detect unauthorized changes
Improve Visibility
- Log account creation
- Monitor lateral movement
- Watch for data exfiltration
Key Takeaways
- Storm-1175 is deploying Medusa ransomware rapidly
- Exploits both N-day and zero-day vulnerabilities
- Full compromise is possible within 24 hours
- Uses legitimate tools for stealth
- Double extortion increases pressure on victims
- Immediate patching and monitoring are critical
Conclusion
Storm-1175 demonstrates how quickly modern ransomware operations move once attackers gain access. By exploiting newly disclosed vulnerabilities and using stealthy post-compromise techniques, the group can take down entire organizations in a single day.
Security teams should prioritize patching, monitor suspicious activity, and enforce strong access controls to reduce exposure.